I'm aware that a self-signed certificate is not a good idea to encrypt SSL traffic between a server and a browser. But does it matter in the context of IdentityServer4?
And what is the difference between that and AddValidationKey(), which seems easier to me?
By all means, I'm not a security expert, and unfortunately neither is anyone in my team, so we are a bit confused here and I would like to avoid opening up a big security hole. At the same time, I don't want to complicate something that is not necessary.
First of all, when dealing with IdentityServer you have several keys/certificates to deal with.
You have the certificate for the SSL/TLS (HTTPS) traffic, and this one should not be self-signed.
You have AddValidationKey/AddSigningCredentials, which both deal with the signing of the tokens. This needs a separate public/private key. This can be done using a self-signed certificate. See this article.
You also have the Data Protection API to deal with, which is responsible for encrypting the session cookies issued. To avoid issues during redeploy, you should make sure the signing key (key ring) is persisted across redeploys.
Hope this is a starting point :-)
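The three key types from the answer above, wired together in one ASP.NET Core `Startup`. This is an added example, not code from the question, the answer or the IdentityServer4 project. The configuration keys (`Signing:CurrentPfx`, `Signing:PreviousCer`, `DataProtection:KeyRingPath`), the environment variable `IDS_SIGNING_PFX_PASSWORD` and the application name are assumptions chosen for illustration; the IdentityServer4 and Data Protection calls themselves (`AddSigningCredential`, `AddValidationKey`, `AddDataProtection`, `PersistKeysToFileSystem`, `SetApplicationName`) are the real library APIs.

```csharp
// Added example (not from the original question or answer): one Startup that
// configures the token-signing key, an old key kept for validation during
// rotation, and a persisted Data Protection key ring.
// Paths, configuration keys and the env var name are assumptions.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // 1. TLS certificate: deliberately NOT handled here. HTTPS is terminated by
        //    Kestrel, IIS or a reverse proxy, and that certificate must chain to a
        //    CA the browsers trust, so it cannot be self-signed.

        // 2. Token-signing key. A self-signed certificate is acceptable here because
        //    nobody walks a chain for it: clients fetch the public key from the
        //    discovery document (jwks_uri) over the already-trusted HTTPS connection.
        //    The PFX password stays out of source control (assumed env var).
        var signingCert = LoadSigningPfx(
            _config["Signing:CurrentPfx"],                                   // assumed key
            Environment.GetEnvironmentVariable("IDS_SIGNING_PFX_PASSWORD")); // assumed name

        var builder = services.AddIdentityServer()
            .AddSigningCredential(signingCert);

        // Key rotation: after switching to a new signing certificate, keep the previous
        // one published as a validation key so tokens issued before the rotation still
        // validate until they expire. Only the public part (.cer) is needed for this;
        // the old private key can already be destroyed.
        var previousCer = _config["Signing:PreviousCer"];                    // assumed key
        if (!string.IsNullOrEmpty(previousCer) && File.Exists(previousCer))
        {
            builder.AddValidationKey(new X509Certificate2(previousCer));
        }

        // 3. Data Protection key ring: protects the session cookies. Persist it outside
        //    the deployment directory so a redeploy (or a second instance behind a load
        //    balancer) does not invalidate every existing session. The directory must be
        //    readable only by the service account; it holds key material.
        var keyRingPath = _config["DataProtection:KeyRingPath"];             // assumed key
        if (string.IsNullOrEmpty(keyRingPath))
            throw new InvalidOperationException("DataProtection:KeyRingPath is not configured");

        services.AddDataProtection()
            .SetApplicationName("my-identityserver")  // assumed; must match on all instances
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath));
    }

    // Loads the signing PFX and fails fast on the mistakes that otherwise surface
    // only at the first token request: missing file, missing password, public-only
    // certificate, or an expired certificate.
    private static X509Certificate2 LoadSigningPfx(string path, string password)
    {
        if (string.IsNullOrEmpty(path) || !File.Exists(path))
            throw new InvalidOperationException($"Signing certificate not found: {path}");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("IDS_SIGNING_PFX_PASSWORD is not set");

        var cert = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key");
        if (cert.NotAfter < DateTime.UtcNow)
            throw new InvalidOperationException("Signing certificate has expired");

        return cert;
    }
}
```

The self-signed signing PFX can be produced with plain OpenSSL, for example `openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=ids-token-signing" -keyout signing.key -out signing.crt` followed by `openssl pkcs12 -export -inkey signing.key -in signing.crt -out signing.pfx`. Use a separate certificate for this than for TLS, and never reuse the TLS key for signing: the two have different trust models, different rotation schedules and different exposure.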