[英]Issue in Self Signed Client Certificate while processing an Identity Server Client Credentials Flow
I created a Self Signed Certificate for my internal development purpose using MakeCert.exe 我使用MakeCert.exe为我的内部开发目的创建了自签名证书
Step #1 : I Created a Root CA using the following Command 步骤1 :我使用以下命令创建了根CA.
makecert -n "CN=Bala root signing authority" -cy authority -r -sv root.pvk root.cer
Step #2 : Installed the Root CA Certificate which is created in Step #1 using the following Command 步骤2 :使用以下命令安装在步骤#1中创建的根CA证书
certutil -user -addstore Root root.cer
Step #3 : I Created a Client Certificate using the following Command 步骤3 :我使用以下命令创建了客户端证书
makecert -pe -n "CN=Bala Client" -a sha1 -cy end ^ -sky signature ^ -ic root.cer -iv root1.pvk ^ -sv Bala.pvk Bala.cer
Step #4 : I Created a .pfx
file for the respective Client Certificate using the following command 步骤#4 :我使用以下命令为相应的客户端证书创建了一个.pfx
文件
pvk2pfx -pvk Bala.pvk -spc Bala.cer -pfx Bala.pfx
The Root CA namely "CN=Bala root signing authority" has all intended purpose and its installed in Trusted Root Certification Authorities
根CA即“CN = Bala根签名机构”具有所有预期目的,并且安装在Trusted Root Certification Authorities
Snapshot of Root CA Certificate : "CN=Bala root signing authority" 根CA证书快照 :“CN = Bala root签名权限”
Snapshot of Client Certificate : "CN=Bala Client" 客户端证书快照 :“CN = Bala Client”
The Client Certificate has a ThumbPrint: "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
客户证书有一个ThumbPrint: "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
Kindly look at the snapshot: 请看快照:
I'm having a Client in my IdentityServer3 and I used the Same thumbprint "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
我在IdentityServer3中有一个客户端,我使用了相同的指纹"83021C2C20096FFD8415A353E471FF1BD39ECA4E"
new Client
{
ClientName = "Client Credentials Flow Client With Certificate",
Enabled = true,
ClientId = "cc.WithCertificate",
Flow = Flows.ClientCredentials,
ClientSecrets = new List<Secret>
{
new Secret
{
Value = "83021C2C20096FFD8415A353E471FF1BD39ECA4E",
Type = Constants.SecretTypes.X509CertificateThumbprint,
Description = "Client Certificate"
},
},
AllowedScopes = new List<string>
{
"read"
}
}
The Client Console Application Code is 客户端控制台应用程序代码是
var cert = new X509Certificate2(@"Bala.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];
var client = new TokenClient(
tokenEndPoint,
"cc.WithCertificate",
handler);
// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;
Response Object's Snapshot: 响应对象的快照:
Once I execute the code I'm getting the response with an Error Status Code: response.Error ="Forbidden"
一旦我执行代码,我就会收到错误状态代码的response.Error ="Forbidden"
: response.Error ="Forbidden"
I followed all the per-requesite setup which is said in my previous question response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials 我遵循了上一个问题response.Error中的所有per-requesite设置。 在IdentityServer3 Flows.ClientCredentials中出现“Forbidden”错误
Kindly assist me how to Authenticate the application using Self Signed Certificate
. 请帮助我如何使用Self Signed Certificate
验证应用程序。
I found the solution for this issue (Self Signed Certificate) after a long struggle. 经过长时间的斗争,我找到了解决这个问题的解决方案(自签名证书)。 There is a way to use the Self Signed Certificate in an Identity Server for authenticating user based on Client Certificate. 有一种方法可以使用Identity Server中的自签名证书来根据客户端证书对用户进行身份验证。
In the Identity Server, we are using a Certificate for generating Tokens (by default we are using idsrv3test.pfx
) and in Client Application we are using the Certificate Client.pfx
(by default). 在Identity Server中,我们使用证书生成令牌(默认情况下我们使用的是idsrv3test.pfx
),而在客户端应用程序中,我们使用的是Certificate Client.pfx
(默认情况下)。 I researched the logic behind in this, I found the solution these two certificates has a common Issuer " DevRoot ". 我研究了这背后的逻辑,我发现解决方案这两个证书有一个共同的Issuer“ DevRoot ”。 The Identity Server return the Token based on Client Certificate only if the DevRoot is in Trusted Root Certification Authorities otherwise the IIS should not allow the request and return back with status code 403 Forbidden . 仅当DevRoot位于受信任的根证书颁发机构中时,Identity Server才会根据客户端证书返回令牌,否则IIS不应允许该请求并返回状态码403 Forbidden 。
Scenario #1 : 场景#1 :
Scenario #2 : 场景#2 :
I followed the same logic, I created a Root CA Certificate. 我遵循相同的逻辑,我创建了一个根CA证书。 Moreover I created Server and Client Certificate and I mapped those certificate with the Root CA Certificate (ie, Parent). 此外,我创建了服务器和客户端证书,并使用根CA证书(即父)映射了这些证书。 The Certificates should have the following purpose 证书应具有以下目的
Note : For more information about Intended Purpose, refer http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html 注意 :有关预期目的的更多信息,请参阅http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
The Server and Client Certificate should be in .pfx file format . 服务器和客户端证书应为.pfx文件格式 。 Let us see how to create the said Certificates 让我们看看如何创建所述证书
Ensure the Prerequisite Tools is exist in your System before executing the following Command 在执行以下命令之前,请确保系统中存在先决条件工具
Step: #1 第1步
We need to Create a Certificates of CA, Service and Client along with Private Key 我们需要创建CA,服务和客户端证书以及私钥
Certificate Authority 证书颁发机构
makecert -r -pe -n "CN=Token Root CA"
-sr LocalMachine -a sha1 -sky signature -cy authority -sv
"D:\Certificate\IDRootCA.pvk" "D:\Certificate\IDRootCA.cer"
Server Certificate 服务器证书
makecert -pe -n "CN=Server - Token Identity" -a sha1 -sky exchange
-eku 1.3.6.1.5.5.7.3.1 -ic "D:\Certificate\IDRootCA.cer" -iv
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDServer.pvk" "D:\Certificate\IDServer.cer"
Client Certificate 客户证书
makecert -pe -n "CN=Client - Token Identity" -a sha1 -sky exchange
-eku 1.3.6.1.5.5.7.3.2 -ic "D:\Certificate\IDRootCA.cer" -iv
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDClient.pvk" "D:\Certificate\IDClient.cer"
Step: #2 第2步
We need to Export the PFX's file of Service and Client certificate 我们需要导出PFX的服务和客户端证书文件
Service Certificate (PFX Format) 服务证书 (PFX格式)
pvk2pfx -pvk "D:\Certificate\IDServer.pvk" -spc "D:\Certificate\IDServer.cer"
-pfx "D:\Certificate\IDServer.pfx"
Client Certificate (PFX Format) 客户证书 (PFX格式)
pvk2pfx -pvk "D:\Certificate\IDClient.pvk" -spc "D:\Certificate\IDClient.cer"
-pfx "D:\Certificate\IDClient.pfx"
Step: #3 步骤:#3
We need to Import CA into Trusted Root Certification Authorities certificate store 我们需要将CA导入受信任的根证书颁发机构证书存储区
Import Certificate Authority " CN=Token Root CA
" 导入证书颁发机构 “ CN=Token Root CA
”
certutil -user -addstore Root "D:\Certificate\IDRootCA.cer"
Note : Here I import the Certificate only for the current user "-user". 注意 :这里我只为当前用户“-user”导入证书。 For more details refer http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html 有关更多详细信息,请参阅http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html
Execute all the above said commands using Command Prompt in Administrator Mode and navigate the path to " C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v7.1A\\Bin
". 在管理员模式下使用命令提示符执行上述所有命令,并将路径导航到“ C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v7.1A\\Bin
”。 The said path should contain the MakeCert.exe
file (Ensure it once) 所述路径应包含MakeCert.exe
文件(确保一次)
The above said Commands will create all the required Certificates of Identity Server 上述命令将创建所有必需的Identity Server证书
Identity Server Project: Kindly use the Server Certificate "IDServer.pfx"
instead of "idsrv3test.pfx"
and Change the same in Certificates.cs and Web.config. Identity Server Project:请使用服务器证书"IDServer.pfx"
而不是"idsrv3test.pfx"
并在Certificates.cs和Web.config中更改它。
Note : The Private key is not required for this Self signed Certificate . 注意 :此自签名证书不需要私钥 。
Finally the Client Console Application Code is 最后是客户端控制台应用程序代码
var cert = new X509Certificate2(@"IDClient.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];
var client = new TokenClient(
tokenEndPoint,
"cc.WithCertificate",
handler);
// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;
Finally I got the Access Token Successfully 最后我成功获得了Access Token
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.