
IdentityServer4 not working in production


If you want to use a *.pfx:

    "Key": {
      "Type": "File",
      "FilePath": "certificate.pfx",
      "Password": "password:!"
    }

And read this thread if you have this error: WindowsCryptographicException: Keyset does not exist

internal.cryptography.cryptothrowhelper+windowscryptographicexception keyset does not exist


So I was able to solve my issues using this piece of documentation: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.0#example-deploy-to-azure-websites

I had to set "Copy if newer" in the appsettings.json file properties so that it would get copied to the build folder.

I also added the following to the appsettings.json file:

    "IdentityServer": {
      "Clients": {
        "Client": {
          "Profile": "IdentityServerSPA"
        }
      },
      "Key": {
        "Type": "Store",
        "StoreName": "My",
        "StoreLocation": "LocalMachine",
        "Name": "CN=SigningCertificate"
      }
    }

Now the Key.Type is specified, which means that we can now just add the following to the startup.cs:

    // Configure IdentityServer4
    var identityBuilder = services.AddIdentityServer();
    identityBuilder.AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
    if (!Environment.IsDevelopment())
        identityBuilder.AddSigningCredentials();

I still do not understand why other people are not experiencing this issue, since I am not able to find any other threads on this issue and the regular way seems to work for everyone else. The only downside to this is that I now need to install the certificate on the machine instead of getting it as a file.


Here is how I solved it in Docker for Blazor WebAssembly. My answer is mostly based on this thread. Keep in mind that, although it works, it may not be production-ready, nor safe. I know little about IdentityServer.

appsettings.json:

    "IdentityServer": {
      //[...]
      "Key": {
        "Type": "File",
        "FilePath": "/path_to_certificate_here/server.pfx",
        "Password": "password_specified_later"
      }
    }

FilePath is where you physically placed your certificate (generated in the next step of this answer). The password is set while generating the certificate.

Generating certificate:

Source. This might not be production-ready either.

    $ openssl genrsa 2048 > server_private.pem
    $ openssl req -x509 -days 1000 -new -key server_private.pem -out server_public.pem
    $ openssl pkcs12 -export -in server_public.pem -inkey server_private.pem -out server.pfx

Keep in mind that the certificate will expire (-days attribute in the 2nd command).

Working with Docker

There are some answers advising to include the certificate in the build folder or keep it with the project source code. I personally don't think it's a good idea. I'm generating certificates manually on my server in a separate folder, then I'm creating a Docker volume pointing to the folder where I placed them.
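As an added, defender-side check (not code from any of the answers above, nor from IdentityServer4 or the ApiAuthorization package): a small C# program that resolves the signing certificate the way the two configurations in this thread describe it, Key.Type "File" with a .pfx and password (first and third answers) or Key.Type "Store" with a subject name in the LocalMachine/My store (second answer), and fails fast if the certificate has no usable private key or has expired. It assumes appsettings.json carries the IdentityServer:Key section shown above and that Microsoft.Extensions.Configuration.Json is referenced; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

// Hypothetical pre-flight check: load the signing certificate exactly as the
// "IdentityServer:Key" section describes it and prove the key is usable now,
// rather than at the first token request in production.
public static class SigningKeyCheck
{
    public static X509Certificate2 Load(IConfiguration key)
    {
        switch (key["Type"])
        {
            case "File":
                // EphemeralKeySet keeps the private key in memory only. Nothing is written
                // to a per-user key container, which is the usual origin of
                // "Keyset does not exist" when the service account has no loaded profile.
                return new X509Certificate2(
                    key["FilePath"],
                    key["Password"],
                    X509KeyStorageFlags.EphemeralKeySet);

            case "Store":
                var name = Enum.Parse<StoreName>(key["StoreName"], ignoreCase: true);             // e.g. "My"
                var location = Enum.Parse<StoreLocation>(key["StoreLocation"], ignoreCase: true); // e.g. "LocalMachine"
                using (var store = new X509Store(name, location))
                {
                    store.Open(OpenFlags.ReadOnly);
                    // validOnly: false so an expired or self-signed certificate is still
                    // returned here and reported with a precise message by Verify().
                    var matches = store.Certificates.Find(
                        X509FindType.FindBySubjectDistinguishedName, key["Name"], validOnly: false);
                    if (matches.Count == 0)
                        throw new InvalidOperationException(
                            $"No certificate with subject '{key["Name"]}' in {location}\\{name}.");
                    return matches[0];
                }

            default:
                throw new InvalidOperationException(
                    $"Unsupported IdentityServer:Key:Type '{key["Type"]}'.");
        }
    }

    public static void Verify(X509Certificate2 cert, TimeSpan warnBefore)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"{cert.Subject} has no private key; tokens cannot be signed.");

        // NotAfter is expressed in local time, so compare against DateTime.Now.
        if (cert.NotAfter < DateTime.Now)
            throw new InvalidOperationException($"{cert.Subject} expired on {cert.NotAfter:u}.");

        if (cert.NotAfter - DateTime.Now < warnBefore)
            Console.Error.WriteLine($"WARNING: {cert.Subject} expires on {cert.NotAfter:u}; plan the rotation.");

        // Sign a throw-away buffer: this is the operation that surfaces a missing or
        // unreadable key container (the "Keyset does not exist" error) before IdentityServer needs it.
        using (RSA rsa = cert.GetRSAPrivateKey()
                         ?? throw new InvalidOperationException($"{cert.Subject} does not carry an RSA key."))
        {
            rsa.SignData(new byte[] { 0x01 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        IConfiguration config = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json")                              // assumed to hold the sections shown above
            .AddJsonFile("appsettings.Production.json", optional: true)   // assumed optional override
            .Build();

        using (var cert = Load(config.GetSection("IdentityServer:Key")))
        {
            Verify(cert, warnBefore: TimeSpan.FromDays(30));
            Console.WriteLine(
                $"Signing certificate OK: {cert.Subject}, thumbprint {cert.Thumbprint}, valid until {cert.NotAfter:u}");
        }
    }
}
```

Run it on the production host (or inside the container with the same volume mounted) as a deployment smoke test: it catches a .pfx path or password that does not match the mounted file, a store entry imported without its private key, and the expiry of the `-days 1000` certificate from the openssl commands above, thirty days ahead. Note that this mirrors what the ApiAuthorization loader reads but loads the key with its own storage flags, so a success here proves the certificate and password, not the library's key-container handling. If a .pfx produced by OpenSSL 3 is rejected by an older runtime, re-export it with `openssl pkcs12 -export -legacy`, because OpenSSL 3 changed the default PKCS#12 encryption algorithms.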