Guidance on Thinktecture IdentityServer v3 - certificates

Asked 30/10, 2014 at 13:17 Answered 13/8, 2015 at 1:1

Solved azure certificate thinktecture-ident-server

I am working up a demo of Thinktecture IdentityServer v3. The intention is to have the identity server run as it's own website under Azure Websites.

There will be other (more than one) Azure Websites that will use the identity server to authenticate users.

Based on the getting started walkthrough (see https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started) I have this mostly working.

Where I am having trouble is with the certificates.

For the demo, I'd like to create my own certificate - but I am unsure of what I need to do. Any guidance would be helpful.

Other questions I have on this:

Are self-signed certificates able to be used?
In a production scenario, would self-signed certificates be acceptable, or would they really need to be signed by a trusted root authority?
How would these certificates be installed into an Azure Website (or can I load from disk)

Intransitive answered 30/10, 2014 at 13:17 Comment(2)

Also have the same questions. I was able to create the server following the getting started guide, but I'm trying now to host it on my local IIS but I'm also lost in the certificates part. – Parolee 31/10, 2014 at 22:41

highly frustrating how the documentation just assumes everyone is a cert expert – Sulphonate 30/11, 2016 at 6:7

Well - strictly speaking you need two certificate - one for SSL and one for signing - technically they could be the same - but don't have to. They also have different requirements.

For SSL - you need have a cert that is in the trusted list of your clients. Typically this is either a cert from a commercial CA - or from an internal PKI.

For the signing cert - you can generate your own - e.g. using makecert.

IdSrv is pretty flexible in loading certs - you can retrieve them from arbitrary sources - typically from the windows certificate store (when you have admin level access to the server) - or the file system, or from an embedded resource.

Our sample host uses the embedded resource approach which does work fine for Azure WebSites. For production scenarios you typically want more flexibility (e.g. for roll over) - so I would look into loading it from e.g. blob storage.

Stylopodium answered 2/11, 2014 at 9:18 Comment(3)

Actually accoring to Trace.log, there seem to be some requirements. Eg: 1) min length = 2048 bits. 2) 'willBeUseForSigning' should be false if the private key is not be available. Am I right? – Berrie 17/1, 2015 at 20:2

@Stylopodium I cloned your IdentityServer3.Samples repository, I followed the instructions on how to install the certificate, but it doesn't seem to work for me. I keep getting 'could not establish trust relationship'. I am trying to run Simplest.OAuth.Walkthrough sample. I run the IdSrv, then I run the Client and I get the error at GetClientToken(). Any solution to this? – Gasperoni 10/2, 2015 at 16:7

The "could not establish trust" error is coming from SSL and is unrelated to IdentityServer. You need to setup SSL properly. – Stylopodium 12/2, 2015 at 7:22

Expanding on the leastprivilege answer I think the 'proper' way is to install them in the Azure trust store but in my case I supplied them from embedded resources as in the idsrv3 example.

Here are some specifics that worked for me. Creating a self signed cert:

        "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -r -pe -n "CN=MyAppIdentity" -sky signature MyApp.cer -sv MyApp.pvk
        "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\pvk2pfx.exe" -pvk MyApp.pvk -spc MyApp.cer -pfx MyApp.pfx -pi MyPassword -po MyPassword

Despite the pvk2pfx.exe docs, I found that if -po is not supplied then the pfx would not keep the same password as the pvk and X509Certificate2() would fail with a password issue.

The idsrv3 sample cert worked fine on azure for me, using the idsrv3 sample code:

        var assembly = typeof(Certificate).Assembly;
        using (var stream = assembly.GetManifestResourceStream("MyCompany.Identity.Website.Config.idsrv3test.pfx"))
        {
            return new X509Certificate2(ReadStream(stream), "idsrv3test");
        }

However when I made my own cert it worked fine in local testing using the code above, but on Azure I had to add some extra flags to get it to work. I'm not necessarily sure the implications of using these, but they work, so that's a start:

        using (var stream = assembly.GetManifestResourceStream("MyCompany.Identity.Website.Config.MyApp.pfx"))
        {
            return new X509Certificate2(ReadStream(stream), 
                "MyPassword", 
                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
        }

Yesseniayester answered 13/8, 2015 at 1:1 Comment(2)

Great answer, thanks. I couldn't get my key (created with OpenSSL) to work once deployed to Azure either until I added those additional flags. Did you ever determine the implications of those flags? – Schmitt 31/7, 2016 at 6:33

The MS documentation doesn't really help. This dude has a pretty readable discussion, and tip #4 gives a little more info: paulstovell.com/blog/x509certificate2 – Yesseniayester 1/8, 2016 at 14:18

Recommended topics

Hot tags