Apart from the prerequisites listed here for Orchestrator installation, Identity Server needs the following:

Certificates

Identity Server requires 2 valid certificates:

• A certificate for the HTTPS protocol.
• A certificate used to sign the tokens generated by the Identity Server.

🚧

Important!

For security reasons, the certificate used by the Identity Server needs to:
have a public key on 2048 bits
have a private key accessible by the AppPool user,
be in its validity period (not expired).

The certificate's location is set in Identity Server's configuration file appsettings.Production.json, in the Signing Credential section.

If a self-signed certificate is used, this must also be placed in the Trusted Root Certification Authority certificate store (besides the usual Personal location).

The certificate is used for signing OpenID access tokens that are used for user identification via browser and for service-to-service communication between Orchestrator and Identity Server. Click here for more details about OpenID Connect.