
How to create a signing certificate and use it in IdentityServer4 in production?


Most (all?) the sample code on the IdentityServer4 docs site uses AddDeveloperSigningCredential(), but recommends using AddSigningCredential() instead in production. I spent more hours than I care to think about trying to figure out how to do that.

How do I create a signing certificate and use it in IdentityServer4 in production?

Rob asked Sep 27 '19 14:09



1 Answer

Create certificate and add to machine's certificate store

I decided to create a certificate and add it to the machine's certificate store. Brock Allen has a 2015 blog post here describing how to create the certificate using MakeCert. However according to the Microsoft MakeCert documentation it is now deprecated. So I decided to use the PowerShell New-SelfSignedCertificate applet instead (MS docs). I translated Brock's MakeCert command to use the New-SelfSignedCertificate parameters and ended up with this PowerShell command:

    New-SelfSignedCertificate `
        -KeyExportPolicy Exportable `
        -Subject "CN=MyIdsvCertificate" `
        -KeySpec Signature `
        -KeyAlgorithm RSA `
        -KeyLength 2048 `
        -HashAlgorithm SHA256 `
        -CertStoreLocation "cert:\LocalMachine\My"

If you want to check the certificate has been installed correctly, from the Run prompt launch "mmc", go to File, "Add/Remove Snap-in", select "Certificates", click Add, select "Computer account", Next, "Local computer", Finish, OK. Then browse to Certificates\Personal\Certificates, there should be one issued to MyIdsvCertificate.

Grant permissions on the certificate

Once the certificate has been created, you need to grant read permission to whatever Windows identity is running IIS (or whatever is serving your IdentityServer app); otherwise you get a "Keyset does not exist" error when IdentityServer tries to use the key. To do this, locate the folder %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys, find the file with a timestamp matching the time you created the certificate, then grant read access (no need for anything else) to the Windows identity running IIS. This issue is discussed on the IdentityServer4 GitHub Issues forum and explained by Brock Allen and Dominick Baier. If you're a genius like Brock or Dominick then that explanation might have been enough, but dummies like me might find the clearer explanation and solution provided to a very similar issue on the Microsoft Support site more useful.

Tell IdentityServer to use the certificate

The hard work is now done. All that remains is to tell IdentityServer to use the certificate when not in development:

    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        // Configure some awesome services
        // ...

        var identityServer = services.AddIdentityServer(...options...)...AddStuff()...;

        if (_env.IsDevelopment())
        {
            // Temporary key, regenerated on every start: fine for development only
            identityServer.AddDeveloperSigningCredential();
        }
        else
        {
            // Looks the certificate up in the LocalMachine\My store by subject distinguished name
            identityServer.AddSigningCredential("CN=MyIdsvCertificate");
        }

        // ...
        // Configure more awesome services
        // ...
    }

Note that the "CN=" bit is required in the call to AddSigningCredential(), that cost me some time too. I actually get the name from a config file at runtime, but we don't need to go into those details here.

Rob answered Sep 21 '22 03:09
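The three steps of the answer above (create the certificate, grant the web identity read access to its private key, verify the store entry that AddSigningCredential("CN=...") will look up) as one added PowerShell script. This is an added example, not Rob's own script or anything from the IdentityServer4 project. The certificate subject and the app pool identity (`IIS AppPool\IdentityServerPool`) are assumptions; change them to match your deployment. Instead of picking the key file by timestamp, it asks the certificate for its private key container name and looks for that file under both `%ProgramData%\Microsoft\Crypto\Keys` (where the default CNG key storage provider keeps machine keys) and `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` (where the legacy CSP keys named in the answer live). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original answer): create the IdentityServer4 signing
# certificate, locate its private key file, grant the app identity Read, and verify.
# ASSUMPTIONS: the subject below matches the answer; the principal is a hypothetical
# IIS app pool name. Requires an elevated (administrator) session.
#Requires -RunAsAdministrator

param(
    [string]$Subject    = 'CN=MyIdsvCertificate',            # assumed, as in the answer
    [string]$Principal  = 'IIS AppPool\IdentityServerPool',  # assumed identity running the app
    [int]   $ValidYears = 2                                  # default NotAfter is only one year
)

$ErrorActionPreference = 'Stop'

# 1. Create the certificate in the machine store. Same parameters as the answer's
#    command, plus an explicit expiry so the key does not silently lapse after a year.
$cert = New-SelfSignedCertificate `
    -Subject           $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy   Exportable `
    -KeySpec           Signature `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -HashAlgorithm     SHA256 `
    -NotAfter          (Get-Date).AddYears($ValidYears)

Write-Host "Created $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"

# 2. Find the private key file from the certificate itself rather than by timestamp.
#    CNG keys (default provider) expose Key.UniqueName; legacy CSP keys expose
#    CspKeyContainerInfo.UniqueKeyContainerName. Either is the on-disk file name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $keyName) { throw "Cannot determine the private key container name for $($cert.Thumbprint)" }

$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),            # CNG machine keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')  # legacy CSP machine keys
)
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }

# 3. Grant Read, and only Read, on the key file to the identity that runs IdentityServer.
#    This is what prevents the "Keyset does not exist" error described in the answer.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $Principal"

# 4. Verify: the store entry must be found by the exact subject DN string that
#    AddSigningCredential("CN=...") uses, and it must carry a private key.
$found = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey }
if (-not $found) { throw "No certificate with subject '$Subject' and a private key in LocalMachine\My" }

# Show the resulting ACE so the grant can be eyeballed before restarting the app pool.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After the script has run, restart the app pool so the worker process picks up the new ACL, and keep the `-KeyExportPolicy Exportable` setting only if you genuinely need to back the key up or move it between hosts; a non-exportable key is harder to steal from a compromised server.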