
EF Core 7 SQL Server Certificate Trust Exception

Problem Statement

When upgrading to Entity Framework Core 7, developers frequently encounter a certificate verification error during SQL Server connections, especially in development environments. The error message you'll see is:

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

This issue occurs even when:

  • Working with SQL Server Developer Edition on a local machine
  • Attempting to disable encryption in Visual Studio Server Explorer
  • Not having a specific certificate installed

The problem stems from a security improvement in EF Core 7 that changes the default encryption behavior for SQL Server connections.

Why this changed in EF Core 7

Prior to Entity Framework Core 7, the default encryption behavior was Encrypt=False. EF Core 7+ changes the default to Encrypt=True, requiring proper server certificate validation.

Causes of the Certificate Trust Exception

  • Default encryption is now enabled with Encrypt=True in EF Core 7+
  • Development SQL Server instances typically use self-signed certificates not trusted by client machines
  • The client cannot verify the certificate chain when encryption is enabled
  • Trust settings don't automatically apply to programmatic connections via EF Core

Optimal Development Solution: TrustServerCertificate=True

Add TrustServerCertificate=True to your connection string to skip certificate validation while keeping the connection encrypted. The traffic is still encrypted, but the client no longer verifies the server's identity, so this resolves the trust error for development use only.

In JSON Configuration (appsettings.json)

json
{
  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=YourDb;Trusted_Connection=True;TrustServerCertificate=True;"
  }
}

In DbContext Configuration

csharp
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
    optionsBuilder.UseSqlServer(
        "Server=your_server;Database=your_db;Trusted_Connection=True;TrustServerCertificate=True;"
    );
}

Alternative Solution: Disable Encryption

Use Encrypt=False to revert to pre-EF Core 7 behavior. Only recommended for local development if TrustServerCertificate=True somehow fails.

json
{
  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=YourDb;Trusted_Connection=True;Encrypt=False;"
  }
}

Avoid This in Production

Always use properly validated certificates for production environments. Neither TrustServerCertificate=True nor Encrypt=False should be used in production.

Detailed Explanation of Solutions

json
// appsettings.json modification:
{
  "ConnectionStrings": {
    "SqlServer": "Data Source=localhost;Initial Catalog=YourDB;Integrated Security=True;TrustServerCertificate=True"
  }
}

csharp
// DbContext configuration:
services.AddDbContext<AppDbContext>(options => 
    options.UseSqlServer(
        Configuration.GetConnectionString("SqlServer"),
        sqlOptions => sqlOptions.EnableRetryOnFailure()
    )
);

Why These Solutions Work

| Setting | Security Level | Description |
|---|---|---|
| TrustServerCertificate=True | ⚠️ Medium | Maintains encryption but skips certificate chain validation |
| Encrypt=False | 🔴 Low | Disables encryption entirely - no protection |
| Valid certificate | ✅ High (Recommended) | Proper certificate from trusted authority |

TrustServerCertificate=True:

  • Maintains encrypted connections between client and server
  • Bypasses the certificate trust chain validation
  • Allows development without installing new certificates
  • Equivalent to TrustServerCertificate=Yes syntax

Differences Between True/Yes

TrustServerCertificate=True and TrustServerCertificate=Yes are functionally identical in connection strings. Both formats are accepted by SQL Server clients.

Production Environment Considerations

  1. Never deploy development solutions (TrustServerCertificate=True or Encrypt=False) to production
  2. Install a valid certificate from a trusted certificate authority
  3. Ensure the SQL Server instance uses this certificate
  4. Validate clients trust the issuing certificate authority
  5. Maintain regular certificate rotation schedules
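
One way to enforce the first item at application startup, so that a development connection string copied into a production configuration fails fast instead of silently connecting without certificate validation. This is an added example, not code from the original page; the ConnectionStringGuard class and the EnsureValidatedTls method are hypothetical names, and "SqlServer" is the connection string name used earlier on this page.

```csharp
using System;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Hosting;

// Added example: rejects development-only TLS settings outside Development.
// ConnectionStringGuard and EnsureValidatedTls are hypothetical names.
public static class ConnectionStringGuard
{
    public static string EnsureValidatedTls(string? connectionString, IHostEnvironment env)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
            throw new InvalidOperationException("Connection string is missing.");

        // The builder parses keywords case-insensitively and accepts both
        // True/False and Yes/No, so every spelling is checked the same way.
        var builder = new SqlConnectionStringBuilder(connectionString);

        // Encrypt is a bool in Microsoft.Data.SqlClient 4.x and a
        // SqlConnectionEncryptOption in 5.x; the latter converts implicitly to bool.
        bool encrypted = builder.Encrypt;
        bool skipsValidation = builder.TrustServerCertificate;

        // The shortcuts from this page are tolerated in Development only.
        if (env.IsDevelopment())
            return connectionString;

        // Messages never echo the connection string: it may contain credentials.
        if (!encrypted)
            throw new InvalidOperationException(
                $"Encrypt=False is not allowed in environment '{env.EnvironmentName}'.");

        if (skipsValidation)
            throw new InvalidOperationException(
                $"TrustServerCertificate=True is not allowed in environment '{env.EnvironmentName}'.");

        return connectionString;
    }
}

// Usage in Program.cs (minimal hosting model), assuming the AppDbContext
// registration shown earlier on this page:
//
// var cs = builder.Configuration.GetConnectionString("SqlServer");
// builder.Services.AddDbContext<AppDbContext>(options =>
//     options.UseSqlServer(
//         ConnectionStringGuard.EnsureValidatedTls(cs, builder.Environment),
//         sqlOptions => sqlOptions.EnableRetryOnFailure()));
```

Keeping the TrustServerCertificate=True variant in appsettings.Development.json and the validated one in appsettings.json means the guard only ever fires when a development value leaks into another environment.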

Common Mistakes to Avoid

  1. Adding spaces in TrustServerCertificate=False instead of TrustServerCertificate=false
  2. Applying development solutions to production environments
  3. Switching back to EF Core 6 (temporary workaround, not a solution)
  4. Setting Encrypt=False when TrustServerCertificate=True would maintain better security

Technical Background: EF Core 7 Changes

The breaking security change was implemented to comply with modern encryption standards:

This change ensures encrypted connections by default, improving security but requiring additional configuration for development setups.

Summary

To resolve the Entity Framework Core 7 certificate trust exception:

  1. Add TrustServerCertificate=True to your connection string as the primary solution
  2. Use Encrypt=False only as a temporary fallback for development
  3. Never apply development solutions to production
  4. Always implement properly validated certificates for production environments

These changes maintain development productivity while preserving the enhanced default security posture introduced in EF Core 7.