sp-dev-docs

SPFX Error - [trust-cert] CertUtil Error

Open WymerDev opened this issue 2 years ago • 21 comments

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

  • [ ] 💥 Internet Explorer
  • [X] 💥 Microsoft Edge
  • [ ] 💥 Google Chrome
  • [ ] 💥 FireFox
  • [ ] 💥 Safari
  • [ ] mobile (iOS/iPadOS)
  • [ ] mobile (Android)
  • [ ] not applicable
  • [ ] other (enter in the "Additional environment details" area below)

Additional environment details

Describe the bug / error

I have been getting this error after trying to execute gulp trust-dev-cert on a new web part project and haven't been able to fix it, please kindly help. I followed the set up process here https://learn.microsoft.com/en-us/sharepoint/dev/spfx/set-up-your-development-environment and also tried in my other PC but still throws the same error. I am executing this statement from the webpart solution folder. It does give me the Certificate installation prompt for localhost and after the error is thrown, it creates rushstack-serve.key, rushstack-serve.pem files in .rushstack folder. Here is the error: image

Thank you.

Steps to reproduce

  1. Install node v16.13.0
  2. Install gulp cli, Yeoman and SharePoint generator
  3. Create webpart with the generator scaffolding
  4. Run gulp trust-dev-cert

Expected behavior

certificate successfully installed and running gulp serve would bring up the workspace

WymerDev avatar Sep 07 '23 18:09 WymerDev

Hi @WymerDev , I just tried to repro this locally but didn't see the issue.

Are you seeing an issue when you actually do a gulp serve and test on a SharePoint page (e.g. workbench)? You would basically see an error around non-https resources being attempted to be loaded.

Can you try running gulp untrust-dev-cert and then retry gulp trust-dev-cert?

Last, the prompt should elevate, but it may be worth trying to run command prompt with Run As Administrator before running the gulp trust-dev-cert command.

nick-pape avatar Sep 11 '23 16:09 nick-pape

Hi @nick-pape I get this before doing gulp serve and when I execute this command it just throws this error "The existing development certificate is not currently trusted by your system. Untrust the certificate and generate a new one, or set the canGenerateNewCertificate parameter to true when calling ensureCertificateAsync." I have tried gulp untrust-dev-cert and then retry gulp trust-dev-cert but I keep getting the same CertUtil Error with Task errors:1. And yes I am using Windows PowerShell with elevated perms (Admin).

Thank you for looking into it.

WymerDev avatar Sep 11 '23 16:09 WymerDev

Looking into the error further... The code for this task is public here. It uses the CertificateManager from rushstack here.

The error looks like it is written here when setting the friendly name.

I see several issues with this code:

  1. The code is writing the (empty) stderr from certutil.exe to stderr, which overall makes SPFx build tools believe this task has failed, despite this step appearing to be "optional".
  2. We aren't writing certutil.exe's stdout anywhere, which makes this issue hard to debug.
  3. The code that is calling _trySetFriendlyNameAsync is lacking an await (here: https://github.com/microsoft/rushstack/blame/main/libraries/debug-certificate-manager/src/CertificateManager.ts#L746). So the warning specific to this step isn't appearing.

1st - learn why setting friendly name is failing

Can you try opening the node_modules/@rushstack/debug-certificate-manager/lib/CertificateManager.js locally and adding the following line:

image

Then run gulp trust-dev-cert --verbose and post the output.

This should give us an idea why setting friendly name is failing. If we can resolve that issue first you will be unblocked sooner than waiting for a code change.


2nd - update the following 2 lines and see if you are able to serve via https

After doing step 1 above.

Change both lines to be a warning instead of an error: image

Add an await where this is called:

image

Run gulp trust-dev-cert --verbose twice. The first time you should see the warning. The second time you should see something like:

image

Then run gulp serve and test out the webpart on the workbench and post any errors you get (would be relating to https).

nick-pape avatar Sep 12 '23 15:09 nick-pape
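
The first two problems listed in the comment above (success judged from stderr instead of exit status, and stdout discarded), as an added JavaScript example that is not rushstack's code. `classifyToolResult` and `runTool` are hypothetical names, the result shape is that of Node's `child_process.spawnSync`, and the sample result is constructed; it also covers the case where the executable cannot be started at all.

```javascript
// Added example (not rushstack code): decide success from the exit status
// and keep stdout, since in this thread the certutil diagnostic was on
// stdout while stderr was empty.
const { spawnSync } = require('child_process');

// Pure classifier, so it can be exercised without certutil being present.
// `result` has the shape returned by child_process.spawnSync.
function classifyToolResult(result, { optional = false } = {}) {
  const stdout = (result.stdout || '').toString().trim();
  const stderr = (result.stderr || '').toString().trim();

  // The executable could not be started at all (for example, not on PATH).
  if (result.error) {
    return {
      level: 'error',
      reason: 'spawn-failed',
      detail: `${result.error.code || 'UNKNOWN'}: ${result.error.message}`
    };
  }
  // Exit status is the success signal; an empty stderr proves nothing,
  // and writing an empty stderr to the build log only creates a false error.
  if (result.status === 0) {
    return { level: 'ok', reason: 'exit-0', detail: stdout };
  }
  // Non-zero exit: surface whichever stream carries the diagnostic.
  // An optional step (such as setting a friendly name) degrades to a warning.
  return {
    level: optional ? 'warning' : 'error',
    reason: `exit-${result.status}`,
    detail: stderr || stdout || '(no output)'
  };
}

// Hypothetical wrapper: run the tool synchronously and classify the result.
function runTool(command, args, options) {
  const result = spawnSync(command, args, { encoding: 'utf8', windowsHide: true });
  return classifyToolResult(result, options);
}

// Constructed result mirroring the thread: non-zero exit, empty stderr.
console.log(classifyToolResult({
  status: 1,
  stdout: 'CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND)',
  stderr: ''
}, { optional: true }));
```
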

Hi @nick-pape. Thank you for the steps. I updated the js file as advised and followed the steps to get these output below:

1st (adding stdout line):

[11:48:48] Starting 'trust-dev-cert'...
[11:48:48] Starting gulp
[11:48:48] Starting subtask 'trust-cert'...
[11:48:48] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog.
[11:48:50] [trust-cert] Successfully trusted development certificate.
[11:48:50] Finished subtask 'trust-cert' after 2.47 s
[11:48:50] Finished 'trust-dev-cert' after 2.47 s
[11:48:50] Error - [trust-cert] CertUtil Error:
[11:48:50] Error - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

[11:48:51] ==================[ Finished ]==================
Error - [trust-cert] CertUtil Error:
Error - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.
[11:48:51] Suppressing - Warning - [sass] The local CSS class 'ms-Grid' is not camelCase and will not be type-safe.
[11:48:51] Project hw-web-part-1 version:0.0.1
[11:48:51] Build tools version:3.17.20
[11:48:51] Node version:v16.13.0
[11:48:51] Total duration:5.56 s
[11:48:51] Task errors:2

2nd: 1 - Update to warning, adding await, 1st run

[12:27:00] Starting 'trust-dev-cert'...
[12:27:00] Starting gulp
[12:27:00] Starting subtask 'trust-cert'...
[12:27:00] [trust-cert] The development certificate was not found in the store. CertUtil error:
[12:27:00] Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one.
[12:27:01] [trust-cert] Successfully untrusted development certificate.
[12:27:01] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog.
[12:27:03] [trust-cert] Successfully trusted development certificate.
[12:27:03] Warning - [trust-cert] CertUtil Error:
[12:27:03] Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

[12:27:03] Warning - [trust-cert] Unable to set the certificate's friendly name.
[12:27:03] Finished subtask 'trust-cert' after 2.55 s
[12:27:03] Finished 'trust-dev-cert' after 2.55 s
[12:27:03] ==================[ Finished ]==================
Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one.
Warning - [trust-cert] CertUtil Error:
Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

Warning - [trust-cert] Unable to set the certificate's friendly name.
[12:27:04] Suppressing - Warning - [sass] The local CSS class 'ms-Grid' is not camelCase and will not be type-safe.
[12:27:04] Project hw-web-part-1 version:0.0.1
[12:27:04] Build tools version:3.17.20
[12:27:04] Node version:v16.13.0
[12:27:04] Total duration:5.68 s
[12:27:04] Task warnings:4

2nd: 2 - Update to warning, adding await, 2nd run

[12:29:41] Starting 'trust-dev-cert'...
[12:29:41] Starting gulp
[12:29:41] Starting subtask 'trust-cert'...
[12:29:41] [trust-cert] The development certificate was not found in the store. CertUtil error:
[12:29:41] Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one.
[12:29:41] [trust-cert] Successfully untrusted development certificate.
[12:29:41] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog.
[12:29:43] [trust-cert] Successfully trusted development certificate.
[12:29:43] Warning - [trust-cert] CertUtil Error:
[12:29:43] Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

[12:29:43] Warning - [trust-cert] Unable to set the certificate's friendly name.
[12:29:43] Finished subtask 'trust-cert' after 2.54 s
[12:29:43] Finished 'trust-dev-cert' after 2.54 s
[12:29:44] ==================[ Finished ]==================
Warning - [trust-cert] The existing development certificate is not currently trusted by your system. Attempting to untrust the certificate and generate a new one.
Warning - [trust-cert] CertUtil Error:
Warning - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.

Warning - [trust-cert] Unable to set the certificate's friendly name.
[12:29:44] Suppressing - Warning - [sass] The local CSS class 'ms-Grid' is not camelCase and will not be type-safe.
[12:29:44] Project hw-web-part-1 version:0.0.1
[12:29:44] Build tools version:3.17.20
[12:29:44] Node version:v16.13.0
[12:29:44] Total duration:5.7 s
[12:29:44] Task warnings:4

I didn't get the one like in your screenshot and didn't notice any change between the 1st and the 2nd runs.

3rd - running gulp serve

Build target: DEBUG
[12:38:16] Using gulpfile C:\SPFX\HWWebPart1\gulpfile.js
[12:38:16] Starting 'serve'...
[12:38:16] Starting gulp
[12:38:16] Starting subtask 'spfx-serve'...
[12:38:16] [spfx-serve] To load your scripts, use this query string: ?debug=true&noredir=true&debugManifestsFile=https://localhost:4321/temp/manifests.js
[12:38:17] Error - 'spfx-serve' sub task errored after 343 ms The existing development certificate is not currently trusted by your system. Untrust the certificate and generate a new one, or set the canGenerateNewCertificate parameter to true when calling ensureCertificateAsync.
[12:38:17] 'serve' errored after 349 ms
[12:38:17] About to exit with code: 1
Process terminated before summary could be written, possible error in async code not continuing!
Trying to exit with exit code 1

My local CertificateManager.js updated snippet:

image image

Hope the verbose error messages can help. Thank you.

WymerDev avatar Sep 12 '23 20:09 WymerDev

Interesting, so the deeper cause here is that the certificate that is trying to be updated with a friendly name isn't being found. That means there must be a hidden error occurring when trying to install the certificate.

nick-pape avatar Sep 14 '23 14:09 nick-pape

@nick-pape Checking to see if this issue is indeed a bug and is awaiting resolution? Meanwhile are there any another/older working versions so I can work on SPFX development? Thank you.

WymerDev avatar Sep 28 '23 18:09 WymerDev

@WymerDev Please try adding "C:\Windows\System32" in your environment variables and then it should work.

AkshayKishorChauhan avatar Oct 01 '23 12:10 AkshayKishorChauhan

@AkshayKishorChauhan I see that it's already there in the Env. variables, under system.. image Thank you.

WymerDev avatar Oct 02 '23 08:10 WymerDev

I tried this but still get this error: please help me
[01:08:08] Error - 'spfx-serve' sub task errored after 220 ms No development certificate found. Generate a new certificate manually, or set the canGenerateNewCertificate parameter to true when calling ensureCertificateAsync.
[01:08:08] 'serve' errored after 226 ms

poojakadam19 avatar Oct 08 '23 19:10 poojakadam19

@iclanton @AkshayKishorChauhan were you able to make any further progress on this? Definitely seems like a tooling issue.

nick-pape avatar Oct 23 '23 16:10 nick-pape

@nick-pape What is the version of @rushstack/debug-certificate-manager you are using in your solution? Can we use an older version to avoid this issue? Waiting is always agonizing.

Haiqi-Wu avatar Dec 06 '23 07:12 Haiqi-Wu

Was there ever a resolution to this? I am running into this error in 2024.

2 noteworthy things have changed, for me personally...

  1. Our company is now using ThreatLocker on all machines
  2. I recently got a new laptop, and had to reinstall the dev toolchain, within ThreatLocker.

ThreatLocker has made it a pain in the butt to get to the point I am now... but after resolving an array of issues, I think this is the only hurdle I have left.

tayram avatar Nov 13 '24 17:11 tayram

I am still seeing the same error in 03/24/2025

Image

and after I did the solution above I found:

Image

hillal20 avatar Mar 24 '25 21:03 hillal20

Image

hillal20 avatar Mar 25 '25 20:03 hillal20

I'm also getting this error after having set up a new developer machine on Windows 11. Definitely something fishy going on.

juliemturner avatar Apr 30 '25 15:04 juliemturner

Hi folks, based on the error above it seems like the current user may lack permissions to install the certificate to the trusted root authorities list. There's 2 things we can check here:

Manually install the certificate

  1. Run gulp trust-dev-cert
  2. Before clicking "Yes" to install the certificate, navigate to node_modules\@rushstack\debug-certificate-manager\temp and copy the .pem file somewhere.

Image

  1. Open certmgr.msc
  2. Open “Trusted Root Certification Authorities” in the left panel
  3. Right-click on “Certificates” under the “Trusted Root Certification Authorities” and choose “All Tasks,” then “Import.”
  4. Import the PEM certificate you copied earlier.

Check group policy

If the above fails, it seems like there may be a group policy setting that prevents user-installed certificates in the root certificate authority. Try following this and see if the setting group policy is perhaps missing or configured differently: https://serverfault.com/questions/1008035/unable-to-import-certificate-into-user-trusted-root-certificate-store

nick-pape avatar Apr 30 '25 16:04 nick-pape

@nick-pape I don't think this addresses the original issue of this thread, which is what I was seeing, which is that it cannot find the CertUtil file. For my situation I was able to finally solve it by a, making sure I had run the Yeoman generator for an spfx project and was in that root folder, and then even though my environment variable path said that c:\windows\system32 was there, I needed to manually add it to the console I was using... in my case PowerShell but you can also do it for command prompt

PowerShell:

$env:Path += ";C:\windows\system32\"

Cmd:

SET PATH=%PATH%;C:\windows\system32\

Then when I ran trust-dev-cert it was able to find certutil and everything registered correctly.

juliemturner avatar Apr 30 '25 20:04 juliemturner

@WymerDev, Just following up on the issue.

Have you been able to resolve the problem?

Ashlesha-MSFT avatar Jul 16 '25 12:07 Ashlesha-MSFT

I think I did, I just forgot to enter that terminal instance as an admin.

But to be honest, it was brutal to debug the issue if someone is new and he doesn't know how Node.js works. I had to comment out tons of code to get it working until I found an alternative solution.

It was a stupid mistake.


hillal20 avatar Jul 17 '25 13:07 hillal20

Just want to add my solution for one of the possible reasons causing such an issue:

gulp trust-dev-cert --verbose

=>


Build target: DEBUG
Found config file: sass.json
Found config file: serve.json
Found config file: deploy-azure-storage.json
Found config file: package-solution.json
[15:18:28] Using gulpfile My_PATH\gulpfile.js
[15:18:28] Starting 'trust-dev-cert'...
[15:18:28] Starting gulp
[15:18:28] Starting subtask 'trust-cert'...
[15:18:28] [trust-cert] Attempting to trust a development certificate. This self-signed certificate only points to localhost and will be stored in your local user profile to be used by other instances of debug-certificate-manager. If you do not consent to trust this certificate, click "NO" in the dialog.
[15:18:28] Error - [trust-cert] Error: root "Trusted Root Certification Authorities"
,Signature matches Public Key
,CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
,CertUtil: Access is denied.

[15:18:28] Error - [trust-cert] Certificate trust failed with an unknown error.
[15:18:28] Error - 'trust-cert' sub task errored after 605 ms
 Error: Error trusting development certificate.
    at TrustCertTask.executeTask (My_PATH\node_modules\@microsoft\gulp-core-build-serve\lib\TrustCertTask.js:26:19)
[15:18:28] 'trust-dev-cert' errored after 612 ms
[15:18:28] Error: Error trusting development certificate.
    at TrustCertTask.executeTask (My_PATH\node_modules\@microsoft\gulp-core-build-serve\lib\TrustCertTask.js:26:19)
About to exit with code: 1
Process terminated before summary could be written, possible error in async code not continuing!
Trying to exit with exit code 1

eventually what helped:

for HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots key give at least read rights for MachineName\Administrators, found here

tivanchuk-hawe avatar Aug 20 '25 14:08 tivanchuk-hawe
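
The failure messages posted across this thread point to different causes, so it helps to triage `gulp trust-dev-cert --verbose` output before trying fixes. The following is an added JavaScript example, not code from SPFx or rushstack: the signature list is built only from messages quoted in this thread, the hints repeat the remedies suggested in its comments, and `triage`, `SIGNATURES` and `SAMPLE_LOG` are hypothetical names.

```javascript
// Added example, not project code: triage `gulp trust-dev-cert --verbose`
// output using only the failure signatures quoted in this thread.
const SIGNATURES = [
  { id: 'addstore-access-denied',
    pattern: /-addstore command FAILED: 0x80070005/,
    hint: 'Writing to the user root store was denied: check that the shell is ' +
          'elevated, the ACL on HKCU\\Software\\Microsoft\\SystemCertificates\\' +
          'Root\\ProtectedRoots, and group policy for user root certificates.' },
  { id: 'repairstore-not-found',
    pattern: /-repairstore command FAILED: 0x80090011/,
    hint: 'The friendly-name step could not find the certificate, so the ' +
          'earlier install did not place it in the store.' },
  { id: 'cert-not-trusted',
    pattern: /existing development certificate is not currently trusted/,
    hint: 'Run gulp untrust-dev-cert, then gulp trust-dev-cert again.' },
  { id: 'cert-missing',
    pattern: /No development certificate found/,
    hint: 'No certificate has been generated; run gulp trust-dev-cert first.' }
];

const GULP_STAMP = /\[\d{2}:\d{2}:\d{2}\]/g;

function triage(logText) {
  const findings = [];
  for (const sig of SIGNATURES) {
    // gulp repeats each error in its end-of-run summary, so count all hits
    // but report the signature once.
    const hits = [...logText.matchAll(new RegExp(sig.pattern.source, 'g'))];
    if (hits.length === 0) continue;
    // Works on flattened logs too: take the last timestamp before the hit.
    const stamps = logText.slice(0, hits[0].index).match(GULP_STAMP);
    findings.push({
      id: sig.id,
      count: hits.length,
      firstSeen: stamps ? stamps[stamps.length - 1] : null,
      offset: hits[0].index,
      hint: sig.hint
    });
  }
  findings.sort((a, b) => a.offset - b.offset);
  // "Successfully trusted" followed by NTE_NOT_FOUND means the success line
  // cannot be relied on as proof that the certificate is in the store.
  const contradicted = /Successfully trusted development certificate/.test(logText) &&
    findings.some((f) => f.id === 'repairstore-not-found');
  return { findings, contradicted };
}

// Shortened excerpt of the output posted earlier in this thread.
const REPAIR_FAIL = 'Error - [trust-cert] CertUtil Error: root "Trusted Root Certification Authorities" ' +
  'CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) CertUtil: Object was not found.';
const SAMPLE_LOG = [
  '[11:48:50] [trust-cert] Successfully trusted development certificate.',
  '[11:48:50] ' + REPAIR_FAIL,
  '[11:48:51] ==================[ Finished ]==================',
  REPAIR_FAIL
].join('\n');

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```
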

If the issue is resolved, can we go ahead and close the issue?

Ashlesha-MSFT avatar Oct 07 '25 08:10 Ashlesha-MSFT