From 78fb4e2ef403bb52119436845cbf24c4ccbbc3de Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 20 Dec 2025 00:57:25 +0000
Subject: [PATCH 1/2] Initial plan
From a638666556adf833591e5fc927eaeec614c94739 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 20 Dec 2025 01:04:59 +0000
Subject: [PATCH 2/2] Filter out dev certs without X509SubjectKeyIdentifierExtension when any cert has it
Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
---
 .../DeveloperCertificateService.cs | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/Aspire.Hosting/DeveloperCertificateService.cs b/src/Aspire.Hosting/DeveloperCertificateService.cs
index 1b13ab0ebc4..bb8a570272a 100644
--- a/src/Aspire.Hosting/DeveloperCertificateService.cs
+++ b/src/Aspire.Hosting/DeveloperCertificateService.cs
@@ -33,11 +33,22 @@ public DeveloperCertificateService(ILogger logger,
 // so we want to ensure the certificate that will be used by ASP.NET Core is the first one in the bundle.
 // Match the ordering logic ASP.NET Core uses, including DateTimeOffset.Now for current time: https://github.com/dotnet/aspnetcore/blob/0aefdae365ff9b73b52961acafd227309524ce3c/src/Shared/CertificateGeneration/CertificateManager.cs#L122
 var now = DateTimeOffset.Now;
+
+ // Get all valid ASP.NET Core development certificates
+ var validCerts = store.Certificates
+ .Where(c => c.IsAspNetCoreDevelopmentCertificate())
+ .Where(c => c.NotBefore <= now && now <= c.NotAfter)
+ .ToList();
+
+ // If any certificate has a Subject Key Identifier extension, exclude certificates without it
+ if (validCerts.Any(c => c.HasSubjectKeyIdentifier()))
+ {
+ validCerts = validCerts.Where(c => c.HasSubjectKeyIdentifier()).ToList();
+ }
+
 // Take the highest version valid certificate for each unique SKI
 devCerts.AddRange(
- store.Certificates
- .Where(c => c.IsAspNetCoreDevelopmentCertificate())
- .Where(c => c.NotBefore <= now && now <= c.NotAfter)
+ validCerts
 .GroupBy(c => c.Extensions.OfType().FirstOrDefault()?.SubjectKeyIdentifier)
 .SelectMany(g => g.OrderByDescending(c => c.GetCertificateVersion()).ThenByDescending(c => c.NotAfter).Take(1))
 .OrderByDescending(c => c.GetCertificateVersion()).ThenByDescending(c => c.NotAfter));
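Review bot: The new Subject Key Identifier filter removes certificates from the development trust bundle without leaving any trace, so when a dev certificate that is still in the store stops being trusted nothing points back to this branch. Inside the `if (validCerts.Any(c => c.HasSubjectKeyIdentifier()))` block, consider capturing the count before filtering and emitting something like `logger.LogDebug("Ignoring {Count} development certificate(s) without a Subject Key Identifier", before - validCerts.Count);`, using the `logger` constructor parameter visible in the hunk header. The comment above the branch says what is excluded but not why; a one-line reason would let the next reader judge whether the fallback to SKI-less certificates is still wanted. `HasSubjectKeyIdentifier()` is defined outside this hunk, so it is worth confirming that it tests the same condition as the `GroupBy` key a few lines below (`...FirstOrDefault()?.SubjectKeyIdentifier`); if the two can disagree, a certificate that passes the filter could still fall into the null-key group. The constructor body starts before and continues past the hunk, so how `devCerts` is consumed afterwards is not visible here.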