I have been running a dev and test Service Fabric cluster using self signed ssl certificates under http.sys listener type with no issues. Now that I am preparing to go to production I created a real SSL cert from DigiCert as a wildcard cert with a number of Subject Alternative Names. However, when trying to bring this up when running locally to verify the configuration, it fails and the diagnostic information reports
"Cannot find the certificate and private key to use for decryption".
Issuing a:
netsh http show sslcert
shows that it is properly registering the cert
IP:port : 0.0.0.0:8113
Certificate Hash : 9e324673476570cc51a8dff7789f6cf8436cec38
Application ID : {c5f2a686-3b30-4490-b86e-cb88b15fd92b}
Certificate Store Name : My
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
with the thumbprint I am telling it to use(9e324673476570cc51a8dff7789f6cf8436cec38) in the EndpointCertificate element in ApplicationManifest.xml. The cert is valid with valid keys. the only difference between this cert and the self signed dev/test one is the Subject and Subject Alternative Name attribute. The dev/test one has a dummy domain like dev.sample.com but the real one is *.myrealdomain.com.
Any idea why it throws this error when clearly a valid cert by that thumbprint exists and is getting registered with netsh properly?
In addition, this same cert is used as the cluster certificate placed in Azure Key Vault and works fine there and is used for another domain under an app service without issue.
