Status: Closed
Labels: area-app-model (Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication)
Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
If you have multiple dev certs available, Aspire prefers the most recent certificate (the one with the highest version).
However, after installing a newer .NET SDK (which generates a dev cert with a new version), this can result in Aspire preferring an untrusted cert over a trusted one.
Expected Behavior
- Aspire should prefer a trusted cert over a newer but untrusted one.
- Aspire should log warnings on startup when it is going to use a dev cert that is not trusted on the host.
Steps To Reproduce
- Clean out your dev certs: `dotnet dev-certs https --clean`
- Run the following against an older .NET SDK version (in my case 9.0.309, generating a V3 cert): `dotnet dev-certs https --trust`
- Now run the following against the latest 10.x SDK (in my case 10.0.102, generating a V6 cert): `dotnet dev-certs https`
- Start your app host.
Exceptions (if any)
No response
.NET Version info
No response
Anything else?
I'm currently toying around with adding some validation of this myself; this is where I've got to so far:
```csharp
using System.Security.Cryptography.X509Certificates;
using Aspire.Hosting.ApplicationModel;
using Aspire.Hosting.Eventing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class DevCertValidationSubscriber : IDistributedApplicationEventingSubscriber
{
    public Task SubscribeAsync(IDistributedApplicationEventing eventing, DistributedApplicationExecutionContext executionContext, CancellationToken cancellationToken)
    {
        // Validate the dev cert once, before any resource is started.
        eventing.Subscribe<BeforeStartEvent>(BeforeStartEvent);
        return Task.CompletedTask;
    }

    private Task BeforeStartEvent(BeforeStartEvent evt, CancellationToken cancellationToken)
    {
#pragma warning disable ASPIRECERTIFICATES001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
        var devCertService = evt.Services.GetRequiredService<IDeveloperCertificateService>();
#pragma warning restore ASPIRECERTIFICATES001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
        var logger = evt.Services.GetRequiredService<ILogger<DevCertValidationSubscriber>>();

        List<string> issues = [];
        // Aspire puts the certificate it intends to use first.
        var primaryCert = devCertService.Certificates.FirstOrDefault();
        if (primaryCert == null)
        {
            issues.Add("Developer Certificate not found");
        }
        else
        {
            // Container resources need a cert that also covers container host names.
            if (!devCertService.SupportsContainerTrust && evt.Model.Resources.Any(x => x.Annotations.OfType<ContainerImageAnnotation>().Any()))
            {
                issues.Add("Developer Certificate does not support container host names");
            }

            // Build the chain against the OS trust store; the chain holds native handles, so dispose it.
            using var chain = new X509Chain();
            var isTrusted = chain.Build(primaryCert);
            if (!isTrusted)
            {
                issues.Add("Developer Certificate is not trusted by the OS");
            }
        }

        if (issues.Count != 0)
        {
            logger.LogWarning("Developer Certificate validation failed: {Issues}. Please run `dotnet dev-certs https --trust` and restart the application to resolve.", issues);
        }

        return Task.CompletedTask;
    }
}
```
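As an added example that is not part of this issue or of Aspire's own code: a hypothetical `DevCertSelector` helper that implements the expected behaviour described above, choosing the newest developer certificate whose chain actually builds to a trusted root and recording why the others were skipped. It assumes the caller already has the candidate certificates (for instance the list Aspire discovered) and uses `NotBefore` as a stand-in for the cert version, since a cert generated by a newer SDK is also issued later.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of Aspire: prefer the newest trusted dev cert,
// and fall back to "none" with diagnostics instead of silently using an untrusted one.
public static class DevCertSelector
{
    public sealed record Selection(X509Certificate2? Certificate, IReadOnlyList<string> Diagnostics);

    public static Selection PickTrusted(IEnumerable<X509Certificate2> candidates)
    {
        var diagnostics = new List<string>();

        // Newest first, which is the order Aspire currently prefers; the difference is
        // that an untrusted cert is skipped rather than chosen.
        foreach (var cert in candidates.OrderByDescending(c => c.NotBefore))
        {
            var failure = TrustFailure(cert);
            if (failure is null)
            {
                return new Selection(cert, diagnostics);
            }
            diagnostics.Add($"{cert.Thumbprint} (issued {cert.NotBefore:u}) skipped: {failure}");
        }

        diagnostics.Add("No trusted developer certificate found; run `dotnet dev-certs https --trust`.");
        return new Selection(null, diagnostics);
    }

    // Returns null when the OS trusts the certificate; otherwise the chain status reasons
    // (e.g. UntrustedRoot, NotTimeValid), which is more useful in a startup warning than a bare bool.
    public static string? TrustFailure(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        // Dev certs are self-signed and publish no CRL, so revocation checking only adds noise.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (chain.Build(cert))
        {
            return null;
        }
        return string.Join(", ", chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
    }
}
```

Feeding `devCertService.Certificates` into `PickTrusted` and logging `Diagnostics` from a `BeforeStartEvent` subscriber gives the startup warning the expected behaviour asks for, with the chain errors of each rejected cert included.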