asp.net, self-signed-certificate, certificate-authority, dotnet-dev-certs

Why does the localhost certificate disappear from the Trusted Root Certification Authorities (TRCA) folder immediately after being imported?


I am developing an ASP.NET application on Windows 11. To test the app, I need to create a self-signed dev certificate. However, I am unable to use the self-signed certificate because the CA certificate is missing from the TRCA folder. If I quickly refresh the folder, I can see it is there, but one or two seconds later, it is gone.

Below, I have included a dump of what happens in the command prompt (logged in as Administrator or not doesn't matter). I have also tried moving the certificate by copy/paste in certmgr, manually creating, exporting and importing the certificate using anything from certutil, netsh, makecert to New-SelfSignedCertificate.

I have deleted all the Visual Studio files in the Roaming/ASP.NET/https folder, the Local/ASP.NET/DataProtection-Keys folder and all the secrets files.

I have repaired and uninstalled/reinstalled IIS Express and tried installing/uninstalling/reinstalling/repairing multiple different versions of Visual Studio and VS Code.

No matter what I do, the certificate is created and immediately deleted from the TRCA folder.

C:\Windows\System32>dotnet dev-certs https --clean
Cleaning HTTPS development certificates from the machine. A prompt might get displayed to confirm the removal of some of the certificates.
HTTPS development certificates successfully removed from the machine.

C:\Windows\System32>dotnet dev-certs https
The HTTPS developer certificate was generated successfully.

C:\Windows\System32>dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
Successfully trusted the existing HTTPS certificate.

C:\Windows\System32>dotnet dev-certs https --check --trust
The following certificates were found, but none of them is trusted: 1 certificate
    1) 8AC3C820AF03BC63F05179ED5762728BB38F171A - CN=localhost - Valid from 2024-06-04 13:19:17Z to 2025-06-04 13:19:17Z - IsHttpsDevelopmentCertificate: true - IsExportable: true

The PC is connected to Active Directory so could it be an "evil" Group Policy (GPO) that is causing the automatic deletion of the certificate?

Security GPOs summary


Solution

  • I have identified that the reason the certificate is deleted from Current User/TRCA is that it is synchronised with Local Machine/TRCA.

    When I add a certificate to Local Machine/TRCA, it is automatically propagated to Current User/TRCA.

    I am not sure where this is configured, but exporting the localhost certificate generated by dotnet dev-certs https and then importing it into the Local Machine/TRCA folder will fix the problem.
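The export/import described in the answer, scripted in PowerShell as an added example (this is not code from the question or the answer above). It assumes the certificate was created by dotnet dev-certs https and therefore sits in CurrentUser\My with subject CN=localhost and the extension OID 1.3.6.1.4.1.311.84.1.1 that dotnet dev-certs stamps on its certificates; if your version tags it differently, match on the friendly name "ASP.NET Core HTTPS development certificate" instead. Run it from an elevated PowerShell, because writing to LocalMachine\Root requires administrator rights.

```powershell
# Added example: copy the dotnet dev-certs localhost certificate into the
# machine-wide trusted root store and verify it is then visible in both stores.
# Assumption: the dev cert lives in CurrentUser\My and carries this extension OID.
$devCertOid = '1.3.6.1.4.1.311.84.1.1'

# 1. Locate the newest ASP.NET Core dev certificate in the user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=localhost' -and $_.Extensions.Oid.Value -contains $devCertOid } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No dotnet dev-certs certificate found in CurrentUser\My; run "dotnet dev-certs https" first.'
}

# 2. Export only the public certificate (DER .cer); a root store never needs the private key.
$cerPath = Join-Path $env:TEMP 'aspnetcore-dev-localhost.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Import it into Local Machine/TRCA. The user store follows the machine store,
#    so the copy in CurrentUser\Root is no longer purged.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Verify by thumbprint that both root stores now hold the certificate.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $found = Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint
    '{0,-26} {1}' -f $store, $(if ($found) { 'present' } else { 'MISSING' })
}

# 5. Let the .NET CLI confirm that it now considers the certificate trusted.
dotnet dev-certs https --check --trust
```

A certificate in LocalMachine\Root is trusted by every account on the machine, not just the developer's, and dotnet dev-certs https --clean only manages the current user's stores, so remove the machine-store copy yourself (Remove-Item on the thumbprint under Cert:\LocalMachine\Root) once it is no longer needed.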