HTTPS with Kestrel running as service account

Am I missing a step somewhere with the default MSI install and running as a non-administrator service account? HTTPS setup is a bear in this configuration, you have to hunt down and give the service account access to the certificate if it’s in the local computer store (as most certs are in Windows by default). Does anyone have a cleaner way to do this short of granting the service account console local login rights and having the cert issued to its personal store? I wound up just exporting my cert to a PFX and using it that way, but that means you’re stuck having a password in plain text.

@alexk Yep. As you mentioned, you can also reference the cert files directly. You don’t have to have the cert in a single PFX file with the private key password listed anywhere, though; you can also have the cert be in separate files (the cert and key being in separate files).

For example:

  "Kestrel": {
    "Endpoints": {
      "HttpsFromPem": {
        "Url": "https://*:443",
        "Certificate": {
          "Path": "C:\\Certs\\cert.pem",
          "KeyPath": "C:\\Certs\\key.pem",
          "AllowInvalid": "true"
        }
      }
    },
    "RedirectToHttps": "true"
  }

Note the different name for the endpoint in this configuration, too - it’s HttpsFromPem and not HTTPS.
If you’re interested in doing it this way, just export the parts of the PFX into separate files (the cert into one file and the private key into a separate file), drop them into a folder the user account has read access to, and edit the paths into the appsettings.json file located at (by default) C:\ProgramData\PowerShellUniversal\appsettings.json

You can read more about the different methods supported and how to configure each at the PowerShell Universal Hosting page.
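
One way to set up the "folder the user account has read access to" step from the reply above, as an added example that is not part of the original posts or PowerShell Universal's own tooling: it removes inherited permissions from C:\Certs, grants the service account read-only access, and then reports any other identity that can still read key.pem. The account name CONTOSO\svc-psu is a placeholder, and the script assumes an elevated session with cert.pem and key.pem already in place.

```powershell
# Added example: restrict C:\Certs so only the service account can read the key.
$certDir    = 'C:\Certs'           # folder used in the appsettings.json above
$svcAccount = 'CONTOSO\svc-psu'    # placeholder: your PowerShell Universal service account

$sidType = [System.Security.Principal.SecurityIdentifier]
$wanted  = [ordered]@{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    $svcAccount              = 'Read'
}

# Start from the current ACL, stop inheriting from the parent, drop explicit entries.
$acl = Get-Acl -LiteralPath $certDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Add the explicit entries; they are inherited by files and subfolders.
foreach ($id in $wanted.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $wanted[$id], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $certDir -AclObject $acl

# Audit: a file moved in from elsewhere can carry its own ACEs, so check the key itself.
$allowedSids = $wanted.Keys | ForEach-Object {
    ([System.Security.Principal.NTAccount]$_).Translate($sidType).Value
}
$keyAcl = Get-Acl -LiteralPath (Join-Path $certDir 'key.pem')
$extra  = $keyAcl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowedSids
}

if ($extra) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
    Write-Warning 'key.pem is accessible to identities other than those in $wanted.'
} else {
    Write-Output 'key.pem: only SYSTEM, Administrators and the service account have access.'
}
```

Because key.pem holds the private key without a password, these file permissions are the only thing protecting it, so rerun the audit portion after any certificate renewal that replaces the files.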