diff --git a/src/Servers/Kestrel/Core/src/CertificateLoader.cs b/src/Servers/Kestrel/Core/src/CertificateLoader.cs
index 424dfb25ec..f5c868d654 100644
--- a/src/Servers/Kestrel/Core/src/CertificateLoader.cs
+++ b/src/Servers/Kestrel/Core/src/CertificateLoader.cs
@@ -29,6 +29,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
 foundCertificate = foundCertificates
 .OfType()
 .Where(IsCertificateAllowedForServerAuth)
+ .Where(DoesCertificateHaveAnAccessiblePrivateKey)
 .OrderByDescending(certificate => certificate.NotAfter)
 .FirstOrDefault();

@@ -80,6 +81,9 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
 return !hasEkuExtension;
 }

+ internal static bool DoesCertificateHaveAnAccessiblePrivateKey(X509Certificate2 certificate)
+ => certificate.HasPrivateKey;
+
 private static void DisposeCertificates(X509Certificate2Collection certificates, X509Certificate2 except)
 {
 if (certificates != null)
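Review bot: The added `.Where(DoesCertificateHaveAnAccessiblePrivateKey)` in the first hunk's `foundCertificates` query drops candidates silently, so when the only matching certificate lacks a private key, `FirstOrDefault()` yields null exactly as if the store held no match. The null-handling path lies outside the hunk; if it reports a generic "not found" error, an operator cannot tell that a certificate was present but unusable. I would add a why-comment above the filter, `// Skip certificates with no private key: they cannot be used for server authentication.`, and have the failure message mention that candidates without a private key were skipped.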
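Review bot: `DoesCertificateHaveAnAccessiblePrivateKey` in the second hunk promises more than `certificate.HasPrivateKey` checks. That property reports that a private key is associated with the certificate, not that the identity running the server is permitted to open it. A store certificate whose key permissions exclude the service account would presumably still pass this filter and only fail later, when the key is first used for TLS. Either give the helper a name that matches the check or document the limit, e.g. `/// Returns true when the certificate has an associated private key; does not verify that this process can read it.`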