How to create a signing certificate and use it in IdentityServer4 in production?


Problem description

Most (all?) of the sample code on the IdentityServer4 docs site uses AddDeveloperSigningCredential(), but recommends using AddSigningCredential() instead in production. I spent more hours than I care to think about trying to figure out how to do that.

How do I create a signing certificate and use it in IdentityServer4 in production?

Recommended answer

Create the certificate and add it to the machine's certificate store

I decided to create a certificate and add it to the machine's certificate store. Brock Allen has a 2015 blog post here describing how to create the certificate using MakeCert. However, according to the Microsoft MakeCert documentation it is now deprecated. So I decided to use the PowerShell New-SelfSignedCertificate cmdlet instead (MS docs). I translated Brock's MakeCert command to use the New-SelfSignedCertificate parameters and ended up with this PowerShell command:

    New-SelfSignedCertificate -KeyExportPolicy Exportable -Subject "CN=MyIdsvCertificate" -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation "cert:\LocalMachine\My"

If you want to check that the certificate has been installed correctly, from the Run prompt launch "mmc", go to File, "Add/Remove Snap-in", select "Certificates", click Add, select "Computer account", Next, "Local computer", Finish, OK. Then browse to Certificates\Personal\Certificates; there should be one issued to MyIdsvCertificate.

Grant permissions to the certificate

Once the certificate has been created you need to grant read permission to whatever Windows identity is running IIS (or whatever is serving your IdentityServer app); otherwise you get a "Keyset does not exist" error when IdentityServer tries to use the key. To do this, locate the folder %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys, find the file with a timestamp matching the time you created the certificate, then grant read access (no need for anything else) to the Windows identity running IIS. This issue is discussed on the IdentityServer4 GitHub Issues forum and explained by Brock Allen and Dominick Baier. If you're a genius like Brock or Dominick then that explanation might have been enough, but dummies like me might find the clearer explanation and solution provided to a very similar issue on the Microsoft Support site more useful.

Tell IdentityServer to use the certificate

The hard work is now done. All that remains is to tell IdentityServer to use the certificate when not in development:

    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        // Configure some awesome services
        // ...

        var identityServer = services.AddIdentityServer(...options...)...AddStuff()...;

        // _env is the hosting environment injected into the Startup constructor
        if (_env.IsDevelopment())
        {
            identityServer.AddDeveloperSigningCredential();
        }
        else
        {
            // the string overload looks the certificate up in the machine store by subject distinguished name
            identityServer.AddSigningCredential("CN=MyIdsvCertificate");
        }

        // ...
        // Configure more awesome services
        // ...
    }

Note that the "CN=" bit is required in the call to AddSigningCredential(); that cost me some time too. I actually get the name from a config file at runtime, but we don't need to go into those details here.
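The two things the answer warns about (the "CN=" distinguished-name form and the "Keyset does not exist" error that appears only when the key is first used) can both be checked at startup rather than on the first token request. The helper below is an added example, not code from the answer or from IdentityServer4: it loads the certificate from LocalMachine\My by subject distinguished name, confirms it carries a private key, and performs one throwaway signature so a missing read ACL on the key container surfaces as a clear exception while the app is starting. `SigningCertificateLoader` and the `Signing:SubjectName` configuration key are hypothetical names; the `AddSigningCredential(X509Certificate2)` overload it hands the result to is a real IdentityServer4 overload.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of the original answer or of IdentityServer4).
public static class SigningCertificateLoader
{
    public static X509Certificate2 LoadFromMachineStore(string subjectDistinguishedName)
    {
        // FindBySubjectDistinguishedName matches the whole DN ("CN=MyIdsvCertificate"),
        // which is why a bare common name never matches in AddSigningCredential(string).
        if (string.IsNullOrWhiteSpace(subjectDistinguishedName) || !subjectDistinguishedName.Contains("="))
        {
            throw new ArgumentException(
                "Pass the distinguished-name form, e.g. \"CN=MyIdsvCertificate\", not a bare name.",
                nameof(subjectDistinguishedName));
        }

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDistinguishedName, validOnly: false);

            if (matches.Count == 0)
            {
                throw new InvalidOperationException(
                    $"No certificate with subject '{subjectDistinguishedName}' found in LocalMachine\\My.");
            }

            var cert = matches[0];
            if (!cert.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    $"Certificate {cert.Thumbprint} has no private key and cannot sign tokens.");
            }

            // Sign a throwaway buffer now: an identity without read access to the key
            // container fails here with CryptographicException("Keyset does not exist").
            try
            {
                using (var rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                    {
                        throw new InvalidOperationException("The signing certificate must use an RSA key.");
                    }
                    rsa.SignData(new byte[] { 0x01 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "The signing certificate's private key is not readable by this process. " +
                    "Grant the identity running IdentityServer read access to the key container file " +
                    "under %ALLUSERSPROFILE%\\Microsoft\\Crypto\\RSA\\MachineKeys.", ex);
            }

            return cert;
        }
    }
}

// Usage in Startup.ConfigureServices, keeping the answer's development/production branch.
// "Signing:SubjectName" is a hypothetical configuration key holding "CN=MyIdsvCertificate".
//
//     if (_env.IsDevelopment())
//         identityServer.AddDeveloperSigningCredential();
//     else
//         identityServer.AddSigningCredential(
//             SigningCertificateLoader.LoadFromMachineStore(Configuration["Signing:SubjectName"]));
```

Failing fast here is the point: IdentityServer otherwise resolves the key lazily, so a broken ACL is only noticed when the first client asks for a token, and the exception it gets is the low-level CSP message rather than one naming the certificate and the folder to fix.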

