Visual Studio：“信任证书失败”

Question

On Windows 10/11, With Visual Studio 2017-2022, when serving a web API via HTTPS with Kestrel or IIS, Visual Studio prompts me to trust the self-signed certificate that ASP.NET Core has generated.

If I click 'Yes', I receive the following error:

Adding the certificate to the Trusted Root Certificates store failed with the following error: Failed trusting the certificate. (running Kestrel) or Access is denied. (running IIS)

Navigating to the swagger UI page via Chrome verifies that the certificate is indeed not valid and the connection is not secure.

Running dotnet dev-certs https --trust results in

There was an error trusting HTTPS developer certificate.

From certmgr I can see the ASP.NET Core HTTPS development certificate has been installed in the Current User/Personal -store. I also see the Trusted Root Certification Authorities -store, and the certificates inside.

If I try to drag and drop the certificate to the Trusted Root Certification Authorities -store, I receive the following error message:

The certificate cannot be pasted into the Trusted Root Certification Authorities -store. Access is denied.

If I try to import the certificate to said store, I receive the following error message:

The import failed because the store was read-only, the store was full, or the store did not open correctly.

If I try to install the certificate from the exported file, via 'Install certificate' -> 'Current User' -> 'Place all certificates in the following store' -> Browse , I can't see the Trusted Root Certification Authorities -store at all.

If I select the 'Certificates - Current User' -header, go to View -> Options, and enable 'Physical certificate stores' , I am able to drag and drop the certificate into the physical store Trusted Root Certification Authorities/Local Computer/Certificates

The certificate is now visible in the Trusted Root Certification Authorities store, but Visual Studio still throws the same error, browser thinks the cert is not trusted, and dotnet dev-certs https --check --trust outputs:

No valid certificate found.

If I leave the original certificate in Personal , export it without the private key and import the export into the physical store Trusted Root Certification Authorities/Local Computer/Certificates , dotnet dev-certs https --check --trust prints:

A trusted certificate was found: ...

...but the browser still thinks the cert is invalid, and Visual Studio throws the error.

Same result with dotnet run , without the trusting error in Visual Studio. It seems dotnet CLI does not check or attempt to trust the cert.

Same same but different: if I save the cert from Chrome and attempt to add it to the Trusted Root Certification Authorities via Chrome -> Settings -> Privacy and security -> Manage certificates -> Trusted Root Certification Authorities -> Import , I also receive:

The import failed because the store was read-only, the store was full, or the store did not open correctly.

I've run out of things to try, and there is probably something basic here I'm missing. What should I do?

Answer 1

So turns out that while I did delete all the localhost certificates in both user and machine stores, and reinstall IIS, somehow wrong localhost certificates were installed in the process, and I needed to delete them again, and install the one visible from the browser to the Local Computer certificates Trusted Root Certification store.

Hope this helps someone in the future. Always check your serial numbers.