ID2057: Cannot construct a X509SigningCredentials instance for a certificate without the private key.

ID2057: Cannot construct a X509SigningCredentials instance for a certificate without the private key.
Parameter name: token

Disclaimer: I don’t completely understand the cause of this problem, but I can talk about what I did to resolve it and speculate on why it worked. If you read this and you can set me straight on this information, I would love to update this article with more-accurate information. Thanks in advance.

This one happened when I picked the wrong kind of server certificate. I’m not completely clear on the criteria for “the right kind of certificate”. However, I did get this error whenever I picked a server certificate with an “Intended Purpose” (on the MMC, Certificate > Personal > Certificates list: column 4) that had more-than one purpose.

Solution: The certificates that worked best were the ones with Intended Purpose of “Server Authentication”. (and nothing else). Better still, a self-signed certificate always worked. Of course, I had to export the certificate and install it on both/all load-balanced servers.

Now I know what you are thinking: normally, a self-signed certificate will raise some security concerns because the “provider” is weak. This is very true when you use them for SSL. However, this cert is only used for signing X509 certificates (internally). There is no three-part mechanism, and no need to check the validity of the cert or issuer. Plus, the Identity Server is only reachable via SSL (from a strong vendor). So we are already protected from many of the different kinds of attacks that can happen on token exchanges. Also, I will get a much-better key for the production server. This only has to work until the sys-admin buys the right key and installs it.

Follow-up: I did find that you need a private key, and for some reason, it is pretty hard to determine if your key has a “private key”.  Here is a quick way to find out:

In this image, the yellow arrow is pointing to the menu option “Manage Private Keys…”. This menu option will only show up if you have a “private key” and not just a public key.  If this menu is missing (right-click), then no private key, and you get the x509 error.


About Tim Golisch

I'm a geek. I do geeky things.
This entry was posted in Errors, Lessons Learned and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s