Thursday, September 5, 2019

Sitecore 9 Identity Server Error With CA SSL Certificates

One of the implementations I did recently is a Sitecore 9.1 installation/upgrade.

Initially we had the Sitecore Identity server IIS site running with a self-signed certificate, and I adjusted it to use a CA-signed SSL certificate.

That was done by importing the certificate's .pfx file into the Trusted Root Certificate section of the Local Computer certificate store, using MMC.
Then I adjusted the Sitecore Identity server settings and the Sitecore instance settings to match that certificate's location and its certificate key. I also adjusted the IIS site instance to use the newly imported certificate.

Once the above was done, we started to face issues with Sitecore logins. We were not able to get the Sitecore login working, with the Identity Server instance returning a 500 error message.

[FTL] (Sitecore STS/auenws-sccm-w01) Unhandled exception: "Keyset does not exist"
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
   at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
   at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
   at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
   at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
   at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, String authorizationCode)
   at ......

Then I searched the internet for the above error message.

The solution that people provided was to set the permission on the imported certificate for the IIS app user account.

To achieve that, we need to be able to access the "All Tasks -> Manage Private Keys..." option for that certificate.

But that option was not available when the certificate is in the "Trusted Root Certification Authorities" or "Intermediate Certification Authorities" store. It is only available for certificates in the "Personal" certificate store.

So what I did was:
1) I moved our imported certificate from the "Trusted Root Certification Authorities" store to the "Personal" store.
2) Then I set the permission for the "IIS_IUSRS" user for that certificate using the "Manage Private Keys..." option.
3) Then I moved the certificate back to the "Trusted Root Certification Authorities" store.

(info on https://stackoverflow.com/questions/12106011/system-security-cryptography-cryptographicexception-keyset-does-not-exist)

This solved the issues with the Sitecore login.
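
The permission change in step 2 can also be scripted from an elevated PowerShell prompt instead of the MMC dialog. The script below is an added example, not part of the original post; it assumes the certificate is in the Local Computer "Personal" store, an RSA key, and a thumbprint that you supply (`$Thumbprint` is a placeholder parameter).

```powershell
# Added example: grant Read on a certificate's private key file, the scripted
# equivalent of "All Tasks -> Manage Private Keys...". Run elevated.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # placeholder: your certificate's thumbprint
    [string] $Account = 'IIS_IUSRS'               # account named in the steps above
)

# Certificate must be in the Local Computer "Personal" (My) store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key associated with it."
}

# Resolve the key container name for both CNG and legacy CSP (CAPI) keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) {
    throw "Certificate $Thumbprint does not have an RSA private key."
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Machine keys live in one of these folders depending on the provider.
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # CSP (CAPI) keys
    "$env:ProgramData\Microsoft\Crypto\Keys"              # CNG keys
) | ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) {
    throw "Private key file '$keyName' not found in the machine key folders."
}

# Add a Read-only allow rule; signing tokens does not need write access.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting ACL so the grant can be reviewed.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Passing the identity the Identity Server application pool actually runs as via `-Account` keeps the grant narrower than the whole "IIS_IUSRS" group.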

Happy Sitecore!!