IdentityServer4:在Docker中时如何从证书存储加载签名证书 [英] IdentityServer4: How to load Signing Credential from Cert Store when in Docker

问题描述

我们有一个基于IdentityServer4的STS在Windows上成功运行，其中在个人>"下使用.pfx将签名凭据安装到本地计算机.受信任的人"下的证书和.cer>证书.我们是然后可以按其通用名称加载签名凭证，如下所示:

We have an IdentityServer4-based STS successfully running on Windows, where the Signing Credential has been installed to the Local Computer with .pfx under Personal > Certificates, and .cer under Trusted People > Certificates. We are then able to load the Signing Credential by its Common Name as follows:

services.AddIdentityServer()
    .AddSigningCredential("CN=CERT_NAME")
    ...

我们现在想在Docker容器中运行我们的STS实现，并且遇到了以下异常:

We are now wanting to run our STS implementation within a Docker container, and have been running into the following exception:

Unhandled Exception: System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at IdentityModel.X509CertificatesFinder.Find(Object findValue, Boolean validOnly)
   at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderExtensionsCrypto.AddSigningCredential(IIdentityServerBuilder builder, String name, StoreLocation location, NameType nameType)

基于上述错误消息以及我们在此处使用的AddSigningCredential方法的来源:

Based on the above error message, and the source for the AddSigningCredential method we're using here: https://github.com/IdentityServer/IdentityServer4/blob/ec17672d27f9bed42f9110d73755170ee9265116/src/IdentityServer4/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs#L73, it seems apparent that our issue is that IdentityServer4 is looking for the certificate in the Local Machine's Personal ("My") store, however, such a store is not available within Unix environments as per the error message.

所以，我很想知道是否存在一些最佳实践，以便无法通过名称或指纹来加载IdentityServer4的签名凭证到Docker容器中.唯一的选择是将证书与我们的应用程序捆绑在一起，然后按文件名加载它吗?

So, I'm curious to know if some best practice exists for loading the Signing Credential for IdentityServer4 in Docker containers, if it isn't possible to load it by name or fingerprint. Would the only option be to bundle the certificate in with our application, then load it by filename?

推荐答案

在使用Docker容器和IdentityServer时，基本上有两个选择:

When you use Docker containers and IdentityServer basically you have two options:

• 将证书添加到容器映像中( COPY certificate.pfx.)
• 将证书安装到容器中( -v/path/to/certificate.pfx:/certificate.pfx)

无论选择什么选项，唯一需要做的就是将以下配置代码添加到 Startup

Whatever option you choose, the only thing you need is to add the following configuration code to ConfigureServices in Startup

var identityServerBuilder = services.AddIdentityServer();
/* store configuration and etc. is omitted */
if (_hostingEnvironment.IsDevelopment())
{
    identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
    var certificate = new X509Certificate2("certificate.pfx", "certificate_password");
    identityServerBuilder.AddSigningCredential(certificate);
}

从配置，环境变量或机密存储中读取证书密码也是一个好主意.

Also it would be a good idea to read certificate password from configuration, environment variable or secrets storage.

这篇关于IdentityServer4:在Docker中时如何从证书存储加载签名证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！