处理Identity Server客户端凭据流时在自签名客户端证书中出现问题

Question

I created a Self Signed Certificate for my internal development purpose using MakeCert.exe

Step #1 : I Created a Root CA using the following Command

makecert -n "CN=Bala root signing authority" -cy authority -r -sv root.pvk root.cer

Step #2 : Installed the Root CA Certificate which is created in Step #1 using the following Command

certutil -user -addstore Root root.cer

Step #3 : I Created a Client Certificate using the following Command

makecert -pe -n "CN=Bala Client" -a sha1 -cy end ^ -sky signature ^ -ic root.cer -iv root1.pvk ^ -sv Bala.pvk Bala.cer

Step #4 : I Created a .pfx file for the respective Client Certificate using the following command

pvk2pfx -pvk Bala.pvk -spc Bala.cer -pfx Bala.pfx

The Root CA namely "CN=Bala root signing authority" has all intended purpose and its installed in Trusted Root Certification Authorities

Snapshot of Root CA Certificate : "CN=Bala root signing authority"

Snapshot of Client Certificate : "CN=Bala Client"

The Client Certificate has a ThumbPrint: "83021C2C20096FFD8415A353E471FF1BD39ECA4E"

Kindly look at the snapshot:

I'm having a Client in my IdentityServer3 and I used the Same thumbprint "83021C2C20096FFD8415A353E471FF1BD39ECA4E"

new Client
{
    ClientName = "Client Credentials Flow Client With Certificate",
    Enabled = true,
    ClientId = "cc.WithCertificate",
    Flow = Flows.ClientCredentials,

    ClientSecrets = new List<Secret>
        {
            new Secret
            {
                Value = "83021C2C20096FFD8415A353E471FF1BD39ECA4E",
                Type = Constants.SecretTypes.X509CertificateThumbprint,
                Description = "Client Certificate"
            },
        },

    AllowedScopes = new List<string>
        {
            "read"
        }
}

The Client Console Application Code is

var cert = new X509Certificate2(@"Bala.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

Response Object's Snapshot:

Once I execute the code I'm getting the response with an Error Status Code: response.Error ="Forbidden"

I followed all the per-requesite setup which is said in my previous question response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials

Kindly assist me how to Authenticate the application using Self Signed Certificate .

Answer 1

I found the solution for this issue (Self Signed Certificate) after a long struggle. There is a way to use the Self Signed Certificate in an Identity Server for authenticating user based on Client Certificate.

In the Identity Server, we are using a Certificate for generating Tokens (by default we are using idsrv3test.pfx ) and in Client Application we are using the Certificate Client.pfx (by default). I researched the logic behind in this, I found the solution these two certificates has a common Issuer " DevRoot ". The Identity Server return the Token based on Client Certificate only if the DevRoot is in Trusted Root Certification Authorities otherwise the IIS should not allow the request and return back with status code 403 Forbidden .

Scenario #1 :

Scenario #2 :

I followed the same logic, I created a Root CA Certificate. Moreover I created Server and Client Certificate and I mapped those certificate with the Root CA Certificate (ie, Parent). The Certificates should have the following purpose

• Root CA Certificate => All Purpose or the combination of Server Authentication and Client Authentication
• Server Certificate => Only Server Authentication Purpose
• Client Certificate => Only Client

Note : For more information about Intended Purpose, refer http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html

The Server and Client Certificate should be in .pfx file format . Let us see how to create the said Certificates

Ensure the Prerequisite Tools is exist in your System before executing the following Command

• Install the latest .Net Framework https://www.microsoft.com/net/download
• Install the Latest Microsoft Windows SDK for Windows 7 and .NET Framework 4 https://www.microsoft.com/en-us/download/details.aspx?id=8279

Step: #1

We need to Create a Certificates of CA, Service and Client along with Private Key

Certificate Authority

makecert -r -pe -n "CN=Token Root CA" 
-sr LocalMachine -a sha1 -sky signature -cy authority -sv 
"D:\Certificate\IDRootCA.pvk" "D:\Certificate\IDRootCA.cer"

Server Certificate

makecert -pe -n "CN=Server - Token Identity" -a sha1 -sky exchange 
-eku 1.3.6.1.5.5.7.3.1 -ic "D:\Certificate\IDRootCA.cer" -iv 
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDServer.pvk" "D:\Certificate\IDServer.cer"

Client Certificate

makecert -pe -n "CN=Client - Token Identity" -a sha1 -sky exchange 
-eku 1.3.6.1.5.5.7.3.2 -ic "D:\Certificate\IDRootCA.cer" -iv 
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDClient.pvk" "D:\Certificate\IDClient.cer"

Step: #2

We need to Export the PFX's file of Service and Client certificate

Service Certificate (PFX Format)

pvk2pfx -pvk "D:\Certificate\IDServer.pvk" -spc "D:\Certificate\IDServer.cer" 
-pfx "D:\Certificate\IDServer.pfx"

Client Certificate (PFX Format)

pvk2pfx -pvk "D:\Certificate\IDClient.pvk" -spc "D:\Certificate\IDClient.cer" 
-pfx "D:\Certificate\IDClient.pfx"

Step: #3

We need to Import CA into Trusted Root Certification Authorities certificate store

Import Certificate Authority " CN=Token Root CA "

certutil -user -addstore Root "D:\Certificate\IDRootCA.cer"

Note : Here I import the Certificate only for the current user "-user". For more details refer http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html

Execute all the above said commands using Command Prompt in Administrator Mode and navigate the path to " C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v7.1A\\Bin ". The said path should contain the MakeCert.exe file (Ensure it once)

The above said Commands will create all the required Certificates of Identity Server

Identity Server Project: Kindly use the Server Certificate "IDServer.pfx" instead of "idsrv3test.pfx" and Change the same in Certificates.cs and Web.config.

Note : The Private key is not required for this Self signed Certificate .

Finally the Client Console Application Code is

var cert = new X509Certificate2(@"IDClient.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

Finally I got the Access Token Successfully