Adding user to administrators group does not get read access to certificate


I have IdentityServer3 running in Windows 2019 + IIS. The application pool is configured to run under the "dev@internal" user account. This is a domain user account.

I created a signing certificate using the following command:

New-SelfSignedCertificate -CertStoreLocation "Cert:\LocalMachine\My" -Subject "IdentityServerDevTokenSign" -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(35) -HashAlgorithm "sha256" -KeySpec Signature -KeyLength 2048 -FriendlyName "IdentityServerDevTokenSign"

By default, when the certificate is created, the "Administrators" group has full and read access to the certificate. I added the "dev@internal" domain user to the "Administrators" group. However, when the application starts, I see the error:

Signing certificate has no private key, or the private key is not accessible. Make sure the account running your application has access to the private key.

Then, I removed "dev@internal" from the Administrators group and directly configured the user on the certificate with "read" access only, and now the application is working.

To configure the user directly on the certificate:
Go to Manage Computer Certificates -> Personal -> Certificates -> Select the Certificate -> Right Click -> All Tasks -> Manage Private Keys

I am curious to know why the first approach, which involved adding the user to the "Administrators" group, did not work.

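Added example, not part of the question above: a PowerShell script that locates the private key file behind the "IdentityServerDevTokenSign" certificate in LocalMachine\My and prints the file's ACL, so you can see exactly which principals hold an explicit Read entry (the same entries shown by "Manage Private Keys"). The listing shows explicit ACEs only, so a user that gets access via a group appears only as that group's entry; the $Principal name is an assumed NetBIOS-style spelling of the account from the question, and the script should be run from an elevated prompt on the IIS host.

```powershell
# Added example (not from the question): inspect the private key ACL of a
# LocalMachine\My certificate. Assumes the subject used in the question; the
# principal below is an assumed DOMAIN\user spelling of "dev@internal".
param(
    [string]$Subject   = 'IdentityServerDevTokenSign',
    [string]$Principal = 'INTERNAL\dev'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Subject" } |
    Select-Object -First 1
if (-not $cert)                { throw "No certificate with subject CN=$Subject" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $($cert.Thumbprint) has no private key" }

# Resolve the key handle; a CNG key (Microsoft Software Key Storage Provider)
# and a legacy CSP key are stored in different directories under ProgramData.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                 "$env:ProgramData\Microsoft\Crypto\SystemKeys")
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
}

$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $uniqueName } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file $uniqueName not found under: $($keyDirs -join ', ')" }

Write-Host "Private key file: $keyFile"
$acl = Get-Acl -Path $keyFile
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Does the app-pool identity itself have an explicit ACE granting Read?
$readFlag = [System.Security.AccessControl.FileSystemRights]::Read
$direct = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readFlag) -eq $readFlag)
}
if ($direct) { Write-Host "$Principal has an explicit Allow/Read entry on the key file." }
else         { Write-Host "$Principal has no explicit entry; any access comes only via a listed group." }
```

If the script is run under the "dev@internal" account rather than an elevated admin shell, the GetRSAPrivateKey call itself fails when that account cannot open the key, which is the same condition IdentityServer reports as "the private key is not accessible".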