I want to create or obtain a certificate, create a pfx-file, load it and have IdentityServer use it. However, IdentityServer is not able to use my pfx.
How to successful
On IIS 10 I had to change my app pool identity to LocalSystem
I followed that blog post too and also had that issue. The problem was when you run this to create the PKCS12 file:
openssl pkcs12 -export -out example.pfx -inkey example.key -in example.crt -certfile example.crt
Try to remove -certfile example.crt and it should work.
Also, according to .NET Core X509Certificate2 usage (under Windows/IIS, Docker, Linux), you can test whether the certificate was loaded from the file correctly by accessing cert.PrivateKey.
E.g.
X509Certificate2 cert = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "cert.pfx"), "password");
Console.WriteLine("cert private key: " + cert.PrivateKey);
The problem was resolved by adding IIS_IUSR group. From this link Add group IIS_IUSR:
The problem was that the Permissions for the Private Key of the Certificate in the Windows Certificate Store did not have the IIS_IUSRS group set to allow read access.
Right click certificate -> All Tasks -> Manage Private Keys -> Add group "IIS_IUSRS"
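A startup check covering both failure modes raised in the answers above (a pfx exported without its private key, and a private key the process identity cannot read), written as an added example rather than code from any of the answers or from IdentityServer; the file name, password and class name are placeholders:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: load the signing certificate the way an ASP.NET Core /
// IdentityServer host would and prove the private key is usable before
// the server is configured with it. Path and password are placeholders.
static class SigningCertCheck
{
    public static X509Certificate2 LoadAndVerify(string pfxPath, string password)
    {
        var cert = new X509Certificate2(
            pfxPath,
            password,
            // MachineKeySet: keep the key in the machine profile, which works
            // for an app pool identity that has no loaded user profile.
            X509KeyStorageFlags.MachineKeySet);

        // A pfx produced by a broken openssl pkcs12 export loads without error
        // but carries no private key; catch that here rather than at sign time.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(pfxPath + " contains no private key.");

        // Touching the key and signing makes a permission problem on the key
        // container surface now, as a CryptographicException, instead of when
        // the first token is issued.
        byte[] probe = { 1, 2, 3 };
        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            if (priv == null)
                throw new InvalidOperationException("Private key is not RSA or is not accessible.");

            byte[] sig = priv.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (!pub.VerifyData(probe, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                throw new InvalidOperationException("Private key does not match the certificate.");
        }
        return cert;
    }

    static void Main()
    {
        // Placeholder values; replace with the real pfx path and password.
        X509Certificate2 cert = LoadAndVerify("cert.pfx", "password");
        Console.WriteLine("Signing certificate OK: " + cert.Thumbprint);
    }
}
```

Run it under the same identity as the app pool; a CryptographicException at GetRSAPrivateKey or SignData points at the key ACL, while the "contains no private key" error points back at how the pfx was exported.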