[release/10.0] Add support for automatically adding the dev cert to the Windows certificate store when trusted in WSL #64986
Backport of #64966 to release/10.0
/cc @danegsta
Add support for automatically adding the dev cert to the Windows certificate store when trusted in WSL
When trusting the dev cert in WSL, also trust it in the Windows cert store.
Description
Updates Unix certificate trust behavior to check if running in WSL in interop mode based on well-known file paths and environment variables. If so, attempt to use Windows PowerShell to add the dev cert to the Windows certificate store (under currentuser/root) as well, with the friendly name "ASP.NET Core HTTPS development certificate (WSL)". This will allow Windows applications (particularly browsers) to trust local development traffic from .NET applications running in WSL.
Adding the certificate to only currentuser/root will allow the WSL certificate to be trusted, but Kestrel running on Windows won't attempt to use the certificate as it only looks for the dev cert in currentuser/my, so if the user wants to run dotnet apps on Windows they'd still need to run dotnet dev-certs https --trust on the Windows side to enable serving with the dev cert.
Fixes #45208
Customer Impact
On WSL when the dev cert is trusted, that trust only applies to WSL, but not to the Windows side. This leads to problems where services running on Windows or browsers don't trust the certificate from services running in WSL despite the user having run dev-certs https --trust. The only way to fix the issue has been to manually export and copy certificates and manually add them to the Windows cert store. This automates that process when it's detected that the user is running on WSL in interop mode (so that they can run Windows executables from WSL), which results in the cert being trusted in both WSL and Windows.
Regression?
[If yes, specify the version the behavior has regressed from]
Risk
The new logic only applies when it's detected that we're on WSL and if it fails won't break other aspects of certificate trust on Linux systems.
Verification
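The two steps the description outlines (detect WSL interop, then hand the already-trusted dev cert to Windows PowerShell so it lands in CurrentUser\Root with the stated friendly name) can be reproduced by hand from a WSL shell. The script below is an added example and is not the PR's code or part of the aspnetcore repository; the PR says it probes "well known file paths and environment variables" without listing them, so the `/proc/sys/fs/binfmt_misc/WSLInterop` entry and `WSL_DISTRO_NAME` used here are assumptions, and the function names are invented for illustration. It exports only the public certificate (PEM, no password), converts the path with `wslpath`, and uses the .NET X509Store API from PowerShell so the friendly name is persisted on Add.

```shell
#!/bin/sh
# Added example, not code from the PR: mirror the WSL-side dev-cert trust into
# the Windows CurrentUser\Root store. Detection probes are assumptions.
set -u

# Assumed probes: the binfmt_misc entry exists when WSL can launch .exe files,
# and WSL_DISTRO_NAME is set inside a WSL distribution.
DEFAULT_BINFMT="/proc/sys/fs/binfmt_misc/WSLInterop"
FRIENDLY_NAME="ASP.NET Core HTTPS development certificate (WSL)"

# is_wsl_interop BINFMT_PATH DISTRO_NAME
# Returns 0 only when both signals are present; either missing means "not WSL
# with interop", and the caller must then leave the Windows store alone.
is_wsl_interop() {
    binfmt="$1"
    distro="$2"
    [ -n "$distro" ] && [ -e "$binfmt" ]
}

# ps_import_script WINDOWS_CERT_PATH FRIENDLY_NAME
# Prints the PowerShell that adds a public-only certificate file to
# CurrentUser\Root. FriendlyName is set before Add so the store records it.
# The path is single-quoted for PowerShell, so it must not contain a quote.
ps_import_script() {
    cat <<EOF
\$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('$1')
\$cert.FriendlyName = '$2'
\$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
\$store.Open('ReadWrite')
\$store.Add(\$cert)
\$store.Close()
Write-Output \$cert.Thumbprint
EOF
}

# trust_in_windows: export the cert WSL already trusts and import it on the
# Windows side. Only Root is touched, so, as the PR notes, Kestrel on Windows
# still will not find the cert in CurrentUser\My.
trust_in_windows() {
    if ! is_wsl_interop "$DEFAULT_BINFMT" "${WSL_DISTRO_NAME:-}"; then
        echo "not running under WSL with interop enabled; nothing to do" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    # PEM export without a password writes the certificate only, no private key.
    dotnet dev-certs https --export-path "$tmp/aspnet-dev.pem" --format Pem >/dev/null || return 1
    winpath=$(wslpath -w "$tmp/aspnet-dev.pem")
    # "-Command -" makes powershell.exe read the script from stdin.
    ps_import_script "$winpath" "$FRIENDLY_NAME" \
        | powershell.exe -NoProfile -NonInteractive -Command -
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# The side-effecting path runs only when asked for explicitly:
#   sh trust-wsl-devcert.sh --trust
if [ "${1:-}" = "--trust" ]; then
    trust_in_windows
fi
```

Run it inside WSL after `dotnet dev-certs https --trust`; it prints the thumbprint Windows now trusts, which you can compare against `dotnet dev-certs https --check` on the Linux side. On a plain Linux box `is_wsl_interop` fails and the script exits without touching anything, matching the PR's risk statement that the new path is a no-op outside WSL.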