Does the certificate used for signing tokens in IdentityServer4 have to be from a trusted CA in production?
My admittedly limited understanding is that it doesn't. But I can't seem to find a definitive answer either way.
And the obvious follow-up is, should it be from a trusted CA?
Updating the Identity Signing Certificate: open the Manage Computer Certificates app (Start -> Run -> type certlm.msc -> OK). Go to the Personal node and locate the certificate. Open the certificate, go to the 'Details' tab and get the thumbprint.
OpenID Connect does not mandate the usage of X509 certificates at all - you could also use raw RSA or EC keys.
If you want to use X509 you can self-sign them. Most libraries only check if the public key in the discovery document can be used to validate the token.
Some libraries allow additional checks on the certificate - and some environments mandate such checks.
But generally speaking - CA-issued certs are not necessary.
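To make the answer concrete, here is an added example (not code from the original post or from the IdentityServer4 project) of configuring IdentityServer4 with either a self-signed certificate from the machine store or a raw RSA key. The `SigningKeySetup` class, the thumbprint placeholder and the key id `ids-key-1` are assumptions for illustration; the `X509Store`, `SigningCredentials` and `AddSigningCredential` calls are the real APIs.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper class; not part of IdentityServer4.
public static class SigningKeySetup
{
    // Option 1: a self-signed X509 certificate installed in the machine store.
    // The thumbprint is a placeholder; read the real one from the certificate's Details tab.
    public static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        // validOnly must be false: with validOnly == true, Find() drops any certificate
        // that fails chain validation, so a self-signed certificate would never be returned.
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);

        if (matches.Count == 0)
            throw new InvalidOperationException("Signing certificate not found in LocalMachine\\My");

        return matches[0];
    }

    // Option 2: a raw RSA key with no certificate at all. The key id ends up as "kid"
    // in the discovery document's JWKS, which is what token validators match against.
    public static SigningCredentials RawRsaCredentials(RSA rsa, string keyId)
    {
        var key = new RsaSecurityKey(rsa) { KeyId = keyId };
        return new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
    }

    public static void ConfigureServices(IServiceCollection services, bool useCertificate)
    {
        var builder = services.AddIdentityServer();

        if (useCertificate)
            builder.AddSigningCredential(LoadSigningCertificate("THUMBPRINT-PLACEHOLDER"));
        else
            builder.AddSigningCredential(RawRsaCredentials(RSA.Create(2048), "ids-key-1"));
    }
}
```

Whichever option is used, the key material must be persisted and shared across restarts and instances; a fresh `RSA.Create()` on every start would rotate the key and invalidate every token issued before it.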