I'm getting this error on the published site today. I recreated authserver.pfx but am still getting the same error. I checked the site certificate; it is active.
To create authserver.pfx I'm using:
dotnet dev-certs https -v -ep authserver.pfx -p XXXX
"AuthServer": {
"Authority": "https://??????",
"RequireHttpsMetadata": true,
"CertificatePassPhrase": "XXXX"
},
What is wrong? I couldn't understand the error.
To use key rollover, register both the new certificate and the old one in the credentials collection.
at OpenIddict.Server.OpenIddictServerConfiguration.PostConfigure(String name, OpenIddictServerOptions options)
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
4 Answer(s)
-
0
- Solution: The error is coming from OpenIddict: "When using X.509 encryption credentials, at least one of the registered certificates must be valid. To use key rollover, register both the new certificate and the old one in the credentials collection." This happens when the AuthServer can't load a valid signing/encryption key in production.
Do this checklist and fix:
Generate a proper OpenIddict certificate for production (not the site TLS cert)
- On the server (or locally and deploy the file), run: dotnet dev-certs https -v -ep openiddict.pfx -p 00000000-0000-0000-0000-000000000000
- Place openiddict.pfx next to the AuthServer executable (or a configured path).
- Make sure the password you set here is the same you configure in code.
Configure ABP OpenIddict to use the PFX in production
- In your AuthServer module:
  public override void PreConfigureServices(ServiceConfigurationContext context)
  {
      var hostingEnvironment = context.Services.GetHostingEnvironment();
      var configuration = context.Services.GetConfiguration();

      if (!hostingEnvironment.IsDevelopment())
      {
          PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
          {
              options.AddDevelopmentEncryptionAndSigningCertificate = false;
          });

          PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
          {
              // If your pfx is in content root
              serverBuilder.AddProductionEncryptionAndSigningCertificate(
                  "openiddict.pfx",
                  "00000000-0000-0000-0000-000000000000"
              );

              // Set the public HTTPS issuer
              serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
          });
      }
  }
- If running under IIS/Azure and you face key-access issues, pass key storage flags:
  PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
  {
      var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;
      serverBuilder.AddProductionEncryptionAndSigningCertificate(
          "openiddict.pfx",
          "00000000-0000-0000-0000-000000000000",
          flags
      );
  });
Ensure the file is actually present on the server
- openiddict.pfx is usually ignored by git; copy it to the server during deployment or stop ignoring it.
- If the file is missing, OpenIddict will fail at startup with the exact error you see.
Keep Authority and metadata HTTPS-only
- appsettings:
  "AuthServer": {
    "Authority": "https://your-authserver-host",
    "RequireHttpsMetadata": true,
    "CertificatePassPhrase": "00000000-0000-0000-0000-000000000000"
  }
- Behind a reverse proxy, ensure the app sees HTTPS:
- Forward headers correctly (X-Forwarded-Proto).
- Or force scheme:
    app.Use(async (ctx, next) =>
    {
        ctx.Request.Scheme = "https";
        await next();
    });
  If you temporarily set RequireHttpsMetadata = false, discovery will emit http URLs and SPAs will reject them; keep it true and fix scheme/forwarding instead.
About the "key rollover" message
- This appears when OpenIddict finds an expired/invalid encryption/signing certificate and no other valid certificate. You don’t need to “register old + new” unless you really want rollover; you just need at least one valid cert. Ensure the currently configured PFX is valid and loadable by the process.
IIS-specific tips
- If you still get access errors to the private key:
- Ensure the app pool identity can access the key, or
- Use MachineKeySet/EphemeralKeySet flags as shown above, or
- Import the certificate into the Local Machine store and load from there.
- Sources
- OpenIddict certificate configuration in ABP deployment:
- https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment
- Community Q&A showing the same error and resolution (generate and deploy openiddict.pfx):
- https://abp.io/support/questions/9016
- Troubleshooting OpenIddict certificate loading in IIS/Azure (key storage flags, production cert usage):
- https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/deployment-iis
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
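The checklist above can be collapsed into one module that fails fast with a readable message when the PFX is missing, expired or has no private key, and that also shows the actual "key rollover" case the OpenIddict error text refers to (old and new certificate registered together). This is an added example, not code from the answer above or from the ABP template; it assumes a hypothetical module class name MyAuthServerModule, the file names openiddict.pfx and openiddict-old.pfx in the content root, the appsettings keys used in this thread, and .NET 9 (ABP v9) for X509CertificateLoader.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Volo.Abp;
using Volo.Abp.Modularity;
using Volo.Abp.OpenIddict;

// Added example; MyAuthServerModule and openiddict-old.pfx are assumptions, not ABP defaults.
[DependsOn(typeof(AbpOpenIddictAspNetCoreModule))]
public class MyAuthServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var env = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();

        // Development keeps ABP's built-in development certificate.
        if (env.IsDevelopment())
        {
            return;
        }

        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            var passPhrase = configuration["AuthServer:CertificatePassPhrase"]
                ?? throw new InvalidOperationException("AuthServer:CertificatePassPhrase is not configured.");

            // MachineKeySet/EphemeralKeySet avoids per-user key store access problems under IIS app pools.
            var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;

            // Current certificate: must exist, be within its validity period, and carry a private key.
            var current = LoadAndCheck(Path.Combine(env.ContentRootPath, "openiddict.pfx"), passPhrase, flags);
            builder.AddEncryptionCertificate(current).AddSigningCertificate(current);

            // Key rollover: if the previous PFX is still deployed, register it as well so tokens
            // issued with the old key keep validating until that certificate expires.
            var oldPath = Path.Combine(env.ContentRootPath, "openiddict-old.pfx"); // assumed file name
            if (File.Exists(oldPath))
            {
                var old = X509CertificateLoader.LoadPkcs12FromFile(oldPath, passPhrase, flags);
                builder.AddEncryptionCertificate(old).AddSigningCertificate(old);
            }

            // Public HTTPS issuer, same value the clients use as Authority.
            builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }

    // Loads a PFX and applies the same validity rule OpenIddict enforces at startup,
    // but with an error message that says what to fix.
    private static X509Certificate2 LoadAndCheck(string path, string passPhrase, X509KeyStorageFlags flags)
    {
        if (!File.Exists(path))
        {
            throw new FileNotFoundException(
                "OpenIddict certificate not found; copy the PFX next to the AuthServer executable.", path);
        }

        var cert = X509CertificateLoader.LoadPkcs12FromFile(path, passPhrase, flags); // .NET 9+
        var now = DateTime.Now;

        if (now < cert.NotBefore || now > cert.NotAfter)
        {
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} is not valid at {now:u} " +
                $"(valid from {cert.NotBefore:u} to {cert.NotAfter:u}). " +
                "Generate a new PFX, or keep this one registered next to a valid one for rollover.");
        }

        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no private key; export the PFX including the private key.");
        }

        return cert;
    }
}
```

The wrong-password case surfaces as a CryptographicException from LoadPkcs12FromFile, which is the quickest way to confirm that the value in AuthServer:CertificatePassPhrase matches the -p argument used with dotnet dev-certs. Note that dotnet dev-certs produces a certificate with a one-year validity, so the expiry check here is the one that will eventually fire on a site that has been running for a while.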
-
0
Hi
Can you check the AddProductionEncryptionAndSigningCertificate method in your module? The default key file name is openiddict.pfx and the password is in appsettings.json.
  dotnet dev-certs https -v -ep openiddict.pfx -p 00000000-0000-0000-0000-000000000000
00000000-0000-0000-0000-000000000000 is your certificate password. Then you need to publish this PFX file to your production server.
Thanks.
-
0
Hi
Creating a new certificate openiddict.pfx solved the problem.
It's not authserver.pfx in v9.0.
Thanks
-
0
Great
