How to create a signing certificate and use it in IdentityServer4 in production?

拈花ヽ惹草 submitted on 2021-02-05 13:15:43

Question


Most (all?) the sample code on the IdentityServer4 docs site uses AddDeveloperSigningCredential(), but recommends using AddSigningCredential() instead in production. I spent more hours than I care to think about trying to figure out how to do that.

How do I create a signing certificate and use it in IdentityServer4 in production?


Answer 1:


Create certificate and add to machine's certificate store

I decided to create a certificate and add it to the machine's certificate store. Brock Allen has a 2015 blog post here describing how to create the certificate using MakeCert. However according to the Microsoft MakeCert documentation it is now deprecated. So I decided to use the PowerShell New-SelfSignedCertificate applet instead (MS docs). I translated Brock's MakeCert command to use the New-SelfSignedCertificate parameters and ended up with this PowerShell command:

    New-SelfSignedCertificate -KeyExportPolicy Exportable -Subject "CN=MyIdsvCertificate" -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation "cert:\LocalMachine\My"

If you want to check the certificate has been installed correctly, from the Run prompt launch "mmc", go to File, "Add/Remove Snap-in", select "Certificates", click Add, select "Computer account", Next, "Local computer", Finish, OK. Then browse to Certificates\Personal\Certificates, there should be one issued to MyIdsvCertificate.

Grant permissions on the certificate

Once the certificate has been created you need to grant read permission to whatever Windows identity is running IIS (or whatever is serving your IdentityServer app), otherwise you get a "Keyset does not exist" error when IdentityServer tries to use the key. To do this, locate the folder %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys, find the file with a timestamp matching the time you created the certificate, then grant read access (no need for anything else) to the Windows identity running IIS. This issue is discussed on the IdentityServer4 GitHub Issues forum and explained by Brock Allen and Dominick Baier. If you're a genius like Brock or Dominick then that explanation might have been enough, but dummies like me might find the clearer explanation and solution provided to a very similar issue on the Microsoft Support site more useful.

Tell IdentityServer to use the certificate

The hard work is now done. All that remains is to tell IdentityServer to use the certificate when not in development:

    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        // Configure some awesome services
        // ...

        var identityServer = services.AddIdentityServer(...options...)...AddStuff()...;

        if (_env.IsDevelopment())
        {
            identityServer.AddDeveloperSigningCredential();
        }
        else
        {
            identityServer.AddSigningCredential("CN=MyIdsvCertificate");
        }

        // ...
        // Configure more awesome services
        // ...
    }

Note that the "CN=" bit is required in the call to AddSigningCredential(), that cost me some time too. I actually get the name from a config file at runtime, but we don't need to go into those details here.
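The three steps in the answer above (create the certificate, grant the private-key file to the identity that runs the site, confirm the key is usable) as one PowerShell script. This is an added example, not code from the answer or from IdentityServer4. It assumes, as a hypothetical, that the site runs in an IIS application pool named "IdSvr" (so its identity is "IIS AppPool\IdSvr" and that pool already exists), and that the script runs from an elevated prompt on the server. Rather than matching timestamps in the MachineKeys folder by hand, it asks the certificate object for its key container name and searches both the CAPI (Crypto\RSA\MachineKeys) and CNG (Crypto\Keys) locations, since New-SelfSignedCertificate may put the key in either depending on the provider.

```powershell
# Added example (not from the original answer or IdentityServer4).
# Assumptions: IIS app pool "IdSvr" exists (hypothetical name), run as Administrator.

$subject   = "CN=MyIdsvCertificate"
$appPoolId = "IIS AppPool\IdSvr"   # hypothetical app pool identity

# 1. Create the signing certificate in the machine store. -KeySpec Signature
#    restricts the key to signing; -NotAfter makes the lifetime an explicit
#    choice instead of the one-year default, so rotation can be planned.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\LocalMachine\My"
Write-Host "Created $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"

# 2. Locate the private-key file via the certificate's key container name.
#    CAPI keys (RSACryptoServiceProvider) live under Crypto\RSA\MachineKeys,
#    CNG keys (RSACng) under Crypto\Keys, so search the whole Crypto tree.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFileName = $rsa.Key.UniqueName
} else {
    $keyFileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyFileName |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyFileName' not found under $env:ProgramData\Microsoft\Crypto" }

# Grant Read only. IdentityServer needs to load and use the key, never to
# change it; anything broader would let a compromised site replace the
# signing key.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($appPoolId, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 3. Verify. The signature round trip runs as the current (admin) user, so it
#    only proves the key itself works; the ACL check is what proves the site
#    identity will not hit "Keyset does not exist".
$payload   = [System.Text.Encoding]::UTF8.GetBytes("signing check")
$signature = $rsa.SignData($payload,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
if (-not $rsa.VerifyData($payload, $signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)) {
    throw "Signature round trip failed"
}

$entry = (Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $appPoolId -and $_.FileSystemRights -match "Read" }
if (-not $entry) { throw "$appPoolId has no Read entry on $($keyFile.FullName)" }
Write-Host "OK: $appPoolId can read $($keyFile.FullName)"
```

Run it once per server from an elevated PowerShell prompt; Set-Acl fails with an identity-translation error if the app pool does not exist yet, so create the pool first. The C# side of the answer is unchanged: AddSigningCredential("CN=MyIdsvCertificate") will find this certificate by subject in the LocalMachine\My store. Because the certificate is self-signed, nothing checks its chain; clients obtain the public key from the discovery document, so what matters is the key length, the hash algorithm and rotating the certificate before NotAfter.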



Source: https://stackoverflow.com/questions/58136779/how-to-create-a-signing-certificate-and-use-it-in-identityserver4-in-production
