What is the certificate required for?

Question

I understand very well the purpose of certificates: both in a general case and in the specific usage for token creation under IDS. When I wire up my IDP like this:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddSigningCredential(new X509Certificate2(path, pass));

or this:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddDeveloperSigningCredential();

I get it to work (both dev creds and sign creds work). Accidentally, I commented out both of them, effectively applying the following config.

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config));

I had been expecting no tokens, invalid tokens, crashes, exceptions and what not. Instead, everything works smoothly and I see no evident problems.

Now, that can't be right, obviously. What am I missing, and what bad thing have I caused by omitting the credentials?!

Answer 1

Score: 1

What happens, I think, is that the built-in automatic key manager kicks in and generates the keys for you.

You can verify this because this module creates a subfolder in the ~/keys directory.

See the documentation here about the Automatic Key Management.

It can be disabled here:

AddSigningCredential is used to add a custom signing key and AddDeveloperSigningCredential is used to let IdentityServer generate a test key for development.
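The answer's point, as an added example that is not from the question or answer author: a Program.cs for Duende IdentityServer (the version that ships automatic key management) which switches the automatic key manager off and, at startup, checks that the key that will sign tokens is the certificate you intended rather than a developer or auto-generated key. `Delegates.ConfigOptions` and `Delegates.OperationOptions` are the question's own helpers; the `Signing:*` configuration keys and the startup check are assumptions.

```csharp
// Program.cs (ASP.NET Core minimal hosting, Duende IdentityServer)
using System.Security.Cryptography.X509Certificates;
using Duende.IdentityServer.Services;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

// Hypothetical settings: path and password of the signing certificate and the
// thumbprint you expect it to have. They live in configuration, not in code.
var certPath = config["Signing:Path"]!;
var certPass = config["Signing:Password"];
var expectedThumbprint = config["Signing:Thumbprint"]!;

builder.Services.AddIdentityServer(options =>
    {
        // The question's "accidental" config relied on this default being true:
        // with no credential registered, IdentityServer generates and rotates
        // its own keys. Turn it off when you manage the key yourself, so a
        // forgotten AddSigningCredential cannot be papered over silently.
        options.KeyManagement.Enabled = false;
    })
    .AddConfigurationStore(Delegates.ConfigOptions(config))   // helpers from the question
    .AddOperationalStore(Delegates.OperationOptions(config))
    .AddSigningCredential(new X509Certificate2(certPath, certPass));

var app = builder.Build();
// Startup check: the key that will sign tokens must be the certificate you
// intended, not a developer key or an auto-generated one. Anything else aborts
// startup instead of issuing tokens under a key nobody provisioned.
using (var scope = app.Services.CreateScope())
{
    var keyService = scope.ServiceProvider.GetRequiredService<IKeyMaterialService>();
    var signingKeys = (await keyService.GetAllSigningCredentialsAsync())
        .Select(c => c.Key).ToList();

    var ok = signingKeys.Any(k => k is X509SecurityKey x509 &&
        string.Equals(x509.Certificate.Thumbprint, expectedThumbprint,
                      StringComparison.OrdinalIgnoreCase));
    if (!ok)
    {
        var found = string.Join(", ", signingKeys.Select(k => $"{k.GetType().Name}:{k.KeyId}"));
        throw new InvalidOperationException(
            $"Unexpected signing key(s) [{found}]; expected X509 thumbprint {expectedThumbprint}");
    }
}

app.UseIdentityServer();
app.Run();
```

With the check in place, the misconfiguration from the question (both credential lines commented out) stops the process at startup with the list of keys actually registered, instead of quietly issuing tokens under keys written to ~/keys.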

huangapple
  • Posted on 2023-02-19 00:53:32
  • Please keep this link when reposting: https://go.coder-hub.com/75494873.html