
How to configure key settings for IdentityServer in appsettings.json for aspnet core app running on IIS

I created the template Angular / ASP.NET Core with authorisation support using this command:

dotnet new angular --auth Individual

This is an:

  • ASP.NET Core 3.0 App with
  • ASP.NET Core Identity for authenticating and storing users,
  • IdentityServer4 for implementing Open ID Connect,
  • Angular SPA,

All pre-configured to work together.

Before I deploy my app based on this template, I'm trying to first deploy this template app to IIS.

I've deployed the app to IIS and have a database setup and the app connected to it just fine, but I'm stuck. I am not sure how to create and configure the production certificate to use for signing tokens.

At this point in the Microsoft docs it briefly mentions "A production certificate to use for signing tokens." and gives an example for deployment to Azure.

How do I create the key in IIS? Do you do something here? IIS Server Certificate

Then how do I add the correct settings to appsettings.json?

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "CurrentUser",
    "Name": "CN=MyApplication"
  }
}

I'm struggling to find any guides or examples on the net, any help or point in the right direction would be appreciated.

marno11 asked Jul 29 '19 01:07


3 Answers

I also found that the documentation is not comprehensive enough. I managed to deploy an Angular app to Azure. I'm not sure if it is similar to the deployment to IIS, but maybe this could help you to find the solution for your problem.

Deployment to Azure:

First you have to upload the (self-signed) certificate (.pfx) to the Azure App Service. I used this guide to create the self-signed certificate.

upload certificate image

You also have to make the certificate available by adding the thumbprint to the application settings. See image.

Adding Certificate thumbprint to app service

Don't forget to update your appsettings.json so your app can access the certificate from the previous step.

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "CurrentUser",
    "Name": "CN=yourApp-domain.com"
  }
}

If you encounter a problem, change the environment variable in the App Service to "Development" to see detailed information about the error, like this.

change environment variable

Syarif Mathis answered Oct 06 '22 15:10


For now I have worked around this problem by exporting the certificate to a file. Under Server Certificates in IIS you can right-click a certificate and export it.

Then you can configure the key parameters in appsettings.json to reference a file like so:

"Key": {
  "Type": "File",
  "FilePath": "..\\test.pfx",
  "Password": "Test"
}

I would still like to reference a store certificate.

marno11 answered Oct 06 '22 15:10


So this should be fairly straightforward to configure for development purposes. In IIS you can issue yourself a self-signed certificate, which will naturally only be valid on your local machine.

Give it some name, and if you don't change anything else and click OK, it will by default store the generated certificate in your Personal store for LocalMachine, so the config below should work:

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "Personal",
    "StoreLocation": "LocalMachine",
    "Name": "YourName"
  }
}


It is worthwhile noting that if you try to import a certificate from somewhere else, it must have at least a 2048-bit key for Identity Server 4 purposes.

Vidmantas Blazevicius answered Oct 06 '22 15:10
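
A pre-deployment check for the store-based "Key" settings discussed above, added here as an example (it is not from any of the answers or from the template). It looks up the certificate the settings name and reports whether it has a private key, meets the 2048-bit minimum mentioned in the last answer, and is inside its validity period. The function name Test-IdentityServerKey, the embedded JSON and the exact subject match are assumptions of this example.

```powershell
# Constructed sample: a Key section shaped like the ones on this page.
$json = @'
{ "IdentityServer": { "Key": { "Type": "Store", "StoreName": "My",
    "StoreLocation": "LocalMachine", "Name": "CN=MyApplication" } } }
'@

# Hypothetical helper (not part of the template or of IdentityServer4).
function Test-IdentityServerKey {
    param([Parameter(Mandatory)] $Key, [int] $MinBits = 2048)

    if ($Key.Type -ne 'Store') { throw "This check only handles Type 'Store'." }

    # CurrentUser resolves to the account running this script, so run it as the
    # application pool's account when that location is configured.
    $storePath = "Cert:\$($Key.StoreLocation)\$($Key.StoreName)"
    if (-not (Test-Path $storePath)) { throw "Store $storePath does not exist." }

    $now = Get-Date
    # Assumption of this example: the certificate is selected by exact subject.
    $certs = @(Get-ChildItem $storePath | Where-Object { $_.Subject -eq $Key.Name })
    if ($certs.Count -eq 0) {
        throw "No certificate with subject '$($Key.Name)' in $storePath."
    }

    foreach ($cert in $certs) {
        # GetRSAPublicKey returns $null for non-RSA certificates.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            RsaBits       = $bits
            KeySizeOk     = ($bits -ge $MinBits)
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        }
    }
}

# In a real deployment, read the JSON with: Get-Content .\appsettings.json -Raw
$key = ($json | ConvertFrom-Json).IdentityServer.Key
Test-IdentityServerKey -Key $key | Format-Table -AutoSize
```

HasPrivateKey only shows that a private key is associated with the certificate; the account the application pool runs as still needs read permission on that key.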