OpenIddict error with AddSigningCertificate


Problem description

I am trying to sign in with a certificate (OpenIddict), but I get an error when trying with a thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception: System.Security.Cryptography.CryptographicException: OpenCSP failed with error code 2148073494.

on this line:

app.UseOpenIddict();

If I try with X509Certificate2 I also get an error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);
options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the required private key.

on the same line, app.UseOpenIddict();.

I am using the same certificate that I am using for the https protocol. Is this OK? My active tokens are randomly gone (and I get invalid_token when trying to refresh the token). I found somewhere that this happens if AddEphemeralSigningKey is used, because when the connection is dropped (because of the IIS idle timeout), all tokens are lost. Because of that I am trying to use AddSigningCertificate.

Is there another way? Can someone tell me what is wrong with the certificate? Thank you.

I am using ASP.NET Core 1.1.1.
I added read rights to the IIS user for the .cer file.

Recommended answer

I solved my problem with a new certificate created with SelfCert (https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip).
I then added the certificate to the project source and called AddSigningCertificate:

if (this.env.IsDevelopment())
    options.AddEphemeralSigningKey();
else
    // OpenIddict copies the PFX out of the stream during the call, so the FileStream can be
    // disposed immediately afterwards instead of leaking; "pass" is the PFX password placeholder.
    using (var pfx = new FileStream(Path.Combine(Directory.GetCurrentDirectory(), "Resources", "cert.pfx"), FileMode.Open, FileAccess.Read))
        options.AddSigningCertificate(pfx, "pass");

I also had to give the IIS user full rights to the file. Read and execute rights were not enough.

That's it. It works.
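The two errors in the question are worth telling apart before switching certificates, so here is an added diagnostic that is not part of the question, the answer, or OpenIddict itself. The first error's code, 2148073494, is 0x80090016, the HRESULT NTE_BAD_KEYSET: the certificate was found but its private-key container could not be opened by the process account (typically the app pool identity lacks read access to the key, or the key sits in a store that account cannot see). The second error is simpler: a .cer file carries only the public key, so no amount of file permissions will make it sign. The program below looks a certificate up by thumbprint (whitespace stripped, as the "db b9 12 ... 22" form in the question would otherwise never match) or loads it from a .cer/.pfx, then proves the key is usable by actually signing with it, which is the operation that raises NTE_BAD_KEYSET. Loading the PFX with X509KeyStorageFlags.MachineKeySet is an added choice that avoids depending on the app pool user's profile being loaded; the file path, password and thumbprint are command-line arguments supplied by the caller.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic; not code from the question, the answer or the OpenIddict project.
public static class SigningCertificateCheck
{
    // NTE_BAD_KEYSET: "OpenCSP failed with error code 2148073494" (2148073494 == 0x80090016).
    // The key container exists but cannot be opened under the current account.
    public const int NTE_BAD_KEYSET = unchecked((int)0x80090016);

    // Look the certificate up by thumbprint in the Personal store of the given location.
    // Spaces (as in a thumbprint copied from the certificate MMC) are removed first.
    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location)
    {
        var normalized = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, normalized, validOnly: false);
            return matches.Count == 0 ? null : matches[0];
        }
    }

    // Load a .cer (public key only; password == null) or a .pfx (key pair) from disk.
    // MachineKeySet keeps the imported key out of the per-user key store, which an IIS
    // app pool account without a loaded profile often cannot write to.
    public static X509Certificate2 LoadFromFile(string path, string password)
    {
        var bytes = File.ReadAllBytes(path);
        return password == null
            ? new X509Certificate2(bytes)
            : new X509Certificate2(bytes, password, X509KeyStorageFlags.MachineKeySet);
    }

    // HasPrivateKey only says the certificate references a key; signing with it is what
    // actually opens the key container and surfaces NTE_BAD_KEYSET.
    public static string Probe(X509Certificate2 cert)
    {
        if (cert == null)
            return "not found: no certificate with that thumbprint in the store";
        if (!cert.HasPrivateKey)
            return "no private key (.cer file or public-key-only store entry): OpenIddict will reject it";
        try
        {
            using (var rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null)
                    return "private key is not RSA";
                var sig = rsa.SignData(Encoding.ASCII.GetBytes("probe"), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                return "ok: signed " + sig.Length + " bytes with " + cert.Subject;
            }
        }
        catch (CryptographicException ex) when (ex.HResult == NTE_BAD_KEYSET)
        {
            return "NTE_BAD_KEYSET: the key container cannot be opened by the current account; "
                 + "grant it read access to the private key (certlm.msc, Manage Private Keys) or load a .pfx";
        }
        catch (CryptographicException ex)
        {
            return "CryptographicException 0x" + ex.HResult.ToString("X8") + ": " + ex.Message;
        }
    }

    // Usage: dotnet run -- <thumbprint>
    //        dotnet run -- <path-to-.cer-or-.pfx> [pfx-password]
    public static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.WriteLine("usage: <thumbprint> | <cert-file> [password]");
            return;
        }
        var cert = File.Exists(args[0])
            ? LoadFromFile(args[0], args.Length > 1 ? args[1] : null)
            : FindByThumbprint(args[0], StoreLocation.LocalMachine);
        Console.WriteLine(Probe(cert));
    }
}
```

Run it under the same identity as the app pool (for example with `runas` or a scheduled task) to get the same answer OpenIddict would. If the PFX probe succeeds with only read access on the file, the "full rights" the answer needed were most likely compensating for a failed key import into the user store rather than a genuine need to write the file, and MachineKeySet is the least-privilege fix. Separately, reusing the HTTPS certificate as the token-signing key works mechanically but ties token validity to the TLS certificate's rotation and exposes the same key to two different trust domains; a dedicated signing certificate, as the answer ends up doing, is the better design.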
