Certificate not found when deploying IdentityServer 4 to Azure VM
I found the solution here:
Apparently, I need to enable the Load User Profile on the Application Pool. However, the error now changes to this:
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0] Unhandled exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions) at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider) at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng) at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
Looking at the issue now.
Okay, so the issue is permission to read the cert. All we have to do just go to the certificate and grant Read (only) for IIS_IUSRS.
Now it works.
If anyone is wondering how to give IIS users access to certs
- Create / Purchase certificate. Make sure it has a private key.
- Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"
Based upon which, IIS 7.5 Application Pool's identity use one of the following.
- IIS 7.5 Website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private key => Add
IIS AppPool\AppPoolName
and grant itFull control
. Replace "AppPoolName" with the name of your application pool (sometimesIIS_IUSRS
) - IIS 7.5 Website is running under NETWORK SERVICE. Using Certificates MMC, added "NETWORK SERVICE" to Full Trust on certificate in "Local Computer\Personal".
- IIS 7.5 Website is running under "MyIISUser" local computer user account. Using Certificates MMC, added "MyIISUser" (a new local computer user account) to Full Trust on certificate in "Local Computer\Personal".
- IIS 7.5 Website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private key => Add
The above is extracted from here.