Add support for automatically adding the dev cert to the Windows certificate store when trusted in WSL #64966
+98
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
area-commandlinetools
DamianEdwards
approved these changes
Jan 7, 2026
DamianEdwards
requested review from
BrennanConroy,
adityamandaleeka and
halter73
4 tasks
Contributor
Co-authored-by: danegsta <[email protected]>
…ecial characters Co-authored-by: danegsta <[email protected]>
…S script Co-authored-by: danegsta <[email protected]>
Fix command injection vulnerability in WSL certificate trust
This was referenced Jan 8, 2026
Open
BrennanConroy
approved these changes
Jan 8, 2026
… already exists and ensure that only a single error message is shown if there's an exception
| } | ||
|
|
||
| // Check to see if we're running in WSL; if so, use powershell.exe to add the certificate to the Windows trust store as well | ||
| if (IsRunningOnWslWithInterop()) |
Member
There was a problem hiding this comment.
Do we care if the other linux checks run? Should this check if sawTrustFailure is already true?
Member
Author
There was a problem hiding this comment.
I don't think it makes sense to skip just because we saw a failure as it still makes sense to run in a partial success state. There's already a check on line 338 that will exit early if there wasn't any success trusting the certificate, so if we made it to this point the certificate was at least trusted in some capacity. We still want all the other Linux specific logic to run on WSL since the goal is to trust it in both WSL and Windows in that case.
Member
Author
|
/backport to release/10.0 |
Contributor
|
Started backporting to |
11 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add support for automatically adding the dev cert to the Windows certificate store when trusted in WSL
When trusting the dev cert in WSL, also trust it in the Windows cert store.
Description
Updates Unix certificate trust behavior to check if running in WSL in interop mode based on well known file paths and environment variables. If so, attempt to use Windows powershell to add the dev cert to the Windows certificate store (under
currentuser/root) as well with the friendly name "ASP.NET Core HTTPS development certificate (WSL)". This will allow Windows applications (particularly browsers) to trust local development traffic from .NET applications running in WSL.Adding the certificate to only
currentuser/rootwill allow the WSL certificate to be trusted, but Kestrel running on Windows won't attempt to use the certificate as it only looks for the dev cert incurrentuser/my, so if the user wants to run dotnet apps on Windows they'd still need to rundotnet dev-certs https --truston the Windows side to enable serving with the dev cert.Fixes #45208