Hi @rmarinho I'm going through the exact same error, with the exact same dev stack.
I've gone through all the pages suggesting to remove the certificate from system key, run the --clean and --trust commands but nothing works.

Does anyone have further ideas on what to try next? It'd be greatly appreciated. Thank you.

@rmarinho thanks for contacting us.

Could you check a few things?
Do you have any "localhost" certificate on your keychain? (If so, assuming that it is an asp.net core generated one)
Can you remove it manually?
Also check on the system certificates for the same certificate and remove it from there too.

Can you run dotnet dev-certs https --check and report the exit code?

Hi, I removed the one I had, same error, but it does create a new one on keychain.
I didn't have any on system certificates only on the login keychain.

iRuiMSFT-MBP:~ rmarinho$ dotnet dev-certs https --check
A valid HTTPS certificate was found but it may not be accessible across security partitions. Run dotnet dev-certs https to ensure it will be accessible during development.

Can you try and run security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9 <<login-keychain>> from the command-line and see if it succeeds? (replacing <<logi-keychain>> with your actual keychain path)

I managed to resolve this.

• Create a self-signed certificate
• Run on command line dotnet tool install --global dotnet-dev-certs
• Restart your box

I struggled with that error related to the security partitions. It's so weird. I'm still not aware as of what's the root cause of it.

• Run on command line dotnet tool install --global dotnet-dev-certs

You shouldn't do this, or I'm not sure it has any effect, as the dotnet-dev-certs tool is bundled with the SDK and I believe those will take preference.

This issue most likely has to do with notarization on Mac OS. Did you download the installer for Mac OS or did you use the binary distribution? I believe both should be notarized, but that can be the root of the issue

I downloaded the installer for Mac OS. Maybe version 3.1 didn't include the dev-certs. Would that be the case? --check option showed me that (no certs included).

Certs are not included, the certs are generated on the machine. Are you using macOS Catalina (10.15.4 Beta (19E242d)) ?

@javiercn I think my last dotnet sdk was installed by Visual Studio for Mac update system.

I m on the latest beta ( 10.15.4 Beta (19E250c)

Queuing in ✋

Same problem. What worked like 3 weeks ago, all of a sudden stopped. I cleaned up through dotnet dev-certs https --clean, but dotnet dev-certs https --trust then asks me to provide the password for my login.keychain-db and rejects it. I even reset it through security set-keychain-password, without success.

=== Visual Studio Community 2019 for Mac ===

Version 8.4.8 (build 2)
Installation UUID: ddc1ff0c-8d88-428e-8706-9c5852e78933
    GTK+ 2.24.23 (Raleigh theme)
    Xamarin.Mac 5.16.1.25 (issue-7441-d16-3-vsmac / 881172e73)

    Package version: 606000166

=== Mono Framework MDK ===

Runtime:
    Mono 6.6.0.166 (2019-08/d9001b5ae70) (64-bit)
    Package version: 606000166

=== Roslyn (Language Service) ===

3.4.0-beta4-19562-05+ff930dec4565e2bc424ad3bf3e22ecb20542c87d


=== .NET Core SDK ===

SDK: /usr/local/share/dotnet/sdk/3.1.102/Sdks
SDK Versions:
    3.1.102
    3.1.101
    3.1.100
    3.0.101
    3.0.100
    2.2.402
    2.1.802
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/6.6.0/lib/mono/msbuild/Current/bin/Sdks

=== .NET Core Runtime ===

Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
    3.1.2
    3.1.1
    3.1.0
    3.0.1
    3.0.0
    2.2.7
    2.1.15
    2.1.14
    2.1.13


=== Build Information ===

Release ID: 804080002
Git revision: 4f35aa7e44fb398379e512d0bfd6f8df8d34b5ac
Build date: 2020-02-27 16:16:52+00
Build branch: release-8.4
Xamarin extensions: 4f35aa7e44fb398379e512d0bfd6f8df8d34b5ac

=== Operating System ===

Mac OS X 10.15.3
Darwin 19.3.0 Darwin Kernel Version 19.3.0
    Thu Jan  9 20:58:23 PST 2020
    root:xnu-6153.81.5~1/RELEASE_X86_64 x86_64

@aspnetde Are you also in the Mac OS Catalina beta?

Are you also in the Mac OS Catalina beta?

@javiercn Nope. Regular version.

@aspnetde can you provide the details about the error? (console output, etc.)

You can try and run the command manually and see if that fixes the issue?

You can try and run the command manually and see if that fixes the issue?

As stated in my first comment, I already did that (following the docs).

Here is another failed round:

thomas@TB-MBP-2017 ~ % dotnet dev-certs https --check     
A valid HTTPS certificate was found but it may not be accessible across security partitions. Run dotnet dev-certs https to ensure it will be accessible during development.
thomas@TB-MBP-2017 ~ % dotnet dev-certs https --clean     
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
HTTPS development certificates successfully removed from the machine.
thomas@TB-MBP-2017 ~ % dotnet dev-certs https --check
No valid certificate found.
thomas@TB-MBP-2017 ~ % dotnet dev-certs https --trust     
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
Password:
password to unlock /Users/thomas/Library/Keychains/login.keychain-db: 
keychain: "/Users/thomas/Library/Keychains/login.keychain-db"
version: 512
class: 0x0000000F 
attributes:
    0x00000000 <uint32>=0x0000000F 
    0x00000001 <blob>="<key>"
    0x00000002 <blob>=<NULL>
    0x00000003 <uint32>=0x00000001 
    0x00000004 <uint32>=0x00000000 
    0x00000005 <uint32>=0x00000000 
    0x00000006 <blob>=0xFB53860E4AA8B4728D5B0FEF29B3090935FBD083  "\373S\206\016J\250\264r\215[\017\357)\263\011\0115\373\320\203"
    0x00000007 <blob>=<NULL>
    0x00000008 <blob>=0x7B38373139316361322D306663392D313164342D383439612D3030303530326235323132327D00  "{87191ca2-0fc9-11d4-849a-000502b52122}\000"
    0x00000009 <uint32>=0x0000002A  "\000\000\000*"
    0x0000000A <uint32>=0x00000800 
    0x0000000B <uint32>=0x00000800 
    0x0000000C <blob>=0x0000000000000000 
    0x0000000D <blob>=0x0000000000000000 
    0x0000000E <uint32>=0x00000000 
    0x0000000F <uint32>=0x00000000 
    0x00000010 <uint32>=0x00000001 
    0x00000011 <uint32>=0x00000000 
    0x00000012 <uint32>=0x00000001 
    0x00000013 <uint32>=0x00000000 
    0x00000014 <uint32>=0x00000001 
    0x00000015 <uint32>=0x00000000 
    0x00000016 <uint32>=0x00000001 
    0x00000017 <uint32>=0x00000000 
    0x00000018 <uint32>=0x00000000 
    0x00000019 <uint32>=0x00000000 
    0x0000001A <uint32>=0x00000000 
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.
thomas@TB-MBP-2017 ~ % dotnet dev-certs https --check
A valid HTTPS certificate was found but it may not be accessible across security partitions. Run dotnet dev-certs https to ensure it will be accessible during development.
thomas@TB-MBP-2017 ~ % 

I'm having the same issue.

when running
Command:
dotnet dev-certs https -c
Results:
A valid HTTPS certificate was found but it may not be accessible across security partitions. Run dotnet dev-certs https to ensure it will be accessible during development.

Command:
dotnet dev-certs https -t -v
Results:
security: SecKeychainItemCopyAccess: The specified item is no longer valid. It may have been deleted from the keychain. Listing 'HTTPS' certificates on 'CurrentUser\My'. '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 4AED6BC2B253402E22B060BC1FB646EBEDA33D37 - 3/5/2020 9:48:35 PM - 3/5/2021 9:48:35 PM - True Checking certificates for validity. Listing valid certificates '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 4AED6BC2B253402E22B060BC1FB646EBEDA33D37 - 3/5/2020 9:48:35 PM - 3/5/2021 9:48:35 PM - True Listing invalid certificates '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Listing 'HTTPS' certificates on 'LocalMachine\My'. '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Checking certificates for validity. Listing valid certificates '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Listing invalid certificates '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Filtering found certificates to those with a subject equal to 'CN=localhost' '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 4AED6BC2B253402E22B060BC1FB646EBEDA33D37 - 3/5/2020 9:48:35 PM - 3/5/2021 9:48:35 PM - True Listing certificates excluded from consideration. '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Failed to make certificate key accessible Exception message: Error making the key accessible across partitions. Something went wrong. The HTTPS developer certificate could not be created.

Mac Os Version:

We are also having this issue!

I was facing the issue as well. Found out that the issue started with the installation of ASP Net Core SDK 3.1.102. I'm using Mac OS 10.15.3 Beta.

After I removed the SDK 3.1.102, the issue went away.

Use this to remove SDK 3.1.102
sudo rm -rf /usr/local/share/dotnet/sdk/3.1.102
sudo rm -rf /usr/local/share/dotnet/shared/Microsoft.NETCore.App/3.1.2
sudo rm -rf /usr/local/share/dotnet/shared/Microsoft.AspNetCore.App/3.1.2
sudo rm -rf /usr/local/share/dotnet/host/fxr/3.1.2

What I notice while investigating between SDK 3.1.101 and SDK 3.1.102 for the localhost cert is that 3.1.102 is missing the localhost self-signed on System and the login localhost self-signed cert is not marked as always trusted whereas SDK 3.1.101 had both login and System localhost self-signed cert and both are set at always trust for all of the trust level.

For me, i couldn't find /usr/local/share/dotnet/host/fxr/3.1.102.
Instead i removed /usr/local/share/dotnet/host/fxr/3.1.2 and worked.

For me, i couldn't find /usr/local/share/dotnet/host/fxr/3.1.102.
Instead i removed /usr/local/share/dotnet/host/fxr/3.1.2 and worked.

My bad, it's 3.1.2 for the file in fxr. I'm writing based off my memory as I had already removed those files. Updated my steps

There are many reports on this thread, so I'm going to try and give some manual steps on how to potentially address/mitigate this issue while we investigate:
See here for instructions on how to remove, make accessible across partitions and trust certificates manually.

For those affected, I suggest you do as follows:

• Clean up your certificates manually.
• Create a new certificate with dotnet dev-certs https
  
  
  
  • If this step fails to make the certificate accessible across partitions, make it accessible across partitions try and make it accessible across partitions manually following the instructions in the gist provided above.
  
  
  • If the instructions for making the certificate accessible across partition fail, follow the instructions below.
  
  
  • To unblock yourself, get the SHA256 signature of the certificate (you can do so in keychain access by inspecting the certificate)
    
    
  
  
  • Create a file with the name certificate.<<sha256>>.sentinel inside ~/.dotnet/
  
  
• Trust the certificate manually by exporting the certificate from Keychain Access and trusting it security add-trusted-cert as described in the document.

Important details for this issue

In order for us to help investigate this issue, the following information will help us:

• OS Version
• List of installed SDKs
  
  
  
  • If you remember the order in which they got installed, include that.
  
  
  • Did you run a binary distribution side by side (from a downloaded .tar.gz)?
  
  
  • Were all the SDKs you installed notarized?
  
  
  • Hint: If the installer was not notarized Mac OS would have blocked the installation and you would have had to manually unblock it.
  
  
  • Does following the steps described above fix your issue?
  
  
  • If it does not, can you provide details of what manual step fails and the output of the command.
  
  
  • If it does, please provide the concrete set of steps that you followed as that will help us narrow down the issue and help other people workaround it.
  
  

I was facing the issue as well. Found out that the issue started with the installation of ASP Net Core SDK 3.1.102. I'm using Mac OS 10.15.3 Beta.

After I removed the SDK 3.1.102, the issue went away.

For me, everything was fine until I updated the SDK, but this solved the problem.
I just removed that SDK version and re-generated my certificates:

sudo rm -rf /usr/local/share/dotnet/sdk/3.1.102
sudo rm -rf /usr/local/share/dotnet/shared/Microsoft.NETCore.App/3.1.2
sudo rm -rf /usr/local/share/dotnet/shared/Microsoft.AspNetCore.App/3.1.2
sudo rm -rf /usr/local/share/dotnet/host/fxr/3.1.2

• dotnet dev-certs https --clean
• dotnet dev-certs https -t

Thank you @frozenfroze!!

Important update

This is an ongoing issue in the latest SDK version (3.1.102) that we are still investigating.
To workaround this issue follow these steps:

• Make sure you open Keychain Access and delete all the localhost certificates in the login keychain and in the system keychain that were created by ASP.NET Core.
• Open bash in the terminal.
• Create a temporary folder and cd into it.
• Run the following script https://gist.github.com/javiercn/d04855b7a3581bf97d1ab9597935413f#file-generate-sh

You can find PID of securityd process and run log stream --process <PID> . That should provide additional insight into what is going on at OS level. (systemd is the processed managing access to KeyChain items)
Also, this may be counterintuitive but it matters if 'dotnet' is self comes from 3.1 or not. (as all versions override same binary so sequence matters and list of available sdks is only hint) )
You can check with codesign -v -d --entitlements --extract-certificates /usr/local/share/dotnet/dotnet (or what ver path) to see if signed or unsigned binary is used.

I am also having serious troubles with this. I had the problem 2 weeks ago and fixed it based on the comments from @frozenfroze I added docker support which was not successful, so I smashed the project, cloned from github and now the problem is back again.

I am unable to even created the dev certificate. Any progress?

dotnet dev-certs https --check
No valid certificate found.

dotnet dev-certs https --clean
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
HTTPS development certificates successfully removed from the machine.

dotnet dev-certs https
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Something went wrong. The HTTPS developer certificate could not be created.

dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 3.1.201
Commit: b1768b4ae7

Runtime Environment:
OS Name: Mac OS X
OS Version: 10.14
OS Platform: Darwin
RID: osx.10.14-x64
Base Path: /usr/local/share/dotnet/sdk/3.1.201/

Host (useful for support):
Version: 3.1.3
Commit: 4a9f85e9f8

.NET Core SDKs installed:
3.0.100 [/usr/local/share/dotnet/sdk]
3.1.101 [/usr/local/share/dotnet/sdk]
3.1.200 [/usr/local/share/dotnet/sdk]
3.1.201 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.1 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.13 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.15 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.16 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download

make sure your KeyChain is unlocked @fcbogle. I would also recommend to use KeyChain and look for any localhost certificates.

Hi @wfurt thanks for your comments.
I have done what you suggest (spent hours trying to debug this). Here is the output from my machine. I upgraded my macos to catalina last night. System details and key management output below:

dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 3.1.201
Commit: b1768b4ae7

Runtime Environment:
OS Name: Mac OS X
OS Version: 10.15
OS Platform: Darwin
RID: osx.10.15-x64
Base Path: /usr/local/share/dotnet/sdk/3.1.201/

Host (useful for support):
Version: 3.1.3
Commit: 4a9f85e9f8

.NET Core SDKs installed:
3.1.201 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download

=======================================================================
dotnet dev-certs https --check
No valid certificate found.
dotnet dev-certs https --trust
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <>'
This command might prompt you for your password to install the certificate on the system keychain.
There was an error saving the HTTPS developer certificate to the current user personal certificate store.

dotnet dev-certs https -t -v
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <>'
This command might prompt you for your password to install the certificate on the system keychain.
Listing 'HTTPS' certificates on 'CurrentUser\My'.
Listing 'HTTPS' certificates on 'LocalMachine\My'.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Checking certificates for validity.
Listing valid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Filtering found certificates to those with a subject equal to 'CN=localhost'
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing certificates excluded from consideration.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
No valid certificates present on this machine. Trying to create one.
Saving the certificate into the certificate store.
Error saving the certificate in the certificate store 'CurrentUser\My'.
Exception message: A default keychain could not be found.
There was an error saving the HTTPS developer certificate to the current user personal certificate store.

Any chance you do this via SSH or on system where you are no logged in in the GUI?

I was able to reproduce similar failure when I ssh 127.0.0.1 first and then run same command as same user. Now, when Keychain is locked and app needs access, OS will prompt password dialog to unlock it. That is not possible via SSH (or without GUI session) and the crypto operation will fail.
If this is the case, you need to run security unlock-keychain and that will ask you for login password and it will unlock KeyChain for that session. This part is not specific to Catalina.

I also tried to generate certificate when running as "standard" user and it always fails with complain that user is not in sudden list. It may not be clear what is going on and I'm wondering if we can check this upfront or if we can get better guidance @javiercn.

I missed keychain could not be found. from your post @fcbogle when I wrote my previous response. Can you run security list-keychains and security default-keychain ?
Did you run the KeyChain Access app? You should see at least System and Login keychains there.

Hi @wfurt here is the output of those commands. Thank you for taking a look!
security list-keychains
"/Library/Keychains/System.keychain"
security default-keychain
security: SecKeychainCopyDefault: A default keychain could not be found.

Here is my Keychain:

I think the we are on right track. The list command does not show your login keychain and default is not set. When I run this on my system I get:

$ security list-keychain
    "/Users/furt/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"
$ security default-keychain
    "/Users/furt/Library/Keychains/login.keychain-db" 

now, it is curious that the app is showing Login keychain while the command line tool does not.
If you right click on the Login keychain is there option "Make Default"? And if it is, would that change output of the commands? I did not figure out how to get location of the keychain in gui but making it default may help.

Can you also verify value of HOME environmental variable? When I unset it or point it to a "wrong" location I get same output as you.

$ HOME=/tmp/boo security list-keychain
    "/Library/Keychains/System.keychain"
$ HOME=/tmp/boo security default-keychain
security: SecKeychainCopyDefault: A default keychain could not be found.

Thank you! Ok, I had to fix my $HOME environment variable which is done.
Here is the output now from the previous commands including the $HOME variable

Franks-iMac:~ frankbogle$ echo $HOME
/Users/frankbogle
Franks-iMac:~ frankbogle$ security list-keychain
    ""
    "/Users/frankbogle/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"
Franks-iMac:~ frankbogle$ security default-keychain
    "/Users/frankbogle/Library/Keychains/login.keychain-db"
Franks-iMac:~ frankbogle$

I seem to have a empty string: "" in the keychain. I can't see that in the UI

I would backup your existing keychain and you can try to delete it with security delete-keychain. However, it should be ok to have more KeyChains so you may not bother. Is the dotnet dev-certs https --trust working now for you?
Note that the HOME is used for other things as well - like package cache and other .NET files.

Hi @wfurt - success. Thank you for your help resolving this! I really appreciate your help!
dotnet dev-certs https -t -v Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command: 'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>' This command might prompt you for your password to install the certificate on the system keychain. Listing 'HTTPS' certificates on 'CurrentUser\My'. '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - True Checking certificates for validity. Listing valid certificates '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - True Listing invalid certificates '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Listing 'HTTPS' certificates on 'LocalMachine\My'. '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - False Checking certificates for validity. Listing valid certificates '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - False Listing invalid certificates '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Filtering found certificates to those with a subject equal to 'CN=localhost' '2' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - True CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - False Listing certificates excluded from consideration. '0' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY Found valid certificates present on the machine. '2' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - True CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - False Selected certificate '1' found matching the criteria. SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY CN=localhost - 16CC4B15F0AD8D8B430F55ED03709C13947BD3B7 - 30/03/2020 23:27:02 - 30/03/2021 23:27:02 - True Trying to export the certificate. A valid HTTPS certificate is already present.

I'm glad it worked out. I know it is not always obvious what it is going on and Catalina did not make it easier.

The issue persists on Ubuntu 18.04 while using dotnet-sdk-3.1.201.

If you have problem on Linux, open new issue @ajbozdar. All the discussion here is specific to macOS, Catalina specifically as it has distinct implementation and restrictions.
Only part relevant is that Linux also depends on HOME variable to find location of user certificate store and other .NET files.

For me, the problem is resolved by running the following commands:

• dotnet dev-certs https --clean this will clean HTTPS development certificates from the machine, it may ask you to enter your password.

Then, I run the following command:

• dotnet dev-certs https --trust

And finally, the HTTPS developer certificate was generated successfully

The solution proposed by @javiercn in its batch file worked for me, just replace the password where it belonged and that worked wonderfully! Thank you.

The scripts from @javiercn work smoothly for me as well. Thank you. It took a day for me to solve this.

This solve my problem https://dev.to/cesarcodes/troubleshooting-net-core-dev-certs-on-macos-179d.

Update

Help us troubleshoot this issue

If you are experience this issue, can you try the following things and post your results here?
Verify that the “localhost” identity is actually in the login keychain:
security find-identity -p ssl-server -s localhost ~/Library/Keychains/Login.keychain

Run the command below manually:
sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9 ~/Library/Keychains/Login.keychain

Verify if the key partition entry is present:
security dump-keychain -a ~/Library/Keychains/Login.keychain | grep -sirB 3 -A 1 UBF8T346G9

Collect a sysdiagnose (sudo sysdiagnose) and share it with us privately (Do NOT post the file on this issue)

in relation to #21592 I get this from my key chain
Looking for identities matching "localhost"

Policy: SSL (server)
Matching identities
1) 161E0C4142F4E5230E6AD64BE895E15AF57004B7 "localhost"
1 identities found

Valid identities only
1) 161E0C4142F4E5230E6AD64BE895E15AF57004B7 "localhost"
1 valid identities found
when I visually check I see two certs, one is root CA

the web ui I'm trying to run still fails with cert errors

I run the generate.sh , but it doesn't seem to work

./generate.sh
Generating a 2048 bit RSA private key
......+++
............................................................+++

writing new private key to 'key.pem'

1 identity imported.
Password:
password to unlock /Users/apple/Library/Keychains/login.keychain-db:
keychain: "/Users/apple/Library/Keychains/login.keychain-db"
version: 512
class: 0x00000011
attributes:
0x00000000 =
0x00000001 ="com.apple.AppleMediaServices.mediaToken.macappstore"
0x00000002 =
0x00000003 =
0x00000004 =
0x00000005 =
0x00000006 =
0x00000007 =
0x00000008 =
0x00000009 =0x00000000
0x0000000A =0x00000000
0x0000000B =0x00000000
0x0000000C =
0x0000000D =
0x0000000E =
0x0000000F =
0x00000010 =
0x00000011 =
0x00000012 =
0x00000013 =
0x00000014 =
0x00000015 =
0x00000016 =
0x00000017 =
0x00000018 =
0x00000019 =
0x0000001A =
security: SecKeychainItemCopyAccess: A missing value was detected.

dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 3.1.201
Commit: b1768b4ae7

Runtime Environment:
OS Name: Mac OS X
OS Version: 10.15
OS Platform: Darwin
RID: osx.10.15-x64
Base Path: /usr/local/share/dotnet/sdk/3.1.201/

Host (useful for support):
Version: 3.1.3
Commit: 4a9f85e9f8

.NET Core SDKs installed:
3.0.100 [/usr/local/share/dotnet/sdk]
3.1.200 [/usr/local/share/dotnet/sdk]
3.1.201 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.2 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.17 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.2 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

@XiaroanZhang the step that is failing is the last one, the set-key-partition-list one, so you should be fine if you try to run an app (you'll have to close and reopen the browser)

ok... so, I cleared down again. copied the workaround script into a shell file. closed all browsers and ran the script. hauled up the web ui application in VS4Mac and ran it. it requested access to the key chain (very different behaviour from all previous occasions), which I granted, and voilà... it worked.. so, my thanks to you @javiercn, but it would be great if these things weren't introduced (repeatedly) in the first place (that's a gripe). :) I'll be keeping the script for future reference... ;)

Catalina changes were not .NET choice @thales-man. I know this can be frustrating but we are only trying to keep up.

no, but you are a multi billion dollar organisation trying to get the other same place java was 20 years ago

@XiaroanZhang the step that is failing is the last one, the set-key-partition-list one, so you should be fine if you try to run an app (you'll have to close and reopen the browser)

Thank you so much.👍 It works

Hi all,

I was just having this same issue. I managed to get around it by allows trusting the localhost certificate that is generated after trying to run the application.

You still have to enter your keychain password everytime you try to run, and the terminal will still says that the app fails, but it will actually run in the browser as expected.

Hi all,

I was just having this same issue. I managed to get around it by allows trusting the localhost certificate that is generated after trying to run the application.

You still have to enter your keychain password everytime you try to run, and the terminal will still says that the app fails, but it will actually run in the browser as expected.

run the script by @javiercn in his batch file and the problem will go away. then just wait for a proper fix.

I'm here to confirm that I am also encountering this issue, and I am running on Mojave (10.14.6). What has triggered it is the installation of the 3.1.300 SDK this evening, so that I can run the new Blazor WASM bits. I have been happily developing with local HTTPS during the day, and prior to today. I was previously running SDK 3.1.100.

Diagnosis follows; important to note that I run mostly as a regular user (jim) who is not an admin or in the sudoers file. I run elevated stuff as Administrator/admin. So...

1. I've cleaned out all certs named localhost from the jim user's login keychain. Also removed it from the System keychain.
2. Running as admin I ran dotnet dev-certs https --trust and was prompted for credentials. The command completes successfully.
3. Running the security find-identity ... command as jim, I get 0 identities found, 0 identities matching.
4. Running the security find-identity ... command as admin, I get 1 identities found, 1 valid identities found.
5. The fingerprint shown at 4 matches the fingerprint on the localhost certificate that I can see in Keychain Access on the System keychain (while logged into the Mac desktop as my everyday jim user).
6. I run the sudo security set-key-partition-list ... command as admin, runs successfully.
7. I run the security dump-keychain command... but not sure what I'm looking for, the output is here -> dump-keychain.txt

If I then run a simple Kestrel web server that is configured to listen to HTTPS as admin, then everything is fine.

However if I attempt to do the same as my jim user, I get the following exception:

crit: Microsoft.AspNetCore.Server.Kestrel[0] Unable to start Kestrel. System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date. To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'. For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054. at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)

I would very much like to get back the ability to run HTTPS sites in Kestrel from my regular jim user, as I could prior to SDK 3.1.100. Thanks!

I have a sysdiagnose file that I could share to an appropriately confirmed and secure email address.

One proposal... would it be possible to update dev-certs with an option that doesn't attempt to configure the certificate as shared system-wide (on MacOS at least)? As long as there is a localhost certificate in my Login keychain, then that should be sufficient for local development?

Edit: I've uninstalled the latest version of the SDK and gone back to 3.1.100. I cleared the localhost certificate from system and login keychains of jim and admin. Generated again with dev-cert --trust as admin user. Whilst kestrel runs as jim the browser is being prompted for an untrusted certificate, which I can work around but not ideal.

FWIW. I had this issue too, along with another unrelated issue. I had € sign in my password and after changing my password to only contain, lets say more us ascii friendly characters, both of my problems were solved.

This is still broken. What helps for me is to remove all sdks until i am back on 3.1.100. Which obviously breaks with every update run made by VS.

Does anyone mind fixing this?!

@aspnetde we are working on a solution to this problem.

The latest SDK 5.0-preview4 SDK contains an updated version of the tool that fixes this issue. We have plans to patch the current LTS SDK once we have enough confidence that the new approach doesn't introduce additional issues.

Followed the steps from this link fixed the issue
troubleshoot-certificate-problems

OS X - certificate not trusted

• Open KeyChain Access.
• Select the System keychain.
• Check for the presence of a localhost certificate.
• Check that it contains a + symbol on the icon to indicate it's trusted for all users.
• Remove the certificate from the system keychain.
• Run the following commands:
  dotnet dev-certs https --clean
  dotnet dev-certs https --trust

Nothing from the above posts works. I am using Catalina 10.15.5 with SDK 5.0.100-PREVIEW.6.20318.15

Each time I run the application I am prompted to install the certificate. I enter my password, certificate gets created, but then I get:

_System.InvalidOperationException: "Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.\nTo generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.\nFor more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054."_

Please help!

@ChadNedzlek thanks for letting us know.

Preview6 should actually work, as we switched to a different approach that doesn't have this issue. Can you give us more details about your environment?

Can you make sure that you don't have any localhost certificate in your keychain (not in the user keychain and not in the system keychain), run the tool with dotnet dev-certs https --trust and check the certificates are present on the keychain? (you might need to close and open keychain).

@javiercn Hi Javier, thanks for jumping in. I already did everything, but for troubleshooting sakes I ran it again and results are the same, see below:

1

2

3

4

5

6

7

@ChamaCR Thanks for the details. I suspect you might have an old VS 4 Mac version that is using the 3.1 SDK and that is causing issues as it is installing a second certificate with the old method (which apparently breaks on your machine).

Can you clean your keychain again (sorry for this, I know it's painful) and try to run the app from the command-line? Make sure dotnet --info reflects the preview6 SDK

@javiercn sorry for the delay, yesterday I had some errands to run. I was using latest Visual Studio for Mac version. dotnet --info did show the correct preview6 SDK version.

I ended up deleting VS + SDKs... and I am creating a bootcamp with WIN10 right now :(

@ChamaCR if that ever happens again, you can run the tool from the command-line with --debug and capture a trace with dotnet-trace. That will help us get to the bottom of it in the future.

I am experiencing the same problem. I have just updated to 3.1.301 tonight, previously having 3.1.10x (I can't remember the minor number).

I used the script from https://dotnet.microsoft.com/download/dotnet-core/scripts to install 3.1.301 first, but that didn't seem to set it up in the expected place. I would still see 3.1.10x running. So, I downloaded the package installer and that setup 3.1.301 as expected.

I used dotnet new blazorwasm -o CICalc and then dotnet run. I hit this problem. I had some 2.2.x SDKs installed, so I removed them using the dotnet uninstall tool.

I am unable to get past the stage where it generates the certificate. I can see that there is a certificate setup in the Keychain, but it is not trusted. I have tried the script linked to on this page, but it gives me the same result.

I can change the trusted setting for HTTPS in the keychain, which then allows me to proceed. I am not sure if that does all that the -trust option tries to do. Is this a sufficient workaround or will I encounter other problems?

Other details below.

Thanks,

Neil

macOS 10.15.5

% dotnet --list-sdks
3.1.301 [/usr/local/share/dotnet/sdk]

% dotnet --list-runtimes
Microsoft.AspNetCore.All 2.2.7 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 3.1.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

I have manually deleted the localhost certificate from the Keychain Access.

% dotnet dev-certs https --clean
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
HTTPS development certificates successfully removed from the machine.
% dotnet dev-certs https
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Password:
password to unlock /Users/neil/Library/Keychains/login.keychain-db:
keychain: "/Users/neil/Library/Keychains/login.keychain-db"
version: 512
class: 0x00000011
attributes:
0x00000000 =
0x00000001 ="com.apple.AppleMediaServices.mediaToken.macappstore"
0x00000002 =
0x00000003 =
0x00000004 =
0x00000005 =
0x00000006 =
0x00000007 =
0x00000008 =
0x00000009 =0x00000000
0x0000000A =0x00000000
0x0000000B =0x00000000
0x0000000C =
0x0000000D =
0x0000000E =
0x0000000F =
0x00000010 =
0x00000011 =
0x00000012 =
0x00000013 =
0x00000014 =
0x00000015 =
0x00000016 =
0x00000017 =
0x00000018 =
0x00000019 =
0x0000001A =
security: SecKeychainItemCopyAccess: A missing value was detected.

On the same platform as the previous message, I ran:
% dotnet dev-certs https --verbose

The output was:

Listing 'HTTPS' certificates on 'CurrentUser\My'.
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - C5F12C7AACE0803C8DBCEC2F5B3650D7D8A08056 - 02/07/2020 01:19:42 - 02/07/2021 01:19:42 - True
Checking certificates for validity.
Listing valid certificates
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - C5F12C7AACE0803C8DBCEC2F5B3650D7D8A08056 - 02/07/2020 01:19:42 - 02/07/2021 01:19:42 - True
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing 'HTTPS' certificates on 'LocalMachine\My'.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Checking certificates for validity.
Listing valid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Filtering found certificates to those with a subject equal to 'CN=localhost'
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - C5F12C7AACE0803C8DBCEC2F5B3650D7D8A08056 - 02/07/2020 01:19:42 - 02/07/2021 01:19:42 - True
Listing certificates excluded from consideration.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Failed to make certificate key accessible
Exception message: Error making the key accessible across partitions.
Something went wrong. The HTTPS developer certificate could not be created.

I'm also experiencing the exact same message from @digidol where it tells me a missing value was detected when trying to create the dev-certs via:
% dotnet dev-certs https

I'm also running MacOS Catalina 10.15.5 and the latest Visual Studio w/latest .NET Core SDK 3.1.301.

I may have a potential workaround to get debugging to work in Visual Studio, though. Here's what I did:

1. Open Visual Studio and create a new Web Application (MVC)
2. I selected .NET Core 3.1 and No Authentication (not sure if it makes a difference)
3. Run the project
4. When prompted to Run the dotnet dev-certs https command, click Cancel
5. When asked to run the application anyway, click Run
6. Visual studio should compile and run the code, and open the site in your browser, but the browser will say that the site is not trusted.
7. Click the option in the browser to proceed at your own risk, and tell it to trust the certificate. I needed to enter my password at that point.
8. After that, the site loaded fine and was still linked to the debugger.
9. Each time you want to run the app, you have to click Cancel and then Run, but the browser should remember the certificate is trusted.

Again, not a solution, but seems like a decent workaround, until the bug can be resolved. I hope this helps.

John D.

@jdelano does the script described here not fix the issue for you? https://gist.github.com/javiercn/d04855b7a3581bf97d1ab9597935413f#file-generate-sh

Thanks a lot @javiercn,
One thing; updating the script to remove previously generated localhost certificates would've been nice. If you run the script without removing existing localhost certificate(s), you will end up having multiple certificates and it will not solve the problem.

@ardaozceviz I'm not exactly sure how to do that without risking removing other localhost certificates, that's why I didn't do it. On the same gist there are instructions to remove the certs manually using keychain.

@javiercn Unfortunately, the script does not work either. I get the message that a missing value was detected.

@jdelano Is it when running this command? udo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9 $loginKeyChain; you can ignore it and it should still work. I've taken it out of the script.

@javiercn Okay, but I still get the message in Visual Studio that a valid development cert wasn't found and it needs to run the dev-certs command again. I can click cancel and the app runs, but I'm not sure how different that behavior is from what I posted above in my workaround.

@jdelano did you clean the certificates on the user and system keychain before running the script?

@javiercn Okay, I went through all the steps again, and this time it worked! I'm not sure what I missed earlier, though. Really weird. Thanks for the script, though!

@jdelano no problem, this issue should be fixed in the latest previews of .NET Core 5.0 and we'll hopefully backport it to 3.1 once we have validated it doesn't break other people.

Visual Studio fixed certificates for me after reinstallation, it just asked for AppStore password

What I noticed is that no matter how many times I run dotnet dev-certs https --clean; dotnet dev-certs https --trust it wouldn't fix the issue until I re-installed the dotnet core sdk. So I'm doing active development for two client projects - one using dotnet core 2.2 and another using dotnet core 3.1. It seems that a valid trusted localhost certificate installed using one sdk won't work in another. Re-issuing the certificate, restarting the machine, doesn't do anything. The only thing that helps was to re-install the relevant sdk each time I switch projects. It seems that Microsoft has some bug in that the sdks can't share the dotnet-dev-certs tool, and installing one sdk overwrites some files in dotnet-dev-certs. It doesn't seem very robustly built.

Hi! I'm facing the same issue, and I can't get the correct way to the solution.

macOS Catalina 10.15.6

dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 3.1.302
Commit: 41faccf259

Runtime Environment:
OS Name: Mac OS X
OS Version: 10.15
OS Platform: Darwin
RID: osx.10.15-x64
Base Path: /usr/local/share/dotnet/sdk/3.1.302/

Host (useful for support):
Version: 3.1.6
Commit: 3acd9b0cd1

.NET Core SDKs installed:
3.1.302 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.1.6 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.20 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.6 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download

I've already delete the "localhost" certificate from the keychain UI.

When I run:

security list-keychains
"/Users/fabrizio/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"

security default-keychain
"/Users/fabrizio/Library/Keychains/login.keychain-db"

That looks good, but when I try to create the certificate, I can't

And about the info:
dotnet dev-certs https -t -v
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <>'
This command might prompt you for your password to install the certificate on the system keychain.
Listing 'HTTPS' certificates on 'CurrentUser\My'.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Checking certificates for validity.
Listing valid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing 'HTTPS' certificates on 'LocalMachine\My'.
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A9F70404AAE7E48F17B9781A71FA01CFD1FB7323 - 07/21/2020 20:47:47 - 07/21/2021 20:47:47 - False
Checking certificates for validity.
Listing valid certificates
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A9F70404AAE7E48F17B9781A71FA01CFD1FB7323 - 07/21/2020 20:47:47 - 07/21/2021 20:47:47 - False
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Filtering found certificates to those with a subject equal to 'CN=localhost'
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A9F70404AAE7E48F17B9781A71FA01CFD1FB7323 - 07/21/2020 20:47:47 - 07/21/2021 20:47:47 - False
Listing certificates excluded from consideration.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Found valid certificates present on the machine.
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A9F70404AAE7E48F17B9781A71FA01CFD1FB7323 - 07/21/2020 20:47:47 - 07/21/2021 20:47:47 - False
Selected certificate
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A9F70404AAE7E48F17B9781A71FA01CFD1FB7323 - 07/21/2020 20:47:47 - 07/21/2021 20:47:47 - False
Trying to export the certificate.

Thanks in advance