I'm trying to implement SSO SAML authentication in .Net Core 3.1 with Azure AD
Following this Guid Here
My questions are:
Can I remove the code that refers to SigningCertificatePassword (.pfx file) and add reference to my .cer file because Azure Ad only Give .cer/.pem files and while ITfoxtec SAML 2.0 only support .PFX file so How can I convert those files?
A PFX is a complete bundle (Keystore) consisting of a certificate and its private key. So if you have got both then you can add those entities to the Keystore.
openssl pkcs12 -inkey private_key.pem -in certificate.cert -export -out keystore.pfx
A PXT certificate contain both the privat and public key. a DER certificate only contain the public key.
You need to create you own PXT certificate for your application or possible use the same certificated used for TLS/SSL.
.NET sample code which show how to create a certificate in .NET:
https://github.com/ITfoxtec/FoxIDs.Samples/blob/b6dd1f8211015a5b366ce2b062dde481e38848fc/src/FoxIDs.SampleHelperLibrary/TestCertificate.cs
using (var rsa = RSA.Create(2048))
{
var certRequest = new CertificateRequest(
$"CN={cn}, O=FoxIDs",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
certRequest.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
certRequest.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(certRequest.PublicKey, false));
certRequest.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyAgreement,
false));
var now = DateTimeOffset.UtcNow;
var cert = certRequest.CreateSelfSigned(now.AddDays(-1), now.AddYears(100));
File.WriteAllBytes(PfxFile(path, cn), cert.Export(X509ContentType.Pfx));
File.WriteAllBytes(CrtFile(path, cn), cert.Export(X509ContentType.Cert));
}
Related
I am new in IdentityServer4 and trying to create JSON Web token. For development I have used AddDeveloperSigningCredential but for other environments I need to use AddSigningCredential but I do not know how to get certificate. I don't have any certificate actually and not sure how can I generate it? Can anyone provide some inputs how to generate certificate and use with AddSigningCredential and then after creation of token, how can I validate token using same certificate in API
After generation of certificate as described in comments. I have added following code
Code in identity server
services.AddIdentityServer() .AddAspNetIdentity() .AddConfigurationStore(options => { options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, opt => opt.MigrationsAssembly(migrationAssembly)); }) .AddOperationalStore(options => { options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, opt => opt.MigrationsAssembly(migrationAssembly)); }) .AddSigningCredential(certificate);
Code in API
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.Authority = "localhost:44339"; });
Issuer is
{"issuer":"localhost:44339","jwks_uri":"https://…" I have fetched this information from
https://localhost:44339/.well-known/openid-configuration
I am getting 401 error in postman and getting error is WWW-Authenticate: Bearer error="invalid_token", error_description="The audience 'policyservice' is invalid"
You can use any tool that can generate a private/public key pair.
In the example below I use openssl.
First we create a RSA private key:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out rsa-private-key.pem
Then you can create a certificate using :
openssl req -new -x509 -key rsa-private-key.pem -days 365 -subj "/CN=MyRSACert" -out rsa-cert.crt
Then you can package up the cert and private key into a .pfx file:
openssl pkcs12 -export -inkey rsa-private-key.pem -in rsa-cert.crt -out rsa.pfx
Then in code you can load the cert using:
var rsaCert = new X509Certificate2("rs256.pfx", "yourpassword");
Then to add it to IdentityServer you can use:
services.AddIdentityServer()
...
.AddSigningCredential(rsaCert)
I am getting error: "javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null" while running the java application on my local machine.
I have created the key stores like following and added the jks file in classpath. Still the error is not resolved.
#Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:samlKeystore.jks");
String storePass = "password";
Map<String, String> passwords = new HashMap<String, String>();
passwords.put("username", "password");
String defaultKey = "username";
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
Can anyone please help me with it ?
I am using Spring SAML as service provider and Salesforce as IdP.
This is probably because the certificate is self-signed. For test purposes you can add your local CA to the trusted authorities:
keytool -list -keystore [...]/jre/lib/security/cacerts
For production the certificate should be signed by a recognised authority.
I'm trying to make a client connect to some servers via https, using openssl library.
The call stack is something like this:
SSL_library_init();
SSL_load_error_strings();
SSL_CTX *ctx = SSL_CTX_new(TLSv1_method());
SSL_CTX_load_verify_locations(ctx, "file_with_trusted_certificates", NULL);
SSL *ssl = SSL_new(ctx);
BIO *bio = BIO_new_socket(...);
SSL_set_bio(ssl, bio, bio);
SSL_connect(ssl);
SSL_get_verify_result(ssl);
I have 2 servers with ssl certificates, which I have extracted using openssl tool and put into "file_with_trusted_certificates" file:
openssl s_client -showcerts -connect server_url:443
The problem is the following: one server is validated (though if not using file_with_trusted_certificates it fails with error 19: self signed certificate in certificate chain), but the check of the second server always fails with error 20: unable to get local issuer certificate. When passing
"-CAfile file_with_trusted_certificates"
to openssl tool, both servers get validated.
What I am doing wrong, why doesn't the second server also get validated?
The servers have different ciphers, and the one that succeeds has secure renegotiation enabled.
EDIT:
The C client runs on a arm device, which has libssl v0.9.8. The openssl tool run on the embedded device yields the same result as the C application: error 20 for first server and OK for the other. Using a linux environment, the openssl tool yield OK for both server, but then, maybe the version of the C application would do the same.
After some trial-error, I managed to find the problem.
I needed to add the certificate of the issuer of the root certificate in the chain in "file_with_trusted_certificates" file, but I added just the root certificate in the chain:
Common name: Baltimore CyberTrust Root -> I added this
Issuer: GTE CyberTrust Global Root -> I needed to add the certificate of this
Interestingly, it was working for the other server because the root certificate in the chain was self-signed and authorized:
Common name: AddTrust External CA Root
Issuer: AddTrust External CA Root
In order to enable SSL in Appengine.
I try to enable SSL for my custom domain
So far I found this article:
setup SSL on AppEngine... Assigned URLs "empty"
openssl genrsa -out rsaprivkey.pem 1024
openssl req -new -x509 -key rsaprivkey.pem -out dsacert.pem
then I uploaded the generated .pem to google app SSL setting page
dsacert.pem > PEM encoded X.509 certificate
rsaprivkey.pem > Unencrypted PEM encoded RSA private key
However, I got this error message after Upload.
What should I do next?
Domain name in certificate should only contain allowed characters (RFC
1034).
Solve!
It this article
setup SSL on AppEngine... Assigned URLs "empty"
when open ssl asks you questions for your app's name, make sure to
include the entire url as in your answer, www.abc.com to secure
https://www.abc.com
But I didn't find any place to enter my app's name during the openssl pem generation at first.
finally I find out the domain should be filled in organization and common name fields.
http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
Organization Name (eg, company) [Internet Widgits Pty Ltd]: > example.com
Common Name (eg, YOUR name) > *.example.com
Google just announced SSL support for custom domain but I can't understand how it can be set-up as there is no way to generate Certificate Signing Request (CSR) on GAE ?!
http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2644386
Am I missing something ?
To expand on the above:
The following three steps should be sufficient to generate a private key and a self-signed certificate suitable for testing SSL on GAE on a linux box:
openssl genrsa -out yourdomain.com.key 1024
openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt
Disclaimer: It works but I do not know what I'm doing
Various programs exist to create a Certificate Signing Request (CSR.) I used 'openssl' on a linux machine to generate the Key and CSR.
1) I generated an Unencrypted PEM encoded RSA private key as specified by Google's SSL for a Custom Domain (https://cloud.google.com/appengine/docs/ssl)
cd $HOME
openssl genrsa -out rsa_private_key.key 2048
2) Use the 'rsa_private_key.key' to generate the required Certificate Signing Request (CSR) file.
openssl req -new -key rsa_private_key.key -out request.csr
You will be asked the following questions:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Illinois
Locality Name (eg, city) []: Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Chicago Company, Ltd.
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: checkout.customedomain.com
Email Address []:
I ignored two additional questions and everything worked fine. The 'request.csr' located on your home directory ($HOME) is the CSR file needed by the Certificate Authority provider to generate your certificate(s). Again, it doesn't have to be openssl: Many tools for various platforms are supported by providers. Just keep in mind Google's requirements.
A side note regarding Custom Domains:
Make sure your CUSTOM DOMAIN includes a subdomain or 'Full Qualified Domain Name.' The 'www.' is considered a subdomain and it's ALWAYS required for ssl in Google Appengine (10/2014.) So in my example if I wanted SSL at customedomain.com I would add 'www.customedomain.com' You can re-direct your naked domain to your Full Qualified Domain Name.
Google Appengine DOES NOT provide SSL support for naked domains like: https://customedomain.com
This is reposted from my answer at:
How to get .pem file from .key and .crt files?
I was trying to go from godaddy to app engine. What did the trick was using this line in the terminal (mac) to generate the the key and csr:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
Also, what follows that is a bunch of questions and I answered all the questions pertaining to common name / organization as www.name.com , and I skipped the pass code and company name by just pressing enter
Then I opened the .csr file, copied it, pasted it in go daddy's csr form, waited for godaddy to approve it, then downloaded it, unzipped it, navigated to the unzipped folder in the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from the post Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate",
and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..
.. And that finally worked.
You need to generate a certificate with a CA and upload it. They aren't offering certificate creation as a service.