Visual Studio 2017 gives 'Adding the Certificate to The Trusted Root Certificates store failed with the following Errror'

Question

I am trying to run ASP MVC application with SSL mode set to true and whenever i run the application, i get prompt to trust the IIS Express SSL certificate. Upon clicking Yes, it gives the error message 'Adding the Certificate to The Trusted Root Certificates store failed with the following Errror. Access is denied'. I am running my Visual Studio 2017 as administrator mode. I have also deleted localhost certificate by going to MMC. Has anyone else run into this issue.

SOLN: This is what worked for me. deleted all localhost certificates. ran repair IIS Express in Add/Remove Programs. Copy and pasted localhost certificate from Personal/Certificate to Trusted Root Certificates and it didn't complain anymore.

Answer 1

My team is running Docker and .Net 7. We found that we were missing the "User Secrets" for Kestral to run. I found the solution here: Adding the certificate to the Trusted Root Certificates store failed with the following error: Failed to create the certificate.

Our Secrets file was missing and needed to look like this (I changed the value in case it matters):

{
    "Kestrel:Certificates:Development:Password": "111111-111-1111-1111-11111"
}

Answer 2

I tried all of your solutions. But did not get it to work. One thing I solution that instantly worked was to open PowerShell in administrator, and then run this, which deletes all your old localhost keys, adds new ones and adds them to the trusted rootcertificates folder:

$cert = New-SelfSignedCertificate -DnsName "localhost", "localhost" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5);
$thumb = $cert.GetCertHashString();

For ($i=44300; $i -le 44399; $i++) {
    netsh http delete sslcert ipport=0.0.0.0:$i
};

For ($i=44300; $i -le 44399; $i++) {
    netsh http add sslcert ipport=0.0.0.0:$i certhash=$thumb appid=`{214124cd-d05b-4309-9af9-9caa44b2b74a`} 
};

$StoreScope = 'LocalMachine';
$StoreName = 'root';

$Store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, $StoreScope; $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite);
$Store.Add($cert);

$Store.Close();

Source: https://steffbeckers.eu/blog/iis-express-localhost-ssl-certificate-reset

Answer 3

On ASP.NET 6 Core project - I tried a myriad of the answers posted here to no avail. Eventually I found myself on this MS Learn article.

Following that tutorial to a T finally seemed to fix the issue. Not sure how the end result was different than what half of the suggestions here were, but it worked when the other methods didn't.

Note: On step 4c, I needed to click Browse and check Show Physical Stores, and select the Local Computer subfolder of Trusted Root Certification Authorities, otherwise the import would fail with Access Denied again.

Answer 4

In visual studio 2022 .NET 6 Project I am fetching this problem. I found solution in https://developercommunity.visualstudio.com/t/adding-the-certificate-to-the-trusted-root-certifi-1/1576614

If we install .NET 6 SDK on Visual Studio 2022 Installation time, it automatically install 64 bit version. You need to install the 32-bit (note: not 64) Net 6 SDK. Everything works fine thereafter.

Download link: https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Answer 5

I encountered this problem when upgrading from Visual Studio 2019 to 2022. I had previously done a manual export/import of the IIS Express certificate from Certificates (Local Computer) -> Personal to Certificates (Local Computer) -> Trusted Root Certification Authorities, to fix an issue with VS2019.

I assumed VS2022 would be happy with the same certificate, but not so - I started getting the error messages shown above.

What I did to fix it was:

1. Delete all localhost certificates from both Personal and Trusted Root (I did it for Current User and Local Computer)
2. Repair IIS Express, to generate a new certificate
3. Restart VS2022, run my app in Debug mode, and let VS handle the trusting of the certificate (reply "Yes" when prompted to trust it) - it did this successfully and I have had no problems since.

Answer 6

In the terminal run:

dotnet dev-certs https -c

This will let you know if you have any valid self signed certs.

You can then run:

dotnet dev-certs https --check --trust

This will let you know if you have any trusted self signed certs.

If you have expired or untrusted dev certs you can run:

dotnet dev-certs https --clean

This will remove the certs.

If you want to add a cert/trusted cert you can run:

dotnet dev-certs https --trust

This will create a self signed cert and attempt to add it to the Trusted Root Certification Authorities folder.

If this fails you will need to manually add the cert to the Trusted Root Certification Authorities folder.

Manually adding the cert:

1. The first step is to type in the 'Type here to search' section on windows "run" once run is opened type "mmc" and hit ok. This will pull up the console root.

2. You will then have to click on: file -> Add/Remove snap-in -> certificates -> add and then click ok. This will take you to the Certificates for the current user

3. Expand the Personal folder and then click on the Certificates folder. Scroll until you find a cert with the name 'localhost'

Now you might be able to just copy and paste the localhost file into the Trusted Root folder. If that works then you're done! You can verify if it worked by running the command:

   dotnet dev-certs https --check --trust.

If that did not work and you still have an untrusted cert then you will have to follow the steps below.

4. Right Click on the localhost cert and then click on 'All Tasks' and then click 'Export...' We need to first export the cert before we can import it to the Trust Root folder

5. Follow the Certificate export wizard. You do not have to change the defaults so just keep clicking next until you reach the 'File to export' screen. Click browse and select your desktop as the destination and name the file 'localhost'. Click next and then finish. This will create a file on your desktop with the name localhost.cer

6. Now double click on the localhost.cer file on your desktop. A popup should appear, click the button that says 'Install Certificate...'

7. Make sure to set the store location to 'Local Machine' and click next.

8. Then select 'Place all certificates in the following store', click browse, and then select 'Trusted Root Certification Authorities' and click finish

The last step is to make sure the cert is now trusted so in the terminal run:

 dotnet dev-certs https --check --trust

You should get a response stating: A trusted certificate was found. That means you're good to go!

You no longer need the cert on your desktop so you can delete that file.

Answer 7

If anyone gets this error while using docker, chances are that it's not the real problem and you have to look into output to find it. In my case it was missing UserSecretID in .csproj file, but this error was shown.

Answer 8

You can use powershell to move the certificate from the personal store to the trusted (root) store.

$cert = (Get-Childitem cert:\LocalMachine\My | Where-Object { $_.subject -eq 'localhost' }).Thumbprint
copy-item -path cert:\LocalMachine\My\$cert -Destination cert:\LocalMachine\Root\

Answer 9

Here's my first time answer. I have solved the issue using this method.

1. In start menu type certificates, you will see option (Manage Computer Certificates) not the (Manage user Certificate) View Image

2. After that go to personal -> Certificates and find localhost

3. drag localhost to trusted root certifications Authorities -> Certificates

4. Now structure list issue resolved as first it wasn't permitting to import in user certificates.

5. So, now go to start type certificate again but instead of manage computer certificate go to manager user certificates and do the same drag and drop from personal to trusted root certification authorities -> certificate folder.

Note: In case you have deleted localhost from personal then just import it by first opening the visual studio project on chrome you will see certificate details in left of address bar and export that certificate and import that certificate to personal -> certificate folder

Answer 10

Here is another simple step by step solution in case the answers provided are not clear for you.

Step 1: Go to Windows Start and type Certificates, then click on Manage computer certificates. This would open the certificate manager window.

Step 2: Now click on the arrow on >Personal folder, then click on the Certificates folder. Now select and Delete all certificates in the folder.

Answer 11

I'm a total noob on this and wanted to share the solution I found after struggling some time and reading many posts. It is very similar to what sanjeev posted, however with more detail so if you are new to this (as myself), you can solve it faster.

If you have this issue with Visual Studio 2019 and Win 10, delete all localhost certificates at MMC: (1) cmd>run as admin>type "mmc" and press enter (2) File>Add/Remove Snap-in... (3) Select "Certificates" and click Add button (4) Select options "Computer Account" and "Local computer" (5) Console Root folder > click and expand Certificates (6) Delete all localhost certificates at different folders

Then at Control Panel>Program and Features find IIS 10.0 Express at the list, right click and select "Repair". This will create a new localhost certificate at the Certificate's "Personal" folder (at the MMC window used previously - don't forget to refresh to see this new certificate)

Copy (right click on the certificate) this certificate located in the "Personal" folder and paste it into the folder "Trusted Root Certification Authorities">"Certificates"

DELETE the localhost certificate from the "Personal" folder. There should be only one localhost certificate and located at the "Trusted Root Certification Authorities" folder

After this, it should work fine, hope you find this useful

Answer 12

My error was actually "asp.net developer certificate is not installed" but I think the solution below would still work in this case. Execute the following commands in command prompt.

dotnet dev-certs https --trust --check
echo Trust check: %errorlevel%
dotnet dev-certs https --trust -ep "%APPDATA%\ASP.NET\https\TestCert.pfx" -p TestPassword
echo Trust/Export: %errorlevel%

Reference: https://github.com/Microsoft/DockerTools/issues/147#issuecomment-420433974

Answer 13

After having struggled with this issue now for a week (using Win 10 and Visual Studio 2019 Community Edition Version 16.1.1) and trying various solutions I found out the following:

• by default the localhost certificate for IISExpress 10 gets installed in: Certificates (Local Computer) -> Personal

• Repairing IISExpress 10 (Programs -> Programs and Features) will create a new localhost certificate also in: Certificates (Local Computer) -> Personal

• Then export that certificate by saving it to a file using:

Then import that certificate into: Certificates (Local Computer) -> Trusted Root Certification Authorities

• then as user2988031 pointed out: delete the certificate from Certificates (Local Computer) -> Personal

I also tried to use "dotnet dev-crts https --trust" but that did not work for me and always produced the following error:

So to wrap it up: make shure there is only 1 localhost certificate which is in Certificates (Local Computer) -> Trusted Root Certification Authorities

Update: I just realized that after modifying the web application a few times a different error manifested and I had to go through the whole process again in order to get it to work!

Answer 14

Note: Adding the OP's solution from the question as an answer.

This is what worked for me. deleted all localhost certificates. ran repair IIS Express in Add/Remove Programs. Copy and pasted localhost certificate from Personal/Certificate to Trusted Root Certificates and it didn't complain anymore.

Repairing/reinstalling IIS Express does not appear to actually fix this issue (as of IIS Express 10), the real solution is to add the localhost certificate to Trusted Rood Certificates.

Full details for how to do this is covered by this blog post: https://blogs.iis.net/robert_mcmurray/how-to-trust-the-iis-express-self-signed-certificate

In summary,

• Open the certificate manager via "manage computer certificates" in control panel or by running certlm in a cmd prompt
• Under Personal>Certificates export the localhost cert and save it to disk
  • don't export the private key! Just export the public key.
• Under Trusted Root Certification Authorities, right click on Certificates and import the cert you just exported

Answer 15

It worked to me just running CMD > certlm and deleting the localhost certificate inside the personal folder.