带有AddSigningCertificate的OpenIddict错误 [英] OpenIddict error with AddSigningCertificate
问题描述
我正在尝试登录证书(OpenIddict),但是尝试使用指纹时出现错误:
I am trying to signin certificate (OpenIddict), but I get error when trying with thumbprint:
options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);
和错误:
应用程序启动异常: System.Security.Cryptography.CryptographicException:OpenCSP失败 错误代码2148073494.
Application startup exception: System.Security.Cryptography.CryptographicException: OpenCSP failed with error code 2148073494.
在此行:
app.UseOpenIddict();
如果我尝试使用X509Certificate2,我也会收到错误消息:
If I tried with X509Certificate2 I also get error:
var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);
options.AddSigningCertificate(cert);
和错误:
System.InvalidOperationException:证书不包含 必需的私钥.
System.InvalidOperationException: The certificate doesn't contain the required private key.
在同一行app.UseOpenIddict();
.
我正在使用与https协议相同的证书.这个可以吗?
我的活动令牌随机消失了(尝试刷新令牌时,我得到了invalid_token).我发现如果使用AddEphemeralSigningKey
会发生这种情况,因为在断开连接时(由于IIS空闲超时),所有令牌都会丢失.因此,我正在尝试使用AddSigningCertificate
.
I am using the same certificate that I am using for https protocol. Is this OK?
My active tokens are randomly gone (and I get invalid_token when trying to refresh the token). I find somewhere that this happens if AddEphemeralSigningKey
is used, because when connection is dropped (because of IIS idle timeout), all tokens are lost. Because of that I am trying to use AddSigningCertificate
.
还有另一种方法吗?有人可以告诉我,证书有什么问题吗?谢谢你.
Is there another way? Can someone tell me, what is wrong with certificate? Thank you.
我正在使用ASP.NET Core 1.1.1.
我为.cer文件的IIS用户添加了读取权限.
I am using ASP.NET Core 1.1.1.
I add read rights to IIS user for .cer file.
推荐答案
I solved my problem with new certificate created with SelfCert (https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip).
I then added certificate to project source and call AddSigningCertificate:
if (this.env.IsDevelopment())
options.AddEphemeralSigningKey();
else
options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");
我还必须为IIS用户添加完全的文件权限.正确的读取和执行还不够.
I also had to add full rights to file for IIS user. Read and execute right was not enough.
就是这样.可以.
这篇关于带有AddSigningCertificate的OpenIddict错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!