
Setting up identity server 3 certs on an azure VM

I am setting up a test VM for an application which is using IdentityServer 3 for its authentication. It is already set up and working on my dev machine, but we are moving it into the cloud for easier testing and I have issues with the certificates. Basically my setup is the following: I am using the idsrv3test certificate provided with the sample. The identity server startup is loading them like this:

using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;

var options = new IdentityServerOptions
{
    Factory = idServerServiceFactory,        // IdentityServerServiceFactory configured elsewhere
    SiteName = "Strata Practice Management",
    SigningCertificate = LoadCertificate()   // token-signing certificate, not the TLS server certificate
};

// Loads the sample idsrv3test.pfx shipped with the IdentityServer3 samples (PFX password "idsrv3test").
X509Certificate2 LoadCertificate()
{
    return new X509Certificate2($@"{AppDomain.CurrentDomain.BaseDirectory}\Certificates\idsrv3test.pfx", "idsrv3test");
}

That's basically the sample code provided in the example. Now, on the same server, there is an MVC app which connects to the identity server. Both are hosted on IIS. When I run them on my dev box everything is working fine. I published my identity server project to the Azure VM using the Default Web Site/IdentityServer path. The same test certs were uploaded to the server. When I then try to go to https://localhost/IdentityServer/identity (from the same VM) I get the following error: "The security certificate presented by this website was issued for a different website's address." IE does not give much detail, but I suspect the problem is idsrv3test's subject, which does not correspond to the proper machine URL. When I look at the cert's subject, it simply says idsrv3test.

So the questions are:

- Why do the certs work with IIS Express when I load the server on my local dev computer?
- What should I do to make it work on the VM? I assume I need to create a new certificate with the correct subject which will correspond to the server address and load that instead of the idsrv3test. How would I do that? I assume since this is a test box, I don't need to buy a commercial cert and can just make my own, right? What should be the subject of the new certificate? Is it supposed to be just https://localhost? Or just localhost? Or the full domain name of my VM?

I have quite a few questions, but I am a total noob when it comes to certificate security. If someone can please shine some light on this matter, I greatly appreciate it.

Regards, Andrey

Ok. Figured it out. The problem was not the idsrv3test certificate. It was the fact that there was no certificate proving that the response is coming from the server. When I looked at the error more closely using Chrome, the explanation was pretty clear: the server could not prove that it is xxx. I had to do a few things to get it to work.

1. Create a certificate with the issuer of the server address. That would be myvmname.cloudapp.azure.com if I am hosting on Azure. I used the makecert utility for that.
2. Bind the certificate to the secure HTTPS port of the website in IIS.
3. Add the certificate to the trusted root through the MMC on the machine accessing the server.

Tip for others like me figuring it out: if you are wondering what the difference is between the self-signed certificate (one you can make using makecert) and the commercial one you have to pay for, it is that the commercial ones are trusted by the browser.
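The three steps in the answer above, written out as an added PowerShell example (not part of the original post; the author used makecert and the MMC instead). It assumes the VM hostname myvmname.cloudapp.azure.com from the answer, the IIS site name "Default Web Site" from the question, and the PKI and WebAdministration modules that ship with Windows Server. The TLS server certificate created here is separate from the idsrv3test token-signing certificate loaded by IdentityServer.

```powershell
# Hostname the browser will type; Subject/SAN must match it or the browser
# reports "issued for a different website's address". Placeholder from the post.
$dnsName  = 'myvmname.cloudapp.azure.com'
$siteName = 'Default Web Site'

# 1. Create a self-signed TLS server certificate in the machine store whose
#    Subject and Subject Alternative Name both carry the VM hostname.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'IdentityServer test TLS certificate' `
    -NotAfter (Get-Date).AddYears(1)

# Check: the hostname is present in the SAN list before binding.
if ($cert.DnsNameList.Unicode -notcontains $dnsName) {
    throw "Certificate does not carry $dnsName in its SAN"
}

# 2. Bind the certificate to the HTTPS port of the IIS site.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Export only the public certificate (no private key) and import it into
#    Trusted Root Certification Authorities on the machine that accesses the
#    server. Run the Import-Certificate line on that client after copying the .cer.
$cerPath = Join-Path $env:TEMP 'idsrv-tls.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Browse to https://$dnsName/IdentityServer/identity from the client;
# https://localhost/... still warns, because localhost is not in the SAN.
```

Because the import into Trusted Root is what makes a self-signed certificate trusted, it is only needed on the test machines that talk to this VM; a commercially issued certificate skips that step, which is the difference the tip above describes.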
