IdentityServer: The remote certificate is invalid according to the validation procedure
7

42

I'm trying to set up SSO using OWIN and Thinktecture IdentityServer but I am not having any luck getting the SSL certificate to work. At least I think that's the problem. All works fine when I'm in Visual Studio, but if I try to use IIS on my machine it gives me the error "The remote certificate is invalid according to the validation procedure". I've also tried using IIS as the client, treating the instance running in Visual Studio as the token authority, but I still get the same error. Anyone have any ideas on what I'm doing wrong?

Amon answered 19/1, 2015 at 19:34
94

In my case I was just trying to work through the samples (for IdentityServer v2) and getting the cert errors running locally. Since some samples even do self-hosting via OWIN, I'm not even sure where it's getting the certs for the host side?

Anyway my fix was to copy the cert to the Trusted Root:

  1. Windows => Start => run MMC.EXE
  2. File=> "Add/Remove Snap-In..." => Certificates
  3. Add >
  4. Use Computer Account => Local computer => Finish
  5. Ok
  6. Go under Personal / Certificates
  7. Right click "localhost", Select Copy
  8. Paste to "Trusted Root Certificate Authorities"
  9. Reboot to take effect

Done. Enjoy.

Minnie answered 25/9, 2015 at 18:13

Comments:
Thanks a lot. I was having this issue for several days. -- Wandering
For those whose MMC kept crashing when adding the snap-in, you can also try running certlm.msc and continuing at step 4. -- Kellum
You're the best, pal. -- Harwilll
And now you've got a cert with a private key in your Trusted Root. That's a security vulnerability. Better to export localhost without the private key and import that into Trusted Root. Full details here: blogs.iis.net/robert_mcmurray/… -- Kerril
This was also helpful for the error "The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot". -- Ghostwrite
The painful part is that local dev, the same project, always works, then suddenly and randomly it stops working. Your solution works, and hopefully it will solve this weird thing forever. Thanks a lot. -- Kappenne
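The MMC steps above, done in PowerShell, with the change the comment thread asks for: only the public certificate (a .cer) is copied into the trust store, so the private key stays in the Personal store. This is an added example, not code from the original answer or from IdentityServer. It assumes the IIS/IIS Express certificate sits in LocalMachine\My with Subject CN=localhost, that you run it elevated, and that the built-in PKI module (Windows 8 / Server 2012 and later) is available; the `-StoreName` parameter is mine, defaulting to Root with TrustedPeople as the other store discussed on this page.

```powershell
# Added example (not from the original answer): copy the dev certificate into a trust
# store WITHOUT its private key, then verify the result.
# Assumptions (hypothetical): cert is in LocalMachine\My, Subject CN=localhost,
# script runs from an elevated prompt, PKI module present.
#Requires -RunAsAdministrator
param(
    [string]$DnsName   = 'localhost',   # must equal the cert's "Issued To" (Subject CN)
    [string]$StoreName = 'Root'         # 'Root' = CA trust; 'TrustedPeople' = peer trust only
)

# 1. Find the newest server certificate for this name in the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$DnsName with a private key in LocalMachine\My" }
"Using $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Export the public part only. Export-Certificate writes a DER .cer and never the key;
#    Export-PfxCertificate would include the key, and a PFX is what must NOT go into Root.
$cerPath = Join-Path $env:TEMP "$DnsName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Import the .cer into the chosen trust store (MMC steps 7-8, minus the private key).
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$StoreName" | Out-Null
Remove-Item $cerPath

# 4a. Check the copy in the trust store carries no private key.
$inStore = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object Thumbprint -eq $cert.Thumbprint
if ($inStore.HasPrivateKey) {
    throw "Private key present in LocalMachine\$StoreName; delete it and re-import the .cer"
}

# 4b. Check the chain now builds for SSL use with this exact host name. A URL host that does
#     not match the Subject (https://localhost vs https://MACHINENAME) fails here as well.
#     Note: Test-Certificate uses the chain engine, which consults Root, not TrustedPeople;
#     with -StoreName TrustedPeople expect an untrusted-root result from this check.
if (Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue) {
    "OK: $DnsName chains to a trusted root and the name matches"
} else {
    "Still failing for $DnsName: check Subject/SAN, or that the import went to LocalMachine, not CurrentUser"
}
```

Run it as `.\trust-devcert.ps1` (or with `-DnsName yourmachinename` when the site is browsed by machine name). The key point is step 2: a Root store entry needs only the public certificate, and anything that can read a private key from Root can issue certificates every application on the box will trust.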
5

After spending a lot of time, the solution for me was pretty simple.

I just opened Certmgr.msc and deleted the localhost certificate from the Trusted Root Certification Authorities.

Then I opened my solution (after I had run the identity server) and clicked Run; Visual Studio asked me if I wanted to generate a new certificate for IIS Express (SSL). I clicked Yes and then it started to work properly :)

Foochow answered 11/8, 2016 at 11:48
4

That can be caused by a bad configuration of previous certificates (sometimes this happens when you decline to install a certificate):

  1. Windows Start and open Certmgr.msc
  2. Under Personal/Certificates, find all localhost certificates and delete them
  3. Do the same under Trusted Root Certification Authorities, then close.
  4. Start your application, you will get an exception.
  5. Open the Package Manager Console and execute: dotnet dev-certs https --trust
  6. Restart your application; normally you have a valid certificate now.

Maulmain answered 17/6, 2020 at 23:26
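The clean-up and regeneration above as one script, with a check before and after so nothing is deleted when the existing dev certificate is already fine. This is an added example, not code from the original answer or from the .NET SDK; it assumes the .NET Core 3.x or later SDK is on PATH (the `--check` option is not in the 2.1 SDK), that the stale certificates have Subject CN=localhost, and that the script runs elevated because it touches LocalMachine stores.

```powershell
# Added example (not from the original answer): remove stale localhost dev certs from the
# user and machine stores, then let the SDK create and trust a fresh one.
# Assumptions (hypothetical): .NET SDK 3.x+ on PATH, elevated prompt, stale certs are CN=localhost.
#Requires -RunAsAdministrator

# 0. Ask the SDK first. Exit code 0 means a valid AND trusted dev cert already exists.
dotnet dev-certs https --check --trust
if ($LASTEXITCODE -eq 0) { "Dev cert already valid and trusted; nothing to do"; return }

# 1. Steps 1-3 of the answer: delete every localhost cert from Personal and Trusted Root.
#    Both scopes are covered because IIS Express/dev-certs use CurrentUser and IIS uses LocalMachine.
$stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'
foreach ($store in $stores) {
    Get-ChildItem $store | Where-Object Subject -eq 'CN=localhost' | ForEach-Object {
        "Removing $($_.Thumbprint) from $store (expires $($_.NotAfter))"
        Remove-Item $_.PSPath -DeleteKey   # -DeleteKey also removes the orphaned private key
    }
}

# 2. Let the SDK forget its own tracked cert, then generate a new one and trust it
#    (step 5 of the answer; --trust pops the Windows trust dialog, answer Yes).
dotnet dev-certs https --clean
dotnet dev-certs https --trust

# 3. Verify again; a non-zero exit code means the new cert exists but is not trusted,
#    which is exactly the "remote certificate is invalid" situation in the question.
dotnet dev-certs https --check --trust
if ($LASTEXITCODE -ne 0) { throw "Dev cert still not trusted; re-run 'dotnet dev-certs https --trust' and accept the prompt" }
"Fresh dev cert created and trusted; restart the application"
```

Running `--check --trust` before the deletions is the part to keep: it turns a "delete everything and hope" procedure into one that only acts when the SDK itself reports the certificate as missing or untrusted.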
3

You need to add whatever certificate IIS is using to your Trusted Root Certification Authorities store on your local computer.

Why answered 23/7, 2015 at 18:12
3

Sometimes it doesn't work even though the above settings were done and you have given the URL as "https://localhost"; instead give the URL as "https://MachineName", i.e. the machine name should match the certificate's "Issued To" value.

Arlettearley answered 23/5, 2017 at 16:25
2

Adding the certificate to the Trusted People store should be enough, according to the readme file in the examples provided by the authors.

In a production scenario it is better because the Root store is for CAs, and when you add something there, that authority is not only trusted, but any certificate signed by it is automatically trusted as well.

You can check this and further details in the Microsoft reference. An extract of the two stores' short descriptions:
Root: Certificate store for trusted root certification authorities (CAs).
TrustedPeople: Certificate store for directly trusted people and resources.

P.S.: I tested it and it works. In my scenario I have IS on machine A and a set of web applications using IS on machines A and B. The IIS certificate on machine B is different from the one used on A and by IS, but I just added it to machine B's Trusted People store and the "certificate error" disappeared.

Sailing answered 12/5, 2016 at 8:2
-1

For .NET Core, change TrustServerCertificate=False to TrustServerCertificate=True and that will solve your problem, as I have it below.

"DataConnect": "Server=tcp:127.0.0.1,1433;Initial Catalog=dbName;Persist Security Info=False;User ID=username;Password=password;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;"
Basting answered 10/9, 2018 at 4:8

© 2022 - 2024 — McMap. All rights reserved.