How to Use IdentityServer in ASP.NET Core with Certificate Signing?

Creating and Adding the Certificate

To create and add a certificate to your machine's certificate store, we will be using the PowerShell New-SelfSignedCertificate applet. This is the recommended method as the previously used MakeCert tool is now deprecated.

Open your PowerShell and run the following command:
New-SelfsignedCertificate
-KeyExportPolicy Exportable
-Subject "CN=MyIdsvCertificate"
-KeySpec Signature
-KeyAlgorithm RSA
-KeyLength 2048
-HashAlgorithm SHA256
-CertStoreLocation "cert:\LocalMachine\My"

This command will create a new self-signed certificate with the subject set to "CN=MyIdsvCertificate" and store it in the local machine's certificate store. To verify if the certificate has been installed correctly, follow these steps:

1.Press Win + R to open the Run prompt.
2. Type mmc and hit Enter.
3. In the MMC window, go to File > Add/Remove Snap-in.
4. Select Certificates and click Add.
5. Choose Computer account, click Next, select Local computer, click Finish, and then click OK.
6. Browse to Certificates > Personal > Certificates. You should see a certificate issued to MyIdsvCertificate.

Granting Permissions of the Certificate

After creating the certificate, you need to grant read permission to the Windows identity running IIS (or the identity serving your Identity Server app). This step is crucial to avoid the "Keyset does not exist" error when Identity Server attempts to use the key.
To grant permissions on the certificate, follow these steps:

1. Locate the folder %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys.
2. Find the file with a timestamp matching the time you created the certificate.
3. Right-click the file and select Properties.
4. Go to the Security tab and click Edit.
5. Add the Windows identity running IIS and grant it Read access.
6. Click OK to save the changes.

If you encounter any issues, you can refer to the IdentityServer4 GitHub Issues forum or the Microsoft Support site for more detailed explanations and solutions.

Configuring IdentityServer to Use the Certificate

Now that the certificate has been created and the necessary permissions have been granted, we can configure Identity Server to use the certificate.
In your ASP.NET Core application, open the Startup.cs file and locate the Configure Services method. Add the following code:

 

public void ConfigureServices(IServiceCollection services)
{
    // ...
    // Configure some awesome services
    // ...

    var identityServer = services.AddIdentityServer(...options...)...AddStuff()...;

    if (_env.IsDevelopment())
    {
        identityServer.AddDeveloperSigningCredential();
    }
    else
    {
        identityServer.AddSigningCredential("CN=MyIdsvCertificate");
    }

    // ...
    // Configure more awesome services
    // ...
}

 

In the code snippet above, we first check if the application is running in the development environment. If it is, we use the AddDeveloperSigningCredential method to add a developer signing credential. This is convenient for development purposes, but should be replaced with a proper certificate in production.

If the application is not in the development environment, we use the AddSigningCredential method and provide the certificate's subject name (CN=MyIdsvCertificate) as the parameter. Remember to replace CN=MyIdsvCertificate with the actual subject name of your certificate. You can also retrieve the name from a config file at runtime if needed.

Verifying the Configuration

To verify if your Identity Server is configured properly, you can navigate to the discovery document URL in your browser. The URL should be in the following format: https://your.domain.com/.well-known/openid-configuration.

When you visit this URL, you should see a JSON document containing various endpoints and configurations related to your Identity Server. This document confirms that your Identity Server is up and running with the correct configurations.

Troubleshooting Common Issues

During the process of creating and configuring the certificate, you may encounter some common issues. Let's take a look at these issues and their possible solutions:

Missing Definition of IdentityServer Type in appsettings.json

If you encounter a NullReferenceException with the message "Object reference not set to an instance of an object" in the

IdentityServerJwtBearerOptionsConfiguration.ResolveAuthorityAndKeysAsync method, it indicates that the definition of the IdentityServer type is missing in the appsettings.json file. Make sure the configuration includes the necessary details such as the client project name and profile.

Invalid Certificate Store Location

If you receive an InvalidOperationException with the message "Invalid certificate store location", it means that the certificate store location specified in the appsettings.json file is incorrect or missing. Double-check the FilePath and ensure it points to the correct location of the certificate file.

Missing Certificate File or Incorrect Password

If you encounter an ArgumentNullException with the message "Value cannot be null" or an InvalidOperationException with the message "There was an error loading the certificate. No password was provided", it suggests that either the certificate file is missing or the password provided is incorrect. Verify the file path and ensure that the correct password is provided in the appsettings.json file.

Incorrect Certificate Password or Insufficient Permissions

If you receive an InvalidOperationException with the message "There was an error loading the certificate. Either the password is incorrect or the process does not have permissions to store the key in the Keyset 'DefaultKeySet'", it indicates that the certificate password is incorrect or the process does not have sufficient permissions to store the key. Check the password and ensure that the process has the necessary permissions.

Temporary Profile or Missing ApplicationPoolIdentityReference

If you encounter an InvalidOperationException with the message "There was an error loading the certificate. Either the password is incorrect or the process does not have permissions to store the key in the Keyset 'DefaultKeySet'" and the description mentions a temporary profile or missing ApplicationPoolIdentityReference, it suggests that the user profile is temporary or the ApplicationPoolIdentityReference is missing. Make sure the user profile is not temporary and that the ApplicationPoolIdentityReference is correctly configured.

By following the steps outlined in this article and troubleshooting common issues, you can successfully use IdentityServer in your ASP.NET Core application with certificate signing. This will enhance the security and authentication capabilities of your application, providing a more robust and reliable user experience.

  • Asp.Net core, ASP.NET Core Web App (C#), core 7, certificate signing, IdentityServer, ASP.NET
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to publish ASP.NET Core from visual studio 2022 as Self-Contained?

Here is instruction how to publish ASP.NET core with self contained (i.e. where all the...

How to turn off dotnet app by using the App Offline file app_offline.htm?

However,  dotnet application is loading .dll/.exe files in an individual process to run the...

how to create simple webscoket in ASP.NET with SignalR?

1.) Create "ASP.NET Core Web App (C#)" in Visual Studio 2.) Add the SignalR client library In...

How to fix HTTP Error 404 when download static file in ASP.NET core?

You may get an HTTP Error 404 when browsing/downloading a static file like .Apk when the client...

Powered by WHMCompleteSolution