IdentityServer4 AddSignerCredentials RSA example - identityserver4

Getting ready to move our IdentityServer4 setup from dev to test, and I need to get the AddSignerCredentials() piece migrated from AddDeveloperCredentials(). I can generate a private and public RsaSecurityKey, but I'm unclear as to which RsaSecurityKey to pass to AddSignerCredentials(). The discovery endpoint somehow knows about the public key, but we'd want to sign tokens with the private key. Neither seems to work.
Is there an example of how to use this somewhere in the documentation that I missed?

Use OpenSSL to create the certificate using the following demo commands in your command prompt:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout IdentityServer4.key -out IdentityServer4.crt -subj "/CN=IdentityServer4.com" -days 3650
openssl pkcs12 -export -out IdentityServer4.pfx -inkey IdentityServer4.key -in IdentityServer4.crt -certfile IdentityServer4.crt
Install that certificate into your current user's certificate store.
Replace
AddDeveloperSigningCredential()
with
AddSigningCredential("ThumbprintOfCertificate", StoreLocation.CurrentUser, NameType.Thumbprint)
That's it.
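As an added example (not part of the answer above, and not IdentityServer4 project code), here is the same OpenSSL procedure scripted non-interactively, plus the two checks worth running before pasting the thumbprint into AddSigningCredential: the Windows "thumbprint" is the SHA-1 fingerprint of the DER certificate with the colons removed, and the .pfx must actually carry the private key, because the discovery endpoint only needs the public half but signing tokens needs the private one. The temp work directory, the CN and the export password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the answer or of IdentityServer4: the answer's OpenSSL
# steps scripted non-interactively, plus the checks to run before using the thumbprint.
# Placeholders: the temp work directory, the CN and the export password.
set -eu

WORK=$(mktemp -d)
CN="IdentityServer4.com"
PFX_PASS="changeit"    # placeholder; use a real secret outside a demo

make_signing_cert() {
    # Same as the answer's first command (self-signed, 10 years, unencrypted key).
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
        -keyout "$WORK/IdentityServer4.key" -out "$WORK/IdentityServer4.crt" \
        -subj "/CN=$CN" -days 3650 2>/dev/null
    # Bundle key and cert into the .pfx the Windows store imports. -passout replaces
    # the interactive export-password prompt; the redundant -certfile is dropped.
    openssl pkcs12 -export -out "$WORK/IdentityServer4.pfx" \
        -inkey "$WORK/IdentityServer4.key" -in "$WORK/IdentityServer4.crt" \
        -passout "pass:$PFX_PASS"
}

# The Windows "thumbprint" is the SHA-1 hash of the DER-encoded certificate, printed
# as upper-case hex without colons. This is the string to pass to AddSigningCredential.
thumbprint() {   # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# The discovery document only needs the public half, but signing tokens needs the
# private key, so a .pfx that carries only the certificate fails at the first token.
pfx_has_private_key() {   # $1 = .pfx file
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PFX_PASS" 2>/dev/null \
        | grep -q 'BEGIN .*PRIVATE KEY'
}

# Pull the certificate back out of the .pfx so its thumbprint can be compared with
# the .crt: this is what the store will report after import.
cert_from_pfx() {   # $1 = .pfx file, $2 = output PEM file
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" -out "$2" 2>/dev/null
}

main() {
    make_signing_cert
    echo "thumbprint: $(thumbprint "$WORK/IdentityServer4.crt")"
    pfx_has_private_key "$WORK/IdentityServer4.pfx" && echo "pfx contains the private key"
}

main
```

Paste the printed thumbprint as the first argument of AddSigningCredential. On a Linux host, where there is no user certificate store, the same .pfx can be loaded from the file as an X509Certificate2 and passed to the AddSigningCredential(X509Certificate2) overload instead. If an older Windows refuses to import a .pfx written by OpenSSL 3, the cause is the AES/PBKDF2 defaults of its pkcs12 command; re-export with the -legacy option there.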

Related

Chaining SSL Certificate

What have I done?
Generated an SSL root certificate and a normal certificate, and signed it using the root crt and OpenSSL from batch code:
openssl req -x509 -newkey rsa:4096 -days 1825 -keyout ca-key.pem -out ca-cert.pem
openssl req -newkey rsa:4096 -keyout server-key.pem -out server-req.pem
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
What is the issue?
When I open the signed server certificate, it doesn't show a chain that leads to the root certificate.
What result am I looking for?
A fix/new openssl command, or anything else, that would chain those certificates and can be done using a batch script.
The solution should look like this:
(But in the certificate path in image 1 you can't see the root one.)
PS: the YouTube tutorial I was using.
The certificate was detected as self-signed and the root CA wasn't installed.
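There is no full answer on the page, so as an added example (not the asker's batch code) here is the same CA-plus-server-certificate flow, non-interactive, with explicit subjects, a leaf extension file and the chain check a script can run. Subjects, file names and the extension file are placeholders constructed for this example, and 2048-bit keys keep the run short. Two things make the leaf chain cleanly: the CA and the server get different subjects (a certificate whose subject equals its issuer is self-issued, and a chain builder stops at it), and `openssl verify -CAfile` proves the signature relationship independently of any Windows trust store. A certificate viewer will still draw the path up to the root only after the root certificate is installed in the trusted root store, which is what the last comment says.

```shell
#!/bin/sh
# Added example (not from the question): non-interactive CA + server certificate with
# the chain check a batch script can run. Subjects, file names and the extension file
# are placeholders; 2048-bit keys are used only to keep the run short.
set -eu

WORK=$(mktemp -d)
CA_SUBJ="/CN=Example Root CA"    # placeholder subject
SERVER_SUBJ="/CN=localhost"      # placeholder; must differ from the CA's subject

make_ca() {
    # Self-signed root with an unencrypted key so the script needs no prompt. req -x509
    # marks it CA:TRUE (default openssl.cnf v3_ca, or OpenSSL 3's built-in defaults).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$SERVER_SUBJ" \
        -keyout "$WORK/server-key.pem" -out "$WORK/server-req.pem" 2>/dev/null
    # x509 -req copies no extensions from the CSR; give the leaf its own, otherwise it
    # has no SAN and clients reject it for the hostname even when the chain is fine.
    cat > "$WORK/server-ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
    openssl x509 -req -sha256 -days 365 -in "$WORK/server-req.pem" \
        -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/server-ext.cnf" -out "$WORK/server-cert.pem" 2>/dev/null
    # What a server hands out: leaf first, then the issuer. The root itself is normally
    # left out of the served chain and installed in the client's trust store instead.
    cat "$WORK/server-cert.pem" "$WORK/ca-cert.pem" > "$WORK/server-chain.pem"
}

# Exit 0 only if the leaf really chains to ca-cert.pem. This is the check to put in
# the batch script; it does not depend on what is installed in any Windows store.
verify_chain() {
    openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/server-cert.pem" >/dev/null
}

# Issuer and subject as printed by openssl; a self-signed cert has them equal.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//';  }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

main() {
    make_ca
    make_server_cert
    echo "leaf subject: $(subject_of "$WORK/server-cert.pem")"
    echo "leaf issuer:  $(issuer_of "$WORK/server-cert.pem")"
    verify_chain && echo "chain OK (files in $WORK)"
}

main
```

Run it once; if verify_chain passes but the Windows viewer still stops at the server certificate, the missing piece is the trust store, so import ca-cert.pem into Trusted Root Certification Authorities and reopen the leaf.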

Does create-react-app support elliptic curve certificates?

I'm setting up an https certificate for my react web page using create-react-app, and I've managed to make it work using a self-signed RSA certificate but not with a self-signed elliptic curve certificate (nor with a real EC certificate signed by a CA).
I've made .key and .crt with openssl:
rsa (works):
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out my_rsa.crt -keyout my_rsa.key
ecc (does not work):
openssl ecparam -genkey -name secp384r1 | openssl ec -out my_ecc.key && openssl req -x509 -new -key my_ecc.key -out my_ecc.crt
I've also made a CA-signed certificate with an elliptic curve key as explained in:
https://www.namecheap.com/support/knowledgebase/article.aspx/9446/14/generating-csr-on-apache-opensslmodsslnginx-heroku/
But it's not working either.
I'm using a .env.development file with the environment variables:
HTTPS=true
SSL_CRT_FILE=../../.ssl/my_.xxx.crt
SSL_KEY_FILE=../../.ssl/my_xxx.key
but when trying to execute npm start I get this error:
The certificate "/home/ba/.ssl/my_ecc.crt" is invalid.
error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype
Any help?
Thanks.
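The error names EVP_PKEY_encrypt_init, so whatever validated the pair tried public-key encryption with the EC key. EC keys do not support encryption (only signing and key agreement), so the check fails before the dev server starts. That is what react-scripts' HTTPS setup does: it encrypts a test string with the certificate's public key and decrypts it with the private key to confirm they belong together, which only works for RSA. The key pair itself is fine. As an added example (not from the question and not react-scripts' code), the following script builds both pairs as in the question, non-interactively, and contrasts an algorithm-agnostic key/cert match check with the RSA-only encrypt round trip that produces the error above. The subject and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the question, not react-scripts' code): both key pairs from
# the question built non-interactively, an algorithm-agnostic key/cert match check,
# and the RSA-only encrypt round trip that fails for EC. Placeholders: subject, paths.
set -eu

WORK=$(mktemp -d)
SUBJ="/CN=localhost"   # placeholder; the question used interactive prompts

make_rsa_pair() {
    openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes -subj "$SUBJ" \
        -out "$WORK/my_rsa.crt" -keyout "$WORK/my_rsa.key" 2>/dev/null
}

make_ecc_pair() {
    # -noout is the same as piping through `openssl ec`: it drops the EC PARAMETERS block.
    openssl ecparam -genkey -name secp384r1 -noout -out "$WORK/my_ecc.key"
    openssl req -x509 -new -sha256 -days 365 -subj "$SUBJ" -key "$WORK/my_ecc.key" \
        -out "$WORK/my_ecc.crt" 2>/dev/null
}

# Works for RSA, EC and Ed25519 alike: the SubjectPublicKeyInfo inside the certificate
# must equal the public key derived from the private key.
key_matches_cert() {   # $1 = private key file, $2 = certificate file
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Encrypt with the certificate's public key, decrypt with the private key. Only RSA
# supports EVP_PKEY_encrypt, so for an EC certificate the encrypt step fails with
# "operation not supported for this keytype", the message in the question.
encrypt_round_trip() {   # $1 = private key file, $2 = certificate file
    openssl x509 -in "$2" -pubkey -noout > "$WORK/pub.pem"
    printf 'test' > "$WORK/msg.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -in "$WORK/msg.txt" -out "$WORK/ct.bin" 2>/dev/null \
        && [ "$(openssl pkeyutl -decrypt -inkey "$1" -in "$WORK/ct.bin" 2>/dev/null)" = "test" ]
}

report() {   # $1 = label, $2 = key, $3 = cert
    if key_matches_cert "$2" "$3"; then echo "$1: key matches cert"; else echo "$1: MISMATCH"; fi
    if encrypt_round_trip "$2" "$3"; then echo "$1: encrypt round trip OK"; else echo "$1: encrypt round trip FAILED"; fi
}

main() {
    make_rsa_pair
    make_ecc_pair
    report rsa "$WORK/my_rsa.key" "$WORK/my_rsa.crt"
    report ecc "$WORK/my_ecc.key" "$WORK/my_ecc.crt"
}

main
```

The ecc line reports a matching pair and a failed round trip, which is exactly the state create-react-app rejects; the RSA certificate is the only kind its check accepts, so for local development keep RSA for the CRA dev server and use the EC certificate on the real front end.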

openssl RSA_verify succeeds after the openssl certificate has expired.

I created a self-signed openssl certificate using the commands below.
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 10 -in server.csr -signkey server.key -out server.crt
cat server.crt server.key > cert.pem
Using cert.pem and the RSA_sign function, I created a signature after the certificate expired (after 10 days).
The RSA_verify of the above signature still succeeds. Can you help me with this?
Best regards,
Poornima.M
RSA_verify() verifies the signature using the RSA public key; it does not deal with the public key certificate.
The public key and the key certificate are not the same thing; the public key resides in the public key certificate. So at the point where you extract the public key from the certificate, you have to check whether it has expired and avoid using it if it has.
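As an added example (not from the question or the answer), here is the same 10-day self-signed certificate built non-interactively, followed by the two separate checks the answer distinguishes: a signature verification with the public key taken out of the certificate, which is what RSA_verify() does and which succeeds no matter what the certificate's dates say, and the validity-period check you have to add yourself. Instead of waiting ten days, `openssl x509 -checkend` and `openssl verify -attime` evaluate the dates as of a chosen future time. File names are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answer): raw signature check versus
# certificate validity check for the 10-day self-signed certificate. Paths are
# placeholders; the work directory is a fresh temp dir.
set -eu

WORK=$(mktemp -d)
DAY=86400

make_short_lived_cert() {
    # The question's genrsa/req/x509 chain collapsed into one non-interactive command.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 -subj '/CN=localhost' \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    # The bare public key is all a verifier gets; notBefore/notAfter stay in the cert.
    openssl x509 -in "$WORK/server.crt" -pubkey -noout > "$WORK/server.pub"
}

sign_message() {   # $1 = file to sign; writes $1.sig (RSA PKCS#1 v1.5 over SHA-256)
    openssl dgst -sha256 -sign "$WORK/server.key" -out "$1.sig" "$1"
}

# Equivalent of RSA_verify(): public-key math only, knows nothing about expiry.
signature_ok() {   # $1 = signed file
    openssl dgst -sha256 -verify "$WORK/server.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# The check the answer asks for. $1 = seconds from now at which the certificate must
# still be valid (0 = right now). Exit 0 if still valid then, 1 if it will have expired.
cert_valid_in() {
    openssl x509 -in "$WORK/server.crt" -noout -checkend "$1" >/dev/null
}

# The same decision made by full chain validation, evaluated as of a given epoch time;
# this is how the "after 10 days" case is tested without waiting 10 days.
cert_verifies_at() {   # $1 = unix timestamp
    openssl verify -attime "$1" -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
    make_short_lived_cert
    printf 'hello' > "$WORK/msg.txt"
    sign_message "$WORK/msg.txt"
    now=$(date +%s)
    later=$((now + 11 * DAY))
    signature_ok "$WORK/msg.txt" && echo "signature: OK (and it will still be OK in 11 days)"
    cert_valid_in 0 && echo "certificate: valid now"
    if cert_verifies_at "$later"; then
        echo "certificate: valid in 11 days"
    else
        echo "certificate: expired in 11 days, do not use this public key then"
    fi
}

main
```

In code, do what the last two functions do before handing the key to RSA_verify(): compare the certificate's notAfter (X509_get0_notAfter) with the current time, or run the certificate through X509_verify_cert, and reject the key when that fails.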

Trying to get an SSL certificate from Comodo to work for Google App Engine [duplicate]

I'm currently inside the 30-day free trial for Google Apps for business (billing set up, so will start non-free trial soon). I'm attempting to set up SSL for a custom domain for a Google App Engine app, but am a bit of a noob at this stuff and the files I've accumulated aren't accepted by the Apps submission form.
I went through the following process:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
After filling in the cert. request information (with name www.mydomain.com), I had the two files CSR.csr and privateKey.key.
I used an SSL provider CheapSSLs.com to provide me with a certificate off this CSR.csr, and they've responded with a cert www_mydomain_com.crt.
However, on going through Google Apps Dashboard -> Security -> SSL for Custom Domains and uploading www_mydomain_com.crt and privateKey.key I'm given the error:
Both the private key and SSL certificate should be in unencrypted PEM format.
Any help? As far as I can tell, they are in that format: the private Key looks like:
-----BEGIN PRIVATE KEY-----
MIIEv...
...
...CftTU=
-----END PRIVATE KEY-----
and the .crt file looks like:
-----BEGIN CERTIFICATE-----
MIIFy...
...
...WJjk=
-----END CERTIFICATE-----
This was answered by a friendly member of the community and then immediately deleted (not sure why...) but not before I spotted his answer and used it, to great effect :)
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
The above two commands produce private.pem and public.pem, which are accepted fine by Google Apps dashboard.
Thank you!
For me, it was because my private.key was in the wrong format.
If your key starts with -----BEGIN PRIVATE KEY----- then you need to convert it to an RSA key.
openssl rsa -in private.key -out private_rsa.key
Then you should see -----BEGIN RSA PRIVATE KEY----- at the beginning of the private_rsa.key which you use with GAE.
Generate a new 2048-bit RSA key:
openssl genrsa -out myServer.key 2048
Convert an existing key to RSA:
openssl rsa -in myServer.key -out myServer-rsa.key
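As an added example (not the answers' own commands), here is a small script that tells the private-key PEM formats apart by their header and converts to the unencrypted PKCS#1 form (-----BEGIN RSA PRIVATE KEY-----) the dashboard accepted. `openssl req -newkey` writes PKCS#8 (-----BEGIN PRIVATE KEY-----), which is why the original upload was rejected. One caveat the answers predate: OpenSSL 3 writes PKCS#8 by default even from `openssl rsa`, so `openssl rsa -in private.key -out private_rsa.key` no longer changes the header there; the `-traditional` flag is needed, and the script adds it only when the installed OpenSSL has it (1.x lacks the flag). The first answer's `-text` flag is left out on purpose: it prepends a human-readable dump of the private-key components to the PEM block, and the file you upload should contain only the PEM. Paths, the subject and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not the answers' commands): detect a private key's PEM format and
# convert it to unencrypted PKCS#1 ("BEGIN RSA PRIVATE KEY"), on OpenSSL 1.x and 3.x.
# Placeholders: the temp work directory, the subject and the demo passphrase.
set -eu

WORK=$(mktemp -d)
# OpenSSL 3's `rsa` writes PKCS#8 unless told otherwise; 1.x has no -traditional flag.
TRAD=$(openssl rsa -help 2>&1 | grep -q -- '-traditional' && printf '%s' -traditional || true)

# Produce the key the way the question did (`openssl req -newkey`): PKCS#8.
make_pkcs8_key() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.mydomain.com' \
        -keyout "$WORK/privateKey.key" -out "$WORK/CSR.csr" 2>/dev/null
}

# Print one of: pkcs1, encrypted-pkcs1, pkcs8, pkcs8-encrypted, unknown.
key_format() {   # $1 = PEM file
    hdr=$(grep -- '-----BEGIN' "$1" | head -n1)
    case "$hdr" in
        *'BEGIN RSA PRIVATE KEY'*)
            # Traditional PEM encryption is flagged by a Proc-Type header, not the label.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-pkcs1; else echo pkcs1; fi ;;
        *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;
        *)                               echo unknown ;;
    esac
}

# Write $1 as unencrypted PKCS#1 to $2. Pass the passphrase as $3 if $1 is encrypted;
# the dashboard's "unencrypted PEM" requirement is met either way.
to_pkcs1() {
    if [ "$#" -ge 3 ]; then
        openssl rsa -in "$1" -passin "pass:$3" $TRAD -out "$2" 2>/dev/null
    else
        openssl rsa -in "$1" $TRAD -out "$2" 2>/dev/null
    fi
}

# The certificate needs no conversion; this just strips anything around the PEM block.
normalize_cert() {   # $1 = input cert, $2 = output PEM
    openssl x509 -inform PEM -in "$1" -out "$2"
}

main() {
    make_pkcs8_key
    echo "privateKey.key is $(key_format "$WORK/privateKey.key")"
    to_pkcs1 "$WORK/privateKey.key" "$WORK/private_rsa.key"
    echo "private_rsa.key is $(key_format "$WORK/private_rsa.key")"
}

main
```

If the key came from a CA's web generator or a Windows export it may be PKCS#8 encrypted instead; key_format reports pkcs8-encrypted and to_pkcs1 with the passphrase as the third argument yields the same unencrypted PKCS#1 file.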
