Question

I have set up three (Dev, Test and Prod) Thinktecture IdentityServers (IdSrv) in IIS. I am using these as an IdP for ADFS 2.0. I have it working correctly for one IdSrv, but I am having difficulties adding the other two. The problem is that ADFS wants each IdSrv to use a different signing certificate, but I do not seem to be able to do this. I have made three self-signed certs and, using MMC > Manage Private Keys, I have assigned permissions for each IdSrv App Pool to each certificate. However, when I try to go to the Metadata page I get a "Keyset does not exist" error. It appears that only one certificate is being assigned; the others are ignored. I tried assigning a different IP address to each IdSrv, but that did not help.

Has anyone done this? Is this possible? Or will each IdSrv need to be on its own server? I really do not like that solution for many reasons.

Any help would be greatly appreciated!


Solution

IdSrv stores the signing cert reference in its config DB. So yes - to use three different certs, you need three different instances.
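Independently of where IdSrv keeps the certificate reference, the "Keyset does not exist" error in the question is what IIS reports when the worker process cannot open the certificate's private key. The following Windows PowerShell script is an added example, not code from the original post or from Thinktecture IdentityServer: for each instance it checks that the intended certificate is in LocalMachine\My, that it has a private key on disk, and that the app pool identity has a Read ACE on the key file (the same thing MMC > Manage Private Keys grants). It also flags two instances configured with the same thumbprint. The site names, app pool names and thumbprints are placeholders you must replace; the script assumes CSP (CAPI) RSA keys, which is what self-signed certs made with makecert or the MMC typically use, and Windows PowerShell 5.1 where $cert.PrivateKey returns an RSACryptoServiceProvider.

```powershell
# Added example (not from the original post). Placeholders: replace the
# app-pool names and thumbprints with the real values for each IdSrv site.
$sites = @(
    @{ Name = 'IdSrvDev';  AppPool = 'IIS AppPool\IdSrvDev';  Thumbprint = '<DEV-THUMBPRINT>' },
    @{ Name = 'IdSrvTest'; AppPool = 'IIS AppPool\IdSrvTest'; Thumbprint = '<TEST-THUMBPRINT>' },
    @{ Name = 'IdSrvProd'; AppPool = 'IIS AppPool\IdSrvProd'; Thumbprint = '<PROD-THUMBPRINT>' }
)

# Three instances need three distinct signing certificates; flag reuse up front.
$dupes = $sites | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 }
if ($dupes) { Write-Warning "Same thumbprint configured for: $($dupes.Group.Name -join ', ')" }

foreach ($s in $sites) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $s.Thumbprint }
    if (-not $cert) { Write-Warning "$($s.Name): $($s.Thumbprint) is not in LocalMachine\My"; continue }
    if (-not $cert.HasPrivateKey) { Write-Warning "$($s.Name): certificate has no private key"; continue }

    # CSP (CAPI) machine keys are files under ProgramData\Microsoft\Crypto\RSA\MachineKeys,
    # named after the key container's unique name. CNG keys are stored elsewhere and
    # are not covered by this check.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { Write-Warning "$($s.Name): key is not a CSP key; skipping"; continue }
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not (Test-Path $keyFile)) { Write-Warning "$($s.Name): key file $keyFile not found"; continue }

    # The app-pool identity must hold an Allow ACE that includes Read on the key file.
    $acl = Get-Acl $keyFile
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $s.AppPool -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band [int][System.Security.AccessControl.FileSystemRights]::Read) -ne 0
    }
    if ($ace) {
        Write-Output "$($s.Name): OK, $($s.AppPool) can read the key for $($cert.Subject)"
    } else {
        Write-Warning "$($s.Name): $($s.AppPool) has no Read ACE on $keyFile (expect 'Keyset does not exist')"
        # To grant Read, the scripted equivalent of MMC > Manage Private Keys:
        # $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($s.AppPool, 'Read', 'Allow')
        # $acl.AddAccessRule($rule); Set-Acl -Path $keyFile -AclObject $acl
    }
}
```

Run it in an elevated Windows PowerShell prompt on the IIS host. A site that passes this check but still fails on the Metadata page is pointing at a different certificate than you think, which is where the answer above applies: the reference lives in that instance's own configuration, so each of the three instances must be configured separately.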

License: CC-BY-SA with attribution
Not affiliated with StackOverflow