Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ description: Configure HTTPS endpoints and certificate trust for Aspire resource
---

import { Aside, Tabs, TabItem } from '@astrojs/starlight/components';
import OsAwareTabs from '@components/OsAwareTabs.astro';

Aspire provides two complementary sets of certificate APIs:

Expand Down Expand Up @@ -36,7 +37,31 @@ Many of the certificate features in Aspire rely on a development certificate. Be

### Using the Aspire CLI (recommended)

The preferred way to manage the development certificate is to use the [Aspire CLI](/get-started/install-cli/). When you run `aspire run`, the CLI automatically ensures the development certificate is created and trusted. No additional manual steps are required.
The preferred way to manage the development certificate is to use the [Aspire CLI](/get-started/install-cli/). When you run `aspire run` in an interactive session, the CLI automatically ensures the development certificate is created and trusted. No additional manual steps are required.

For non-C# AppHosts (such as [TypeScript](/app-host/typescript-apphost/) or Python AppHosts), the `dotnet` first-run experience that normally creates the HTTPS development certificate never runs, because these AppHosts launch a prebuilt native binary instead of invoking `dotnet`. The Aspire CLI fills this gap when `aspire run` starts and no development certificate exists:

- In an interactive session—and on Linux, where establishing trust doesn't require a prompt—the CLI creates *and* trusts the certificate, just as it does for C# AppHosts.
- In a non-interactive session on macOS or Windows (for example, in CI), the CLI can't show the macOS Keychain password prompt or the Windows trust dialog, so it *generates* the certificate without trusting it. This lets servers such as Kestrel load the certificate from the personal store, even though it isn't trusted. If the certificate can't be generated, a warning is displayed and the run continues.

To opt out of automatic certificate generation, set the `ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE` environment variable to `false`. This mirrors the .NET SDK's `DOTNET_GENERATE_ASPNET_CERTIFICATE` opt-out:

<OsAwareTabs syncKey="terminal">
<div slot="unix">

```bash title="Disable automatic HTTPS certificate generation"
ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE=false aspire run
```

</div>
<div slot="windows">

```powershell title="Disable automatic HTTPS certificate generation"
$env:ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE="false"; aspire run
```

</div>
</OsAwareTabs>

You can also manage certificates explicitly with the Aspire CLI:

Expand Down
Loading