diff --git a/src/OpenIddict.Server/OpenIddict.Server.csproj b/src/OpenIddict.Server/OpenIddict.Server.csproj
index c2a63ab2..00f1c8e5 100644
--- a/src/OpenIddict.Server/OpenIddict.Server.csproj
+++ b/src/OpenIddict.Server/OpenIddict.Server.csproj
@@ -23,6 +23,7 @@
$(DefineConstants);SUPPORTS_CERTIFICATE_GENERATION
$(DefineConstants);SUPPORTS_DIRECT_KEY_CREATION_WITH_SPECIFIED_SIZE
$(DefineConstants);SUPPORTS_ECDSA
+ $(DefineConstants);SUPPORTS_EPHEMERAL_KEY_SETS
diff --git a/src/OpenIddict.Server/OpenIddictServerBuilder.cs b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
index 3ef0d668..a67e35b4 100644
--- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs
+++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
@@ -411,7 +411,14 @@ namespace Microsoft.Extensions.DependencyInjection
/// The .
public OpenIddictServerBuilder AddEncryptionCertificate(
[NotNull] Assembly assembly, [NotNull] string resource, [NotNull] string password)
+#if SUPPORTS_EPHEMERAL_KEY_SETS
+ // Note: ephemeral key sets are currently not supported on macOS.
+ => AddEncryptionCertificate(assembly, resource, password, RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ?
+ X509KeyStorageFlags.MachineKeySet :
+ X509KeyStorageFlags.EphemeralKeySet);
+#else
=> AddEncryptionCertificate(assembly, resource, password, X509KeyStorageFlags.MachineKeySet);
+#endif
///
/// Registers a retrieved from an
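Review bot: The OS dispatch under `#if SUPPORTS_EPHEMERAL_KEY_SETS` at lines 19-22 is copied verbatim into four overloads, so the macOS caveat and the fallback policy now live in four places that have to be kept in sync by hand. Hoist it into one private helper and reduce each expression body to `=> AddEncryptionCertificate(assembly, resource, password, DefaultKeyStorageFlags);`. The helper below keeps the compile-time gating and the macOS fallback exactly as written in this hunk; the four-parameter overload it delegates to is outside the hunk.
```csharp
        public OpenIddictServerBuilder AddEncryptionCertificate(
            [NotNull] Assembly assembly, [NotNull] string resource, [NotNull] string password)
            => AddEncryptionCertificate(assembly, resource, password, DefaultKeyStorageFlags);

        // Key storage flags used by the password-only overloads: keep the private key in memory
        // where the runtime supports it and fall back to the machine key set otherwise.
#if SUPPORTS_EPHEMERAL_KEY_SETS
        // Note: ephemeral key sets are currently not supported on macOS.
        private static X509KeyStorageFlags DefaultKeyStorageFlags
            => RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ?
                X509KeyStorageFlags.MachineKeySet :
                X509KeyStorageFlags.EphemeralKeySet;
#else
        private static X509KeyStorageFlags DefaultKeyStorageFlags => X509KeyStorageFlags.MachineKeySet;
#endif
```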
@@ -458,7 +465,14 @@ namespace Microsoft.Extensions.DependencyInjection
/// The password used to open the certificate.
/// The .
public OpenIddictServerBuilder AddEncryptionCertificate([NotNull] Stream stream, [NotNull] string password)
+#if SUPPORTS_EPHEMERAL_KEY_SETS
+ // Note: ephemeral key sets are currently not supported on macOS.
+ => AddEncryptionCertificate(stream, password, RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ?
+ X509KeyStorageFlags.MachineKeySet :
+ X509KeyStorageFlags.EphemeralKeySet);
+#else
=> AddEncryptionCertificate(stream, password, X509KeyStorageFlags.MachineKeySet);
+#endif
///
/// Registers a extracted from a
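Review bot: The password-only overload at line 31 now chooses the key storage flags on the caller's behalf, but the XML documentation (the `<param>`/`<returns>` lines at 29-30; the summary is above the hunk) says nothing about the PKCS#12 private key being loaded as an ephemeral key set where supported and as a machine key set on macOS or on builds without `SUPPORTS_EPHEMERAL_KEY_SETS`. That is an observable change for anyone who previously found the key persisted in the Windows machine key container, and it is the security-relevant property of this overload. Add a `<remarks>` block stating that the private key is kept in memory only (`X509KeyStorageFlags.EphemeralKeySet`) on platforms that support it, that macOS falls back to `X509KeyStorageFlags.MachineKeySet`, and that callers who need a specific storage policy should use the overload that takes `X509KeyStorageFlags` explicitly.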
@@ -856,7 +870,14 @@ namespace Microsoft.Extensions.DependencyInjection
/// The .
public OpenIddictServerBuilder AddSigningCertificate(
[NotNull] Assembly assembly, [NotNull] string resource, [NotNull] string password)
+#if SUPPORTS_EPHEMERAL_KEY_SETS
+ // Note: ephemeral key sets are currently not supported on macOS.
+ => AddSigningCertificate(assembly, resource, password, RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ?
+ X509KeyStorageFlags.MachineKeySet :
+ X509KeyStorageFlags.EphemeralKeySet);
+#else
=> AddSigningCertificate(assembly, resource, password, X509KeyStorageFlags.MachineKeySet);
+#endif
///
/// Registers a retrieved from an
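Review bot: The comment at line 47 says ephemeral key sets are not supported on macOS but not what goes wrong without the fallback, so a later reader cannot tell whether dropping the ternary would be a silent no-op or an import failure. If the macOS import rejects the flag at load time (the .NET macOS implementation throws `PlatformNotSupportedException` for `EphemeralKeySet` as far as I recall — confirm against the targeted runtime), say so: `// Note: X509KeyStorageFlags.EphemeralKeySet is rejected by the macOS PKCS#12 import, so fall back to MachineKeySet there.` It is also worth stating why both guards are needed, since the `#if` constant is per target framework while the `RuntimeInformation` check is per OS: `// Compile-time guard: the flag exists on this TFM; runtime guard: the OS honors it.`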
@@ -903,7 +924,14 @@ namespace Microsoft.Extensions.DependencyInjection
/// The password used to open the certificate.
/// The .
public OpenIddictServerBuilder AddSigningCertificate([NotNull] Stream stream, [NotNull] string password)
+#if SUPPORTS_EPHEMERAL_KEY_SETS
+ // Note: ephemeral key sets are currently not supported on macOS.
+ => AddSigningCertificate(stream, password, RuntimeInformation.IsOSPlatform(OSPlatform.OSX) ?
+ X509KeyStorageFlags.MachineKeySet :
+ X509KeyStorageFlags.EphemeralKeySet);
+#else
=> AddSigningCertificate(stream, password, X509KeyStorageFlags.MachineKeySet);
+#endif
///
/// Registers a extracted from a
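Review bot: Switching the default for the `Stream` overload at line 59 to `EphemeralKeySet` means the signing key is no longer written to a persisted key container on Windows, which is the right default for a key loaded from a stream, but it also narrows what the resulting `X509Certificate2` can be used for. As far as I know, on Windows a certificate with an ephemeral key cannot be added to an `X509Store` and is rejected by SChannel, so a caller that also hands the same instance to `SslStream`/Kestrel TLS would now fail where `MachineKeySet` worked — verify whether any documented scenario shares one certificate between token signing and TLS. If none does, record the trade-off next to the macOS note: `// Ephemeral keys are never persisted to a key container, but on Windows they cannot be added to an X509Store or used by SChannel; use the X509KeyStorageFlags overload if that is required.`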