From a2effc56e0fd1196225598bfdcd70edf3c507f3a Mon Sep 17 00:00:00 2001 From: huysentruitw Date: Sat, 4 May 2019 17:14:00 +0200 Subject: [PATCH] Ensure the selected certificate has an accessible private key #9915 (#9965) --- src/Servers/Kestrel/Core/src/CertificateLoader.cs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Servers/Kestrel/Core/src/CertificateLoader.cs b/src/Servers/Kestrel/Core/src/CertificateLoader.cs index 424dfb25ec..f5c868d654 100644 --- a/src/Servers/Kestrel/Core/src/CertificateLoader.cs +++ b/src/Servers/Kestrel/Core/src/CertificateLoader.cs @@ -29,6 +29,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal foundCertificate = foundCertificates .OfType() .Where(IsCertificateAllowedForServerAuth) + .Where(DoesCertificateHaveAnAccessiblePrivateKey) .OrderByDescending(certificate => certificate.NotAfter) .FirstOrDefault(); @@ -80,6 +81,9 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal return !hasEkuExtension; } + internal static bool DoesCertificateHaveAnAccessiblePrivateKey(X509Certificate2 certificate) + => certificate.HasPrivateKey; + private static void DisposeCertificates(X509Certificate2Collection certificates, X509Certificate2 except) { if (certificates != null)
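Review bot: The added `.Where(DoesCertificateHaveAnAccessiblePrivateKey)` in the first hunk drops a matching certificate silently. If the only store match lacks a key, the operator presumably sees the not-found error raised outside this hunk, with no hint that a certificate was located and then rejected. Because the filter runs before `OrderByDescending`, an older certificate with a key now wins over a newer one without, which looks intended but deserves a comment such as `// Skip certificates without a private key: they cannot be used for server authentication, so prefer an older usable one.` Consider also logging the subject or thumbprint of each skipped certificate so a missing key import can be diagnosed. The enclosing method starts and ends outside the hunk.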
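Review bot: The name `DoesCertificateHaveAnAccessiblePrivateKey` in the second hunk promises more than `certificate.HasPrivateKey` delivers. As far as I know, that property only reports that a key is associated with the certificate. It does not check that the current process identity can open the key, for example when a service account lacks read permission on a machine-store key, so a certificate can pass this filter and still fail at the first TLS handshake. Either document the limit with `/// <summary>Returns true when the certificate reports an associated private key; does not verify that this process can open it.</summary>`, or rename the helper to match what it checks. The helper is `internal`, which suggests it is meant to be unit-tested, but the diffstat shows one file changed and no test for the new filter.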