Issue in Self Signed Client Certificate while processing an Identity Server Client Credentials Flow


Question

I created a self-signed certificate for my internal development purposes using MakeCert.exe

Step #1: I created a Root CA using the following command

makecert -n "CN=Bala root signing authority" -cy authority -r -sv root.pvk root.cer

Step #2: Installed the Root CA certificate created in Step #1 using the following command

certutil -user -addstore Root root.cer

Step #3: I created a client certificate using the following command

makecert -pe -n "CN=Bala Client" -a sha1 -cy end -sky signature -ic root.cer -iv root1.pvk -sv Bala.pvk Bala.cer

Step #4: I created a .pfx file for the respective client certificate using the following command

pvk2pfx -pvk Bala.pvk -spc Bala.cer -pfx Bala.pfx

The Root CA, namely "CN=Bala root signing authority", has all intended purposes and is installed in Trusted Root Certification Authorities

Snapshot of Root CA Certificate: "CN=Bala root signing authority"

Snapshot of Client Certificate: "CN=Bala Client"

The client certificate has the thumbprint "83021C2C20096FFD8415A353E471FF1BD39ECA4E"

Please look carefully at the snapshots:

I have a client in my IdentityServer3 and I used the same thumbprint "83021C2C20096FFD8415A353E471FF1BD39ECA4E"

new Client
{
    ClientName = "Client Credentials Flow Client With Certificate",
    Enabled = true,
    ClientId = "cc.WithCertificate",
    Flow = Flows.ClientCredentials,

    ClientSecrets = new List<Secret>
        {
            new Secret
            {
                Value = "83021C2C20096FFD8415A353E471FF1BD39ECA4E",
                Type = Constants.SecretTypes.X509CertificateThumbprint,
                Description = "Client Certificate"
            },
        },

    AllowedScopes = new List<string>
        {
            "read"
        }
}

The client console application code is

var cert = new X509Certificate2(@"Bala.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

Snapshot of the response object:

Once I execute the code I get the response with an error status code: response.Error = "Forbidden"

I followed all the prerequisite setup described in my previous question, response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials

Kindly assist me with how to authenticate the application using a self-signed certificate.

Answer

I found the solution for this issue (self-signed certificate) after a long struggle. There is a way to use a self-signed certificate in Identity Server for authenticating a user based on a client certificate.

In Identity Server we use a certificate for generating tokens (by default idsrv3test.pfx), and in the client application we use the certificate Client.pfx (by default). I researched the logic behind this and found that these two certificates have a common issuer, "DevRoot". Identity Server returns the token based on the client certificate only if DevRoot is in Trusted Root Certification Authorities; otherwise IIS does not allow the request and returns status code 403 Forbidden.

Scenario #1:

Scenario #2:

I followed the same logic: I created a Root CA certificate. Moreover, I created server and client certificates and mapped those certificates to the Root CA certificate (i.e., the parent). The certificates should have the following purposes

  • Root CA Certificate => All purposes, or a combination of Server Authentication and Client Authentication
  • Server Certificate => Server Authentication only
  • Client Certificate => Client Authentication only

Note: For more information about Intended Purpose, refer to http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html

The server and client certificates should be in .pfx file format. Let us see how to create the said certificates

Ensure the prerequisite tools exist on your system before executing the following commands

  • Install the latest .NET Framework https://www.microsoft.com/net/download
  • Install the latest Microsoft Windows SDK for Windows 7 and .NET Framework 4 https://www.microsoft.com/en-us/download/details.aspx?id=8279

Step #1

We need to create the CA, server and client certificates along with their private keys

Certificate Authority

makecert -r -pe -n "CN=Token Root CA" -sr LocalMachine -a sha1 -sky signature -cy authority -sv "D:\Certificate\IDRootCA.pvk" "D:\Certificate\IDRootCA.cer"

Server Certificate

makecert -pe -n "CN=Server - Token Identity" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic "D:\Certificate\IDRootCA.cer" -iv "D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDServer.pvk" "D:\Certificate\IDServer.cer"

Client Certificate

makecert -pe -n "CN=Client - Token Identity" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -ic "D:\Certificate\IDRootCA.cer" -iv "D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDClient.pvk" "D:\Certificate\IDClient.cer"

Step #2

We need to export the PFX files of the server and client certificates

Server Certificate (PFX format)

pvk2pfx -pvk "D:\Certificate\IDServer.pvk" -spc "D:\Certificate\IDServer.cer" -pfx "D:\Certificate\IDServer.pfx"

Client Certificate (PFX format)

pvk2pfx -pvk "D:\Certificate\IDClient.pvk" -spc "D:\Certificate\IDClient.cer" -pfx "D:\Certificate\IDClient.pfx"

Step #3

We need to import the CA into the Trusted Root Certification Authorities certificate store

Import Certificate Authority "CN=Token Root CA"

certutil -user -addstore Root "D:\Certificate\IDRootCA.cer"

Note: Here I import the certificate only for the current user ("-user"). For more details refer to http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html

Execute all the above commands using Command Prompt in Administrator mode after navigating to "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin". That path should contain the MakeCert.exe file (check it once)

The above commands will create all the required certificates for Identity Server

Identity Server Project: Kindly use the server certificate "IDServer.pfx" instead of "idsrv3test.pfx" and change the same in Certificates.cs and Web.config.

Note: The private key is not required for this self-signed certificate.

Finally, the client console application code is

var cert = new X509Certificate2(@"IDClient.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

Finally I got the access token successfully
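The following is an added example and is not code from the original question or answer. It reproduces the answer's root / server / client hierarchy with the CertificateRequest API that ships with .NET (makecert and pvk2pfx are deprecated and the answer's `-a sha1` signatures are rejected by current chain engines; SHA-256 is used here), writes the same IDRootCA.cer / IDServer.pfx / IDClient.pfx artefacts, prints the client thumbprint that goes into the `ClientSecrets` entry, and then runs the two checks that decide the outcome before IdentityServer3 ever compares the thumbprint: the certificate must chain to a root the server trusts, and it must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2). It assumes .NET 6 or later; the subjects, file names and the PFX password are illustrative values, and the `Verify` helper is this example's own, not an IdentityServer or IIS API.

```csharp
// Added example (not from the original post). Builds the root / server / client
// hierarchy from the answer with .NET's CertificateRequest API, exports the same
// files pvk2pfx produced, and mirrors the server-side acceptance checks.
// Assumptions: .NET 6 or later; subjects, file names and password are illustrative.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class DevCertHierarchy
{
    public const string ServerAuthEku = "1.3.6.1.5.5.7.3.1";
    public const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Self-signed root: CA=true, keyCertSign/cRLSign and no EKU, so it may issue both
    // server- and client-authentication leaves (the "all purposes" case in the answer).
    public static X509Certificate2 CreateRootCa(string subject)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    // Leaf signed by the root; ekuOid is its single intended purpose (server or client auth).
    public static X509Certificate2 IssueLeaf(X509Certificate2 issuer, string subject, string ekuOid)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(ekuOid) }, false));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F;                      // keep the serial number positive
        using X509Certificate2 signed = req.Create(issuer,
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1), serial);
        return signed.CopyWithPrivateKey(key);  // Create() returns the public part only
    }

    // The server-side decision in one place: does the certificate chain to a root we
    // trust, and is it valid for the requested purpose? Returns the chain errors if not.
    public static (bool Ok, string Detail) Verify(X509Certificate2 leaf, X509Certificate2 trustedRoot, string requiredEku)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;  // trust only what we add
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;     // a dev CA publishes no CRL
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(requiredEku));     // NotValidForUsage if EKU is wrong
        if (chain.Build(leaf)) return (true, "chain OK");
        return (false, string.Join("; ",
            chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}")));
    }

    public static void Main()
    {
        var root   = CreateRootCa("CN=Token Root CA");
        var server = IssueLeaf(root, "CN=Server - Token Identity", ServerAuthEku);
        var client = IssueLeaf(root, "CN=Client - Token Identity", ClientAuthEku);

        // Same artefacts as the answer's makecert / pvk2pfx output ("dev-only" is an example password).
        File.WriteAllBytes("IDRootCA.cer", root.Export(X509ContentType.Cert));
        File.WriteAllBytes("IDServer.pfx", server.Export(X509ContentType.Pfx, "dev-only"));
        File.WriteAllBytes("IDClient.pfx", client.Export(X509ContentType.Pfx, "dev-only"));

        // Value for the ClientSecrets entry of Type X509CertificateThumbprint (SHA-1 of the DER).
        Console.WriteLine($"Client thumbprint: {client.Thumbprint}");

        // Happy path, then the two failure modes behind a 403: a certificate that is not
        // valid for client authentication, and one whose root the server does not trust.
        Console.WriteLine($"client cert, trusted root : {Verify(client, root, ClientAuthEku)}");
        Console.WriteLine($"server cert as client cert: {Verify(server, root, ClientAuthEku)}");
        var otherRoot = CreateRootCa("CN=Some Other Root");
        Console.WriteLine($"client cert, other root   : {Verify(client, otherRoot, ClientAuthEku)}");
    }
}
```

Two practical notes. First, on Windows a certificate whose private key was attached in memory with `CopyWithPrivateKey` cannot always be used by Schannel, so load the exported IDClient.pfx from disk in the console client, as the original code does, rather than passing the in-memory object to `WebRequestHandler.ClientCertificates`. Second, Schannel builds the client-certificate chain in the server's own context: importing the root with `certutil -user` is enough for IIS Express or a self-host running under your account, but a real IIS site needs the root in the LocalMachine Trusted Root Certification Authorities store, otherwise the request is still rejected with 403 before IdentityServer3 sees it.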
