
OpenIddict error with AddSigningCertificate


I am trying to use a signing certificate (OpenIddict), but I get an error when trying with the thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception: System.Security.Cryptography.CryptographicException: OpenCSP failed with error code 2148073494.

in this line:

app.UseOpenIddict();

If I try with X509Certificate2 I also get an error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);
options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the required private key.

in the same line, app.UseOpenIddict();.

I am using the same certificate that I use for the HTTPS protocol. Is this OK? My active tokens randomly disappear (and I get invalid_token when trying to refresh the token). I found somewhere that this happens if AddEphemeralSigningKey is used, because when the connection is dropped (because of the IIS idle timeout), all tokens are lost. Because of that I am trying to use AddSigningCertificate.

Is there another way? Can someone tell me, what is wrong with certificate? Thank you.

I am using ASP.NET Core 1.1.1.
I added read rights to the .cer file for the IIS user.



Solution

  • I solved my problem with a new certificate created with SelfCert (https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip).
    I then added the certificate to the project source and called AddSigningCertificate:

        if (this.env.IsDevelopment())
            options.AddEphemeralSigningKey();
        else
            options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

    I also had to give the IIS user full rights to the file. Read and execute rights were not enough.

    And that's it. It works.
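The two errors in the question have distinct causes that the answer's fix covers implicitly: a .cer file holds only the public certificate, so OpenIddict cannot sign with it ("doesn't contain the required private key"), and the thumbprint overload fails when the store lookup does not yield a certificate whose private key the application pool identity can open (the Windows error 2148073494 is 0x80090016, NTE_BAD_KEYSET, "Keyset does not exist"). The following is an added example, not code from the question, the answer or OpenIddict itself: a loader that validates a PFX or a store certificate before handing it to AddSigningCertificate, and the same Development/Production split as the answer, with the password read from configuration instead of being hardcoded. The class name SigningCertificateLoader, the configuration keys "Certificate:Path" and "Certificate:Password", and the services.AddOpenIddict(options => ...) registration shape are assumptions for this example.

```csharp
// Added example (not from the question or answer above). Assumed names:
// SigningCertificateLoader, the "Certificate:Path"/"Certificate:Password" keys
// and the services.AddOpenIddict(options => ...) registration shape.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCertificateLoader
{
    // Loads a PKCS#12 (.pfx) file and refuses anything that cannot sign tokens.
    // A .cer file carries only the public certificate, so it always fails the
    // HasPrivateKey check below: that is the "required private key" error.
    public static X509Certificate2 LoadPfx(string path, string password)
    {
        if (!File.Exists(path))
            throw new FileNotFoundException("Signing certificate file not found.", path);

        // MachineKeySet: the private key is placed under the machine profile, which an
        // IIS application pool identity without a loaded user profile can reach.
        // PersistKeySet keeps the CSP key container from being deleted when this
        // X509Certificate2 instance is collected.
        var cert = new X509Certificate2(path, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        EnsureUsable(cert);
        return cert;
    }

    // Same checks for a certificate installed in the Windows store, found by
    // thumbprint. Thumbprints copied from the certificate UI contain spaces (as in
    // the question) and sometimes invisible characters, so keep hex digits only.
    public static X509Certificate2 LoadFromStore(string thumbprint,
        StoreLocation location = StoreLocation.LocalMachine)
    {
        var hex = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        if (hex.Length != 40)
            throw new ArgumentException($"'{thumbprint}' is not a SHA-1 thumbprint.", nameof(thumbprint));

        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, hex, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException($"No certificate {hex} in {location}\\My.");

            var cert = matches[0];
            EnsureUsable(cert);
            return cert;
        }
    }

    private static void EnsureUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no private key; export it as a PFX with the key included.");

        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} expired on {cert.NotAfter:u}; tokens it signs would not validate.");
    }
}

public class Startup
{
    private readonly IHostingEnvironment env;
    private readonly IConfigurationRoot configuration;

    // ASP.NET Core 1.x shape: the configuration is built in the Startup constructor.
    public Startup(IHostingEnvironment env)
    {
        this.env = env;
        configuration = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json")
            .AddEnvironmentVariables()   // lets the PFX password live outside source control
            .Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddOpenIddict(options =>
        {
            if (env.IsDevelopment())
            {
                // A fresh key on every start: tokens issued before a process recycle
                // stop validating, which matches the behaviour described in the question.
                options.AddEphemeralSigningKey();
            }
            else
            {
                var cert = SigningCertificateLoader.LoadPfx(
                    Path.Combine(env.ContentRootPath, configuration["Certificate:Path"]),
                    configuration["Certificate:Password"]);
                options.AddSigningCertificate(cert);
            }
        });
    }
}
```

Two points worth keeping in mind when following the accepted answer. First, a PFX checked into the project source together with a literal password in Startup is a secret in version control; reading the password from an environment variable or a secret store, as above, keeps the file useless on its own. Second, the question reuses the HTTPS certificate for token signing; a dedicated signing certificate means that rotating or revoking the TLS certificate does not invalidate every issued token, and that a compromise of one key does not hand over the other role. Whichever way the certificate is loaded, an explicit HasPrivateKey check at startup turns a confusing CSP error into a clear message before the first token is ever issued.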