I am trying to signin certificate (OpenIddict), but I get error when trying with thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception: System.Security.Cryptography.CryptographicException: OpenCSP failed with error code 2148073494.

in this line:

app.UseOpenIddict();

If I tried with X509Certificate2 I also get error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);
options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the required private key.

in same line app.UseOpenIddict();.

I am using the same certificate that I am using for https protocol. Is this OK? My active tokens are randomly gone (and I get invalid_token when trying to refresh the token). I find somewhere that this happens if AddEphemeralSigningKey is used, because when connection is dropped (because of IIS idle timeout), all tokens are lost. Because of that I am trying to use AddSigningCertificate.

Is there another way? Can someone tell me, what is wrong with certificate? Thank you.

I am using ASP.NET Core 1.1.1.
I add read rights to IIS user for .cer file.

I solved my problem with new certificate created with SelfCert (https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip).
I then added certificate to project source and call AddSigningCertificate:

            if (this.env.IsDevelopment())
                options.AddEphemeralSigningKey();      
            else
                options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

I also had to add full rights to file for IIS user. Read and execute right was not enough.

And that's it. It works.

For use a cert in the machine personal store.

You must give permisions to the app pool of the site.

Go to machine certficate manager.

In the personal folder right click the certificate and select All Task>Manage private keys (not sure the options in english, my os is spanish)

In the security window add the app pool user, you can see it in the basic configuration of your site or aplication

IIS APPPOOL\here_your_app_pool_name

then can use it in the Startup with

 options.AddSigningCertificate("here cert thumbprint, look for it in cert info");