带证书的IdentityServer4 AddSigningCredentials
[英]IdentityServer4 AddSigningCredentials with Certificate
问题描述
I have an SSL certificate installed on my domain and I wanted to use it for signing with IdentityServer 4. Now I found that there is a method which would let me do that: 
我的域上安装了SSL证书,我想将其用于IdentityServer 4的签名。现在,我发现有一种方法可以使我做到这一点:
services.AddIdentityServer().AddSigningCredentials(certificate);
However, I cannot figure out how to actually get my certificate and pass it to the identity server. 但是,我无法弄清楚如何真正获得证书并将其传递给身份服务器。
I have tried the following: 我尝试了以下方法:
var cert = X509Certificate.CreateFromCertFile(fileName);
services.AddIdentityServer().AddSigningCredentials(certificate);
The error that I get is it cannot convert from 我得到的错误是它无法转换
'System.Security.Cryptography.X509Certificates.X509Certificate' to 'Microsoft.IdentityModel.Tokens.SIgningCredential'
Now I don't understand why it is complaining about signing credentials when one of the overrides for the method is the certificate. 现在,我不明白为什么当方法的替代之一是证书时,为什么抱怨签名凭证。
2 个解决方案
解决方案1
0 2019-03-17 22:10:26
Maybe it can't convert due to issue in permissions or loading the certificate as a stream. 可能由于权限问题或将证书作为流加载而无法转换。
In my case using IdentityServer3 the below code works: 在我使用IdentityServer3的情况下,以下代码有效:
/// <summary>
/// Load the certificate that sign the Id or Jw token
/// </summary>
/// <returns></returns>
private static X509Certificate2 LoadCertificate()
{
string baseDirectory = AppDomain.CurrentDomain.BaseDirectory;
return new X509Certificate2(
Path.Combine(AppDomain.CurrentDomain.BaseDirectory, ConfigMngr.GetAppSettingsValue<string>("IdSrv:SigningCertificatePath")), ConfigMngr.GetAppSettingsValue<string>("IdSrv:SigningCertificatePassword"));
}
Then in owin's startup file, I am passing it as below: 然后在owin的启动文件中,我将其传递如下:
SigningCertificate = LoadCertificate(),
I know in Idsrv4 it's a different implementation than the code I posted but it should be the same abstraction, for example, you loading X509Certificate but it's deprecated so make sure to use the correct overloading to load the certificate as stream and make sure to return the correct type. 我知道在Idsrv4中它是与我发布的代码不同的实现,但是应该是相同的抽象,例如,您加载X509Certificate,但已弃用,因此请确保使用正确的重载将证书作为流加载并确保返回正确的类型。
Also, This code is testable with IdSrv4: 另外,此代码可通过IdSrv4测试:
var fileName = Path.Combine(env.WebRootPath, "FileName" );
if (!File.Exists(fileName))
{
throw new FileNotFoundException("No Signing Certificate!");
}
var cert = new X509Certificate2(fileName, "Pass" );
services.AddIdentityServer().AddSigningCredential(cert)
So instead of using 所以不要使用
X509Certificate.CreateFromCertFile(fileName);
You can construct a new X509Certificate2 certificate like this: 您可以像下面这样构造一个新的X509Certificate2证书:
var cert = new X509Certificate2(fileName, "Pass" );
And pass it to the owin middleware: 并将其传递给owin中间件:
services.AddIdentityServer().AddSigningCredential(cert)
解决方案2
0 已采纳 2019-03-23 00:51:18
I ended up resolving it like this. 我最终解决了这个问题。 I'm using a shared server where I am hosting this and I could not find the file name for the certificate or the path to get it. 我正在使用共享服务器托管该服务器,但找不到证书的文件名或获取它的路径。 So I ended up just opening the store and finding it that way. 所以我最终只是开了一家商店,然后找到了它。 Not very efficient, but it will do the trick until I move it to a dedicated server and have more control. 效率不是很高,但是直到我将其移至专用服务器并拥有更多控制权之前,它都能达到目的。
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = null;
foreach (X509Certificate2 certificate in store.Certificates)
{
if (!string.IsNullOrWhiteSpace(certificate?.SubjectName?.Name) && certificate.SubjectName.Name.StartsWith("CN=*.mysite.com"))
{
cert = certificate;
break;
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.