
Ruxo Zheng

Use Your Machine Name (Not Just localhost) with HTTPS on ASP.NET Core — and Make Node.js Trust It

When you run dotnet dev-certs https --trust, .NET creates and trusts a localhost-only developer certificate. That’s great for https://localhost:1234, but it won’t cover https://my-machine:1234.

If you want to reach your service by machine name (e.g., https://my-machine:7164) you need to create your own self-signed certificate that lists all the names you’ll use (machine name, localhost, and optionally 127.0.0.1) and then configure Kestrel to use it. You’ll also need to trust that certificate for browsers — and tell Node.js how to trust it.

Below are clean, copy-pasteable steps for Windows/PowerShell.


1) Create a self-signed certificate (.pfx) for your machine name

# Names you want this cert to cover (add/remove as needed)
# Note: -DnsName records every entry, including 127.0.0.1, as a DNS-type SAN
$dns = @("my-machine", "localhost", "127.0.0.1")

# Create a leaf certificate in CurrentUser\My
$cert = New-SelfSignedCertificate -DnsName $dns -CertStoreLocation Cert:\CurrentUser\My

# Export a PFX with a password (change YOUR-PASSWORD and FILENAME)
$pfxPassword = ConvertTo-SecureString "YOUR-PASSWORD" -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath "$env:USERPROFILE\FILENAME.pfx" -Password $pfxPassword

Tip: Keep localhost and 127.0.0.1 in the SAN list so existing tooling continues to work.


2) (Optional) Replace the default dotnet dev-certs certificate

If you want your new cert to become the default dev cert:

dotnet dev-certs https --clean `
  --import "$env:USERPROFILE\FILENAME.pfx" `
  -p YOUR-PASSWORD --trust

3) Or: Point Kestrel to your PFX in appsettings.json

If you don’t want to replace the global dev cert, configure your app explicitly:

{
  "Kestrel": {
    "Certificates": {
      "Default": {
        "Path": "C:/Users/USER/FILENAME.pfx",
        "Password": "YOUR-PASSWORD"
      }
    }
  }
}

4) Trust the certificate (for browsers)

Export a .cer (public cert) from the cert you created, then import it into Trusted Root Certification Authorities for Current User.

$cer = "$env:USERPROFILE\FILENAME.cer"

# Export the public part of the certificate to .cer
Export-Certificate -Cert $cert -FilePath $cer

# Import into CurrentUser\Root (Trusted Root)
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root

Recommendation: Do not generate directly into the Trust store. Create the cert in CurrentUser\My, then export/import. Your actual private key lives with the leaf cert; keeping the flow explicit reduces mistakes.


5) Make it work with Node.js

Node.js 22.x

Node 22 does not use the Windows trust store by default, and NODE_EXTRA_CA_CERTS expects a PEM file, so it won’t accept the binary (DER-encoded) .cer that Export-Certificate wrote in step 4. Convert the .cer to .pem and point NODE_EXTRA_CA_CERTS at the result:

# Convert CER -> PEM (Base64)
certutil -encode C:\Users\USER\FILENAME.cer C:\Users\USER\FILENAME.pem

# For the current PowerShell session:
$env:NODE_EXTRA_CA_CERTS = "C:\Users\USER\FILENAME.pem"

# Or persist for new shells:
# setx NODE_EXTRA_CA_CERTS "C:\Users\USER\FILENAME.pem"

node

Now fetch("https://my-machine:7164/...") should stop complaining about a self-signed certificate.

Node.js 23.8+

Newer Node supports using the OS trust store directly:

node --use-system-ca your-script.js

6) Deleting the certificate later

If you still have the $cert object from creation:

$thumb = $cert.Thumbprint

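# Remove from CurrentUser\My and delete the private key as well
Remove-Item "Cert:\CurrentUser\My\$thumb" -DeleteKey -Force
# The public copy imported into Cert:\CurrentUser\Root in step 4 is a separate
# store entry with the same thumbprint; this command does not remove it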

(If you no longer have $cert, find it by subject/issuer in Cert:\CurrentUser\My and remove by thumbprint.)


Common Gotchas

  • Name mismatch: The URL’s host must be listed in the certificate’s DNS names (SAN). If you access https://my-machine:7164, my-machine must be in the cert.
  • Node still failing: On Node 22, ensure NODE_EXTRA_CA_CERTS points to a PEM file, not .cer. Restart the shell or set it in the same session.
  • Browser trust: Make sure you imported the public cert into Current User → Trusted Root Certification Authorities.
  • Paths: Use absolute Windows paths for Kestrel’s "Path".

Summary

  • Generate a self-signed PFX with SANs for my-machine, localhost, and 127.0.0.1.
  • Either import it as the global dev cert or reference it in Kestrel.
  • Export the .cer and import it into Trusted Root so browsers trust it.
  • For Node: use NODE_EXTRA_CA_CERTS with a .pem (Node 22) or --use-system-ca (Node 23.8+).

This setup lets you develop and test HTTPS endpoints using your machine name, avoiding the limitations of dotnet dev-certs’ default localhost scope.
