How to create a signing certificate and use it in IdentityServer4 in production?


Problem description

Most (all?) of the sample code on the IdentityServer4 docs site uses AddDeveloperSigningCredential(), but recommends using AddSigningCredential() instead in production. I spent more hours than I care to think about trying to figure out how to do that.

How do I create a signing certificate and use it in IdentityServer4 in production?

Recommended answer

Create the certificate and add it to the machine's certificate store

I decided to create a certificate and add it to the machine's certificate store. Brock Allen has a 2015 blog post here describing how to create the certificate using MakeCert. However, according to the Microsoft MakeCert documentation it is now deprecated. So I decided to use the PowerShell New-SelfSignedCertificate applet instead (MS docs). I translated Brock's MakeCert command to use the New-SelfSignedCertificate parameters and ended up with this PowerShell command:

    New-SelfSignedCertificate `
      -KeyExportPolicy Exportable `
      -Subject "CN=MyIdsvCertificate" `
      -KeySpec Signature `
      -KeyAlgorithm RSA `
      -KeyLength 2048 `
      -HashAlgorithm SHA256 `
      -CertStoreLocation "Cert:\LocalMachine\My"

If you want to check that the certificate has been installed correctly, from the Run prompt launch "mmc", go to File, "Add/Remove Snap-in", select "Certificates", click Add, select "Computer account", Next, "Local computer", Finish, OK. Then browse to Certificates\Personal\Certificates; there should be one issued to MyIdsvCertificate.

Grant permissions on the certificate

Once the certificate has been created you need to grant read permission to whatever Windows identity is running IIS (or whatever is serving your IdentityServer app); otherwise you get a "Keyset does not exist" error when IdentityServer tries to use the key. To do this, locate the folder %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys, find the file with a timestamp matching the time you created the certificate, then grant read access (no need for anything else) to the Windows identity running IIS. This issue is discussed on the IdentityServer4 GitHub Issues forum and explained by Brock Allen and Dominick Baier. If you're a genius like Brock or Dominick then that explanation might have been enough, but dummies like me might find the clearer explanation and solution provided for a very similar issue on the Microsoft Support site more useful.

Tell IdentityServer to use the certificate

The hard work is now done. All that remains is to tell IdentityServer to use the certificate when not in development:

    // _env is the hosting environment injected into Startup's constructor.
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        // Configure some awesome services
        // ...

        var identityServer = services.AddIdentityServer(...options...)...AddStuff()...;

        if (_env.IsDevelopment())
        {
            // Temporary key material generated on first run; never for production.
            identityServer.AddDeveloperSigningCredential();
        }
        else
        {
            // The string overload looks the certificate up by subject distinguished
            // name in the LocalMachine\My store, where the PowerShell command above put it.
            identityServer.AddSigningCredential("CN=MyIdsvCertificate");
        }

        // ...
        // Configure more awesome services
        // ...
    }

Note that the "CN=" bit is required in the call to AddSigningCredential(); that cost me some time too. I actually get the name from a config file at runtime, but we don't need to go into those details here.
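The three steps of the answer (create the certificate, check it landed in the store, grant the IIS identity read access to the private key file) as one PowerShell script. This is an added example, not code from the question, the answer, or the IdentityServer4 project. It assumes the site runs under an application pool named IdentityServer (the `IIS AppPool\IdentityServer` virtual account) and that a two-year validity is acceptable; both are placeholders to change. Instead of matching a file timestamp by eye, it asks the key for its container name and searches for that file, which also covers the case where the key was created by the CNG provider and lives under `Microsoft\Crypto\Keys` rather than `RSA\MachineKeys`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer or the IdentityServer4 project):
# creates the signing certificate, verifies it from the shell, and grants the
# IIS application pool identity read access to the private key file, which is
# what cures the "Keyset does not exist" error the answer describes.
# Assumptions: the subject matches the AddSigningCredential() call, the app
# pool is named "IdentityServer", and two years of validity is acceptable.

$Subject     = 'CN=MyIdsvCertificate'        # must match AddSigningCredential("CN=...")
$AppPoolUser = 'IIS AppPool\IdentityServer'  # assumed pool name; IIS creates this virtual account
$ValidYears  = 2                             # assumed; the cmdlet default is one year

# 1. Create the key pair and certificate in the machine store.
#    NonExportable stops the key from being copied off the box; the answer uses
#    Exportable, which is only needed if you must back the key up or move it.
$cert = New-SelfSignedCertificate `
    -Subject           $Subject `
    -FriendlyName      'IdentityServer4 token signing' `
    -KeySpec           Signature `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -HashAlgorithm     SHA256 `
    -KeyExportPolicy   NonExportable `
    -NotAfter          (Get-Date).AddYears($ValidYears) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Verify the install without opening mmc.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "Certificate $Subject is not in LocalMachine\My with a private key."
}
Write-Host ("Installed {0}  thumbprint {1}  expires {2:u}" -f $installed.Subject, $installed.Thumbprint, $installed.NotAfter)

# 3. Find the private key file by its container name instead of by timestamp.
#    CNG keys (the cmdlet's default provider) live under ...\Crypto\Keys; legacy
#    CSP keys live under ...\Crypto\RSA\MachineKeys, the folder the answer names.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFileName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto') `
    -Recurse -File -Filter $keyFileName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) {
    throw "Key file '$keyFileName' not found under $env:ALLUSERSPROFILE\Microsoft\Crypto."
}

# 4. Grant Read only. The app pool signs with the key; it never needs to modify,
#    re-ACL or delete it, so no Modify or FullControl.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 5. Show the resulting entry so the grant can be checked (or audited) later.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppPoolUser } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated prompt on the IdentityServer host; administrators have access to machine keys, so GetRSAPrivateKey succeeds and the resulting ACL entry is printed at the end. A self-signed certificate is sufficient here because relying parties fetch the public key from the discovery document's JWKS endpoint rather than validating a chain. What does matter is the expiry: note the NotAfter date, and when you rotate, keep the old certificate registered with AddValidationKey() for as long as tokens signed with it may still be in circulation.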

