21

In the identity server samples we find code like this in Startup.cs

var certFile = env.ApplicationBasePath + "\\idsrv3test.pfx";

var signingCertificate = new X509Certificate2(certFile, "idsrv3test");

How would I go about replacing this for production scenarios?

sunil
  • 5,078
  • 6
  • 28
  • 33

4 Answers4

16

For the record, the code proposed in the image posted by RuSs:

options.SigningCertificate = LoadCertificate();

public X509Certificate2 LoadCertificate()
{
    string thumbPrint = "104A19DB7AEA7B438F553461D8155C65BBD6E2C0";
    // Starting with the .NET Framework 4.6, X509Store implements IDisposable.
    // On older .NET, store.Close should be called.
    using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadOnly);
        var certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, validOnly: false);
        if (certCollection.Count == 0)
            throw new Exception("No certificate found containing the specified thumbprint.");

        return certCollection[0];
    }
}
Eric Boumendil
  • 2,318
  • 1
  • 27
  • 32
  • 2
    in In .NET 4.6 `X509Store` implementing `IDisposable` so do not need `store.Close()`. More details here http://stackoverflow.com/questions/18475558/what-is-the-implication-of-not-using-x509store-close-method – angularrocks.com Mar 21 '17 at 22:33
12

Get a dedicated cert - either via your PKI or self-generate one:

http://brockallen.com/2015/06/01/makecert-and-creating-ssl-or-signing-certificates/

Import the key pair into the Windows certificate store, and load it from there at runtime.

To step up security, some people deploy the keys to a dedicated device (called an HSM) or to a dedicated machine (e.g. behind a firewall). The ITokenSigningService allows moving the actual token signing to that separate machine.

leastprivilege
  • 18,196
  • 1
  • 34
  • 50
9

Recently I decided to revamp my token signing issuing process. If you're running Windows 10, you can use the awesome powershell cmdlet called New-SelfSignedCertificate.

Here is my example usage:

    New-SelfSignedCertificate -Type Custom
 -Subject "CN=TokenSigningForIdServer"
 -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3")
 -KeyUsage DigitalSignature
 -KeyAlgorithm RSA 
 -KeyLength 2048
 -CertStoreLocation "Cert:\LocalMachine\My"

Make sure you are running the command as an admin. You can obtain the certificate details by opening certlm.msc. It should be stored below Personal\Certificates.

Most of the flags should be obvious, apart from the -TextExtention one. It specifies that an Enhaced Key Usage field is set to the "Code Signing" value. You can play around with the algorithm used, key length, even add extentisons by refering to the following documentation page.

Evdzhan Mustafa
  • 3,645
  • 1
  • 24
  • 40
6

Here is how I load it from a thumbprint in my config: Click here to see image

RuSs
  • 1,725
  • 1
  • 29
  • 47