IdentityServer4: How to load Signing Credential from Cert Store when in Docker

We have an IdentityServer4-based STS successfully running on Windows, where the Signing Credential has been installed to the Local Computer with .pfx under Personal > Certificates, and .cer under Trusted People > Certificates. We are then able to load the Signing Credential by its Common Name as follows:

services.AddIdentityServer()
    .AddSigningCredential("CN=CERT_NAME")
    ...

We are now wanting to run our STS implementation within a Docker container, and have been running into the following exception:

Unhandled Exception: System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at IdentityModel.X509CertificatesFinder.Find(Object findValue, Boolean validOnly)
   at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderExtensionsCrypto.AddSigningCredential(IIdentityServerBuilder builder, String name, StoreLocation location, NameType nameType)

Based on the above error message, and the source for the AddSigningCredential method we're using here: https://github.com/IdentityServer/IdentityServer4/blob/ec17672d27f9bed42f9110d73755170ee9265116/src/IdentityServer4/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs#L73, it seems apparent that our issue is that IdentityServer4 is looking for the certificate in the Local Machine's Personal ("My") store; however, such a store is not available within Unix environments, as per the error message.

So, I'm curious to know if some best practice exists for loading the Signing Credential for IdentityServer4 in Docker containers, if it isn't possible to load it by name or fingerprint. Would the only option be to bundle the certificate in with our application, then load it by filename?

Asked by Sean on Apr 07 '17 19:04


1 Answer

When you use Docker containers and IdentityServer, you basically have two options:

  • Add the certificate to the container image (COPY certificate.pfx .)
  • Mount certificate to the container (-v /path/to/certificate.pfx:/certificate.pfx)

Whatever option you choose, the only thing you need is to add the following configuration code to ConfigureServices in Startup.

using System.Security.Cryptography.X509Certificates;

var identityServerBuilder = services.AddIdentityServer();
/* store configuration and etc. is omitted */
if (_hostingEnvironment.IsDevelopment())
{
    // Development only: generates a temporary signing key on first run.
    identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
    // Load the PFX from the container's file system (copied into the image or mounted).
    var certificate = new X509Certificate2("certificate.pfx", "certificate_password");
    identityServerBuilder.AddSigningCredential(certificate);
}

Also, it would be a good idea to read the certificate password from configuration, an environment variable or secrets storage.

Answered by RavingDev on Oct 22 '22 15:10
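A fuller version of the approach in the answer, as an added example that is not code from the original question, the answer, or the IdentityServer4 project: the PFX path and password are read from IConfiguration (so they can arrive as environment variables or a mounted secrets file), and the certificate is checked before it is handed to AddSigningCredential so a misconfigured container fails at startup instead of issuing unsignable tokens. The configuration keys SigningCredential:PfxPath and SigningCredential:PfxPassword and the default path /certificate.pfx are assumptions chosen for this example.

```csharp
// Added example: load the IdentityServer4 signing credential from a PFX file
// inside a Linux container. Key names below are assumptions for this example.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;
    private readonly IHostingEnvironment _hostingEnvironment;

    public Startup(IConfiguration configuration, IHostingEnvironment hostingEnvironment)
    {
        _configuration = configuration;
        _hostingEnvironment = hostingEnvironment;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var identityServerBuilder = services.AddIdentityServer();
        /* client, resource and store configuration omitted */

        if (_hostingEnvironment.IsDevelopment())
        {
            // Temporary key generated on first run; development only.
            identityServerBuilder.AddDeveloperSigningCredential();
        }
        else
        {
            identityServerBuilder.AddSigningCredential(LoadSigningCertificate());
        }
    }

    // Reads the PFX location and password from configuration. With the default
    // host builder these can be set as environment variables named
    // SigningCredential__PfxPath and SigningCredential__PfxPassword (assumed names),
    // or bound from a mounted secrets file or a secret manager provider.
    private X509Certificate2 LoadSigningCertificate()
    {
        var pfxPath = _configuration["SigningCredential:PfxPath"] ?? "/certificate.pfx";
        var pfxPassword = _configuration["SigningCredential:PfxPassword"];

        if (!File.Exists(pfxPath))
        {
            throw new FileNotFoundException(
                $"Signing certificate not found at '{pfxPath}'. COPY it into the image or mount it with -v.",
                pfxPath);
        }
        if (string.IsNullOrEmpty(pfxPassword))
        {
            throw new InvalidOperationException(
                "SigningCredential:PfxPassword is not set; supply it via an environment variable or secret store.");
        }

        // EphemeralKeySet keeps the private key in process memory instead of
        // persisting it to the per-user key store on the container's file system.
        var certificate = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.EphemeralKeySet);

        // Fail fast on a public-only or expired certificate.
        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException("Signing certificate has no private key; check that the PFX contains it.");
        }
        if (certificate.NotAfter.ToUniversalTime() < DateTime.UtcNow)
        {
            throw new InvalidOperationException($"Signing certificate expired on {certificate.NotAfter:u}.");
        }

        return certificate;
    }
}
```

With the assumed key names, the mount option from the answer becomes something like `docker run -v /path/to/certificate.pfx:/certificate.pfx -e SigningCredential__PfxPassword=... image`, with the password coming from the orchestrator's secret mechanism rather than a command line or image layer. EphemeralKeySet is chosen here for the Linux container case; on Windows hosts it has restrictions with some consumers of the key, so the default flags from the answer may be the better fit there.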