Add logging if we detect the app host is running with an untrusted dev cert #13943

Open
danegsta wants to merge 19 commits into main from danegsta/trust

@danegsta
Member

Description

It's possible, particularly after .NET SDK updates, to end up in a situation where there's a newer dev cert added to the CurrentUser/My cert store (which is the source of dev certs for TLS termination), but not to the CurrentUser/Root cert store which is where trusted certificates are pulled from. This can lead to a situation where services try to terminate HTTPS endpoints with an updated dev cert, but nothing actually trusts the new certificate. Diagnosing the issue is confusing and can require checking the logs for individual services.

This adds an explicit error level log if automatic dev cert trust is enabled and the latest certificate isn't in the trusted root store.

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?
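
Added example, not part of the PR or the Aspire code base: a stand-alone C# check for the condition the description above explains, listing the ASP.NET Core dev certs in CurrentUser/My and reporting whether each one, and the newest in particular, is also present in CurrentUser/Root. Assumptions: dev certs are recognized by the extension OID 1.3.6.1.4.1.311.84.1.1, "latest" is taken as the newest NotBefore date, and trust is judged only by thumbprint presence in the Root store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Extension OID that marks an ASP.NET Core HTTPS development certificate.
const string AspNetHttpsOid = "1.3.6.1.4.1.311.84.1.1";

// Snapshot a CurrentUser store read-only; a store that cannot be opened counts as empty.
static X509Certificate2[] ReadStore(StoreName name)
{
    try
    {
        using var store = new X509Store(name, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        return store.Certificates.Cast<X509Certificate2>().ToArray();
    }
    catch (CryptographicException) { return Array.Empty<X509Certificate2>(); }
}

var now = DateTime.Now; // NotBefore/NotAfter are reported in local time
var devCerts = ReadStore(StoreName.My)
    .Where(c => c.Extensions.Cast<X509Extension>().Any(e => e.Oid?.Value == AspNetHttpsOid))
    .Where(c => c.HasPrivateKey && c.NotBefore <= now && now <= c.NotAfter)
    .OrderByDescending(c => c.NotBefore) // assumption: "latest" = newest NotBefore
    .ToList();

if (devCerts.Count == 0)
{
    Console.WriteLine("No valid dev cert with a private key in CurrentUser/My.");
    return 2;
}

var trustedThumbprints = ReadStore(StoreName.Root)
    .Select(c => c.Thumbprint)
    .ToHashSet(StringComparer.OrdinalIgnoreCase);

foreach (var cert in devCerts)
{
    var state = trustedThumbprints.Contains(cert.Thumbprint) ? "trusted" : "NOT in Root";
    Console.WriteLine($"{cert.Thumbprint}  {cert.NotBefore:yyyy-MM-dd}  {state}");
}
// The condition from the description: the newest cert terminates TLS, so it must be trusted.
if (!trustedThumbprints.Contains(devCerts[0].Thumbprint))
{
    Console.WriteLine("Latest dev cert is untrusted; run 'dotnet dev-certs https --trust'.");
    return 1;
}
return 0;
```

An older dev cert showing as trusted while the newest one does not is exactly the post-SDK-update state the description refers to.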

Copilot AI review requested due to automatic review settings January 15, 2026 21:44
@github-actions
Contributor

github-actions bot commented Jan 15, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 13943

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 13943"

Contributor

Copilot AI left a comment

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI commented Jan 15, 2026

@danegsta I've opened a new pull request, #13946, to work on those changes. Once the pull request is ready, I'll request review from you.

@davidfowl
Member

Logging isn't good enough, let's turn this into a notification.

@danegsta danegsta requested a review from mitchdenny as a code owner January 16, 2026 00:29
@danegsta
Member Author

> Logging isn't good enough, let's turn this into a notification.

Added both a notification and explicitly controlling the dev cert the dashboard uses.

@danegsta danegsta closed this Jan 16, 2026
@danegsta danegsta reopened this Jan 16, 2026
@dotnet-policy-service dotnet-policy-service bot added this to the 13.2 milestone Jan 16, 2026
@mitchdenny
Member

/ba-g transient template failures.

Member

@mitchdenny mitchdenny left a comment

Looks good.

@github-actions
Contributor

github-actions bot commented Jan 24, 2026

🎬 CLI E2E Test Recordings

The following terminal recordings are available for commit 157a72c:

| Test | Recording |
| --- | --- |
| CreateAndDeployToDockerCompose | ▶️ View Recording |
| CreateAndDeployToDockerComposeInteractive | ▶️ View Recording |
| CreateAndRunAspireStarterProject | ▶️ View Recording |
| CreateAndRunJsReactProject | ▶️ View Recording |
| CreateAndRunPythonReactProject | ▶️ View Recording |
| CreateEmptyAppHostProject | ▶️ View Recording |
| CreateStartAndStopAspireProject | ▶️ View Recording |
| CreateTypeScriptAppHostWithViteApp | ▶️ View Recording |
| DoctorCommand_WithSslCertDir_ShowsTrusted | ▶️ View Recording |
| DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted | ▶️ View Recording |
| PsCommandListsRunningAppHost | ▶️ View Recording |

📹 Recordings uploaded automatically from CI run #21379107285

logger.LogWarning("{Message}", message);

// Send notification to the dashboard
_ = interactionService.PromptNotificationAsync(
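
Review bot: on the `_ = interactionService.PromptNotificationAsync(` line the returned task is discarded, so an exception or cancellation from the dashboard prompt is never observed and the `LogWarning` above is the only trace that anything was reported. Consider observing the task (await it, or attach a continuation that logs a fault), and extend the "Send notification to the dashboard" comment to say why the call is deliberately not awaited.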
Member

Why

Member Author

I moved where the check happens to DcpHost alongside the container runtime check.

Contributor

Copilot AI commented Jan 24, 2026

@danegsta I've opened a new pull request, #14110, to work on those changes. Once the pull request is ready, I'll request review from you.

@davidfowl
Member

@DamianEdwards can you try this out.

@DamianEdwards
Member

DamianEdwards commented Feb 4, 2026

✅ PR #13943 Validation Report - VERIFIED

PR Information

  • Title: Add logging if we detect the app host is running with an untrusted dev cert
  • Head Commit: 157a72cc734739e9bd3613abb5193cb646f64545
  • Tested At: 2026-02-04

CLI Version Verification

  • Expected Commit: 157a72cc
  • Installed Version: 13.2.0-pr.13943.g157a72cc
  • Status: ✅ Verified

Test Results

| Scenario | Status | Notes |
| --- | --- | --- |
| 1. Basic Aspire Project Run | ✅ Passed | 2 resources running correctly |
| 2. Untrusted Cert Notification | ✅ Passed | Dashboard shows notification banner |
| 3. Trusted Cert (Baseline) | ✅ Passed | No notification when cert is trusted |

Evidence

Scenario 2 - Untrusted Certificate:

  • Console: ⚠ Developer certificates may not be fully trusted (trust exit code was: 4)
  • Log: [Warning] Aspire.Hosting.Dcp.DcpHost: The most recent ASP.NET Core Development Certificate isn't fully trusted. Run 'dotnet dev-certs https --trust'...
  • Dashboard: Notification banner visible - "Development certificate not fully trusted"
[Image: scenario2-untrusted-cert-notification]

Scenario 3 - Trusted Certificate:

  • Console: No cert warnings
  • Log: No cert warnings
  • Dashboard: No notification banner
[Image: scenario3-trusted-cert-no-notification]

Overall Result: ✅ PR VERIFIED

The PR correctly implements:

  1. Warning-level logging when the dev cert is untrusted
  2. Dashboard notification banner with actionable guidance (dotnet dev-certs https --trust)
  3. No false positives when the certificate is properly trusted

📋 Full session log: https://gist.github.com/DamianEdwards/9a40bff87fcf4cb6bd37321673feab10
