Fix: Validate SSL certificate private key access at server startup

**Problem**: Akka.Remote server starts successfully even when the application
lacks permissions to access the SSL certificate's private key. The server appears
healthy but fails when clients attempt to connect, making issues hard to diagnose.

**Root Cause**: Certificate loading in DotNettyTransportSettings only validates
that the certificate EXISTS in the Windows certificate store, not whether the
application can ACCESS the private key. Private key access is checked separately
by Windows ACL, which can fail even when Certificate.HasPrivateKey returns true.

**Solution**:
1. Add ValidateCertificate() method to SslSettings class that:
   - Checks Certificate.HasPrivateKey
   - Actually tests private key access with GetRSAPrivateKey() (not just presence)
   - Throws ConfigurationException with clear error message on failure

2. Call validation in Listen() method before server socket binds:
   - Ensures fail-fast behavior at startup
   - Prevents server from running in broken state
   - Provides clear error message for administrators

3. Add comprehensive tests:
   - Server should fail at startup with inaccessible private key
   - Server should start successfully with valid certificate
   - Server should start successfully without SSL

**Impact**:
- Existing misconfigured deployments will now fail at startup (correct behavior)
- Clear error messages guide administrators to fix permissions
- No breaking changes for correctly configured systems
- Related to Freshdesk akkadotnet#538 (BNSF Railway)

Fixes akkadotnet#538

Author: Aaronontheweb

src/core/Akka.Remote.Tests/Transport/DotNettyCertificateValidationSpec.cs

@@ -0,0 +1,132 @@
+//-----------------------------------------------------------------------
+// <copyright file="DotNettyCertificateValidationSpec.cs" company="Akka.NET Project">
+//     Copyright (C) 2009-2022 Lightbend Inc. <http://www.lightbend.com>
+//     Copyright (C) 2013-2025 .NET Foundation <https://github.com/akkadotnet/akka.net>
+// </copyright>
+//-----------------------------------------------------------------------
+
+using System;
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+using Akka.Actor;
+using Akka.Configuration;
+using Akka.TestKit;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Akka.Remote.Tests.Transport
+{
+    /// <summary>
+    /// Tests that SSL certificate validation happens at startup, not during runtime.
+    /// This ensures fail-fast behavior when certificates are misconfigured.
+    /// </summary>
+    public class DotNettyCertificateValidationSpec : AkkaSpec
+    {
+        private const string ValidCertPath = "Resources/akka-validcert.pfx";
+        private const string Password = "password";
+        private static readonly string NoKeyCertPath = Path.Combine("Resources", "validation-no-key.cer");
+
+        public DotNettyCertificateValidationSpec(ITestOutputHelper output) : base(ConfigurationFactory.Empty, output)
+        {
+        }
+
+        private static Config CreateConfig(bool enableSsl, string certPath, string certPassword)
+        {
+            var baseConfig = ConfigurationFactory.ParseString(@"akka {
+                loglevel = DEBUG
+                actor.provider = ""Akka.Remote.RemoteActorRefProvider,Akka.Remote""
+                remote.dot-netty.tcp {
+                    port = 0
+                    hostname = ""127.0.0.1""
+                    enable-ssl = " + (enableSsl ? "on" : "off") + @"
+                    log-transport = off
+                }
+            }");
+
+            if (!enableSsl || string.IsNullOrEmpty(certPath))
+                return baseConfig;
+
+            var escapedPath = certPath.Replace("\\", "\\\\");
+            var ssl = $@"akka.remote.dot-netty.tcp.ssl {{
+                suppress-validation = on
+                certificate {{
+                    path = ""{escapedPath}""
+                    password = ""{certPassword ?? string.Empty}""
+                }}
+            }}";
+            return baseConfig.WithFallback(ssl);
+        }
+
+        private static void CreateCertificateWithoutPrivateKey()
+        {
+            var fullCert = new X509Certificate2(ValidCertPath, Password, X509KeyStorageFlags.Exportable);
+            var publicKeyBytes = fullCert.Export(X509ContentType.Cert);
+            var dir = Path.GetDirectoryName(NoKeyCertPath);
+            if (!string.IsNullOrEmpty(dir) && !Directory.Exists(dir))
+                Directory.CreateDirectory(dir);
+            File.WriteAllBytes(NoKeyCertPath, publicKeyBytes);
+        }
+
+        [Fact]
+        public void Server_should_fail_at_startup_with_certificate_without_private_key()
+        {
+            CreateCertificateWithoutPrivateKey();
+
+            try
+            {
+                // Server with cert that has no private key should FAIL TO START
+                var serverConfig = CreateConfig(true, NoKeyCertPath, null);
+
+                // This should throw an exception during ActorSystem.Create (wrapped in AggregateException)
+                var aggregateEx = Assert.Throws<AggregateException>(() =>
+                {
+                    using var server = ActorSystem.Create("ServerSystem", serverConfig);
+                });
+
+                // Unwrap the inner exception
+                var innerEx = aggregateEx.InnerException ?? aggregateEx;
+                while (innerEx is AggregateException agg && agg.InnerException != null)
+                    innerEx = agg.InnerException;
+
+                // Should be ConfigurationException about private key
+                Assert.IsType<ConfigurationException>(innerEx);
+                Assert.Contains("private key", innerEx.Message, StringComparison.OrdinalIgnoreCase);
+            }
+            finally
+            {
+                try
+                {
+                    if (File.Exists(NoKeyCertPath))
+                        File.Delete(NoKeyCertPath);
+                }
+                catch { /* ignore */ }
+            }
+        }
+
+        [Fact]
+        public void Server_should_start_successfully_with_valid_certificate()
+        {
+            // Server with valid cert should start normally
+            var serverConfig = CreateConfig(true, ValidCertPath, Password);
+
+            using var server = ActorSystem.Create("ServerSystem", serverConfig);
+            InitializeLogger(server);
+
+            // Server should be running
+            Assert.False(server.WhenTerminated.IsCompleted);
+        }
+
+        [Fact]
+        public void Server_should_start_successfully_without_ssl()
+        {
+            // Server without SSL should start normally
+            var serverConfig = CreateConfig(false, null, null);
+
+            using var server = ActorSystem.Create("ServerSystem", serverConfig);
+            InitializeLogger(server);
+
+            // Server should be running
+            Assert.False(server.WhenTerminated.IsCompleted);
+        }
+    }
+}

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransport.cs

@@ -180,6 +180,13 @@ protected async Task<IChannel> NewServer(EndPoint listenAddress)
 
         public override async Task<(Address, TaskCompletionSource<IAssociationEventListener>)> Listen()
         {
+            // Validate SSL certificate before starting server
+            // This ensures fail-fast behavior if private key is inaccessible
+            if (Settings.EnableSsl)
+            {
+                Settings.Ssl.ValidateCertificate();
+            }
+
             EndPoint listenAddress;
             if (IPAddress.TryParse(Settings.Hostname, out var ip))
                 listenAddress = new IPEndPoint(ip, Settings.Port);

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransportSettings.cs

@@ -342,6 +342,48 @@ public SslSettings(X509Certificate2 certificate, bool suppressValidation)
             SuppressValidation = suppressValidation;
         }
 
+        /// <summary>
+        /// Validates that the SSL certificate has an accessible private key.
+        /// Should be called before starting the server to ensure proper TLS configuration.
+        /// </summary>
+        /// <exception cref="ConfigurationException">
+        /// Thrown when certificate lacks private key or application cannot access it.
+        /// </exception>
+        public void ValidateCertificate()
+        {
+            if (Certificate == null)
+                return; // No SSL configured
+
+            if (!Certificate.HasPrivateKey)
+            {
+                throw new ConfigurationException(
+                    "SSL certificate does not have a private key. " +
+                    "Ensure certificate is installed with private key permissions.");
+            }
+
+            // Actually test private key access (not just presence)
+            try
+            {
+                using (var rsa = Certificate.GetRSAPrivateKey())
+                {
+                    if (rsa == null)
+                    {
+                        throw new ConfigurationException(
+                            "Cannot access private key for SSL certificate. " +
+                            "Verify application has permissions to the certificate's private key.");
+                    }
+                    // Successfully accessed private key - validation passed
+                }
+            }
+            catch (System.Security.Cryptography.CryptographicException ex)
+            {
+                throw new ConfigurationException(
+                    "SSL certificate private key exists but cannot be accessed. " +
+                    "Verify application user has permissions to the private key in certificate store. " +
+                    $"Error: {ex.Message}", ex);
+            }
+        }
+
         private SslSettings(string certificateThumbprint, string storeName, StoreLocation storeLocation, bool suppressValidation)
         {
             using var store = new X509Store(storeName, storeLocation);