0 votes

I want to use Thinktecture IdentityServer 3 to provide STS to ASP.NET site but I don't know how to setup the certificates.

How do I use SelfHost (InMem with WS-Fed) Thinktecture Identity Server 3 as STS for a local IIS site?

The problem I have is as follows:

I've used this client in VS Development Server: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/MvcOwinWsFederation

with the SelfHost (InMem with WS-Fed): IdentityServer3.Samples/tree/master/source/SelfHost%20(InMem%20with%20WS-Fed)

It all works, connects, authenticates and displays claims.

But when I publish the client to a local IIS site called WSFedClient and it tries to authenticate against the same self-host STS, I get this error:

"The remote certificate is invalid according to the validation procedure."

I've followed this: https://github.com/IdentityServer/IdentityServer3/issues/553

...but I'm still confused about what it is I need to do.

Updated it a bit, let me know if it needs more. Have you worked with this Identity Server much? - JBurns
Not at all ... it really seems like this just comes down to a standard cert issue; the cert is failing validation, probably because the CA or root cert isn't in a Trusted Cert store for the machine. Make sense? - Lynn Crumbling
I'm sure you're correct. That's the part I don't understand unfortunately. What kind of cert do I need to make, how do I make it, and where do I then install it? - JBurns
Added an answer -- hope it's helpful. - Lynn Crumbling

3 Answers

0 votes

Try installing your cert into the "Trusted Root Certificate Authorities" store.

1) Launch the mmc. At the start menu, enter MMC.exe and hit enter.

2) Press control-M to add a module. Select Certificates, and click Add.

3) Select Computer account, then Next, select Local Computer, and hit Finish. Then hit OK.

4) Expand Certificates. Right-click on "Trusted Root Certificate Authorities", and select "All tasks", then "Import..."

5) Browse out to the cert and select it. You probably will need to check the box to allow it to be exported, which means you'll probably have to enter the password, which you should know, if you created it.
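The same import, done from an elevated PowerShell prompt instead of the MMC. This is an added example, not code from the answer above or from the IdentityServer project; it assumes the PKI module (Windows 8 / Server 2012 or later) and uses `C:\certs\sts.pfx` as a placeholder path for the self-host certificate. It differs from the MMC steps in one respect: the private key is imported into the Personal store and only the public certificate goes into Trusted Root.

```powershell
# Added example, not part of the answer: import the self-host STS certificate
# so the machine trusts it. C:\certs\sts.pfx is a placeholder path.
$pfxPath  = 'C:\certs\sts.pfx'
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Keep the private key in the machine's Personal store, where the self-host
# (or an IIS HTTPS binding) can use it. No -Exportable: the key stays put.
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $password

# The Trusted Root store only needs the public certificate, so export that
# part to a .cer and import just the .cer; the private key never enters Root.
$cerPath = Join-Path $env:TEMP 'sts-public.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the root store now holds it; this is the store that client-side
# chain validation ("The remote certificate is invalid...") consults.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```

If the STS certificate was issued by a separate development CA rather than being self-signed, import that CA's certificate into Trusted Root instead of the leaf; trusting the leaf directly only works when subject and issuer are the same certificate.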

0 votes

Check the following things regarding your certificate. Most probably point #2 below is causing this error.

  1. Check if the CA's root certificate exists in the Trusted Root Certification Authorities store.
  2. Check that the "Issued To" field of the certificate matches the host name of the identity server's endpoint URL.
  3. Check the expiry date of the certificate.
  4. Check that the certificate is not revoked by the CA.
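A diagnostic that runs those four checks against the certificate the STS endpoint actually presents, rather than against a file that may differ from what is bound to the port. This is an added example, not code from the answer or the IdentityServer project; it assumes the self-host STS listens on `https://localhost:44333` (placeholder, adjust to your endpoint) and PowerShell 3.0 or later on Windows. The function names `Get-RemoteCertificate` and `Test-StsCertificate` are the example's own.

```powershell
# Added example (not from the answer): fetch the endpoint's certificate and
# report chain trust, host name match, validity window and revocation.

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything here: the goal is only to capture what the server sends.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-StsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedHostName
    )
    $results = [ordered]@{}

    # 1. Chain trust (and, as a side effect, revocation): build the chain with
    #    an online revocation check and read the status flags Windows reports.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $results['ChainTrusted'] = ($flags -notcontains 'UntrustedRoot') -and ($flags -notcontains 'PartialChain')

    # 2. Host name: the subject CN or a DNS Subject Alternative Name must equal
    #    the host in the STS URL. SAN text is locale-formatted; "DNS Name=" is
    #    the English form.
    $names = @($Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @(($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1] })
    }
    $results['HostNameMatches'] = [bool]($names | Where-Object { $_ -ieq $ExpectedHostName })
    $results['NamesOnCertificate'] = ($names | Select-Object -Unique) -join ', '

    # 3. Validity window
    $now = Get-Date
    $results['WithinValidityPeriod'] = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -ge $now)
    $results['NotAfter'] = $Certificate.NotAfter

    # 4. Revocation, from the same chain build. A self-signed dev cert has no
    #    CRL distribution point, so expect "status unknown" rather than "revoked".
    $results['NotRevoked'] = $flags -notcontains 'Revoked'
    $results['RevocationStatusKnown'] = ($flags -notcontains 'RevocationStatusUnknown') -and ($flags -notcontains 'OfflineRevocation')
    $results['ChainStatusDetail'] = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    return [PSCustomObject]$results
}

# Usage against the assumed self-host endpoint:
$cert = Get-RemoteCertificate -HostName 'localhost' -Port 44333
Test-StsCertificate -Certificate $cert -ExpectedHostName 'localhost' | Format-List
```

Run it on the machine that hosts the IIS client, since that is the machine whose trust store the client's validation consults; a `ChainTrusted` of `False` with `UntrustedRoot` in the detail is the case point 1 describes, and `HostNameMatches` of `False` is point 2, which is what you will see if the IIS site reaches the STS by a name that is not on the certificate.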
0 votes

It looks like you must configure an SSL endpoint for the callback URI as well. That is WSFedClient in your sample.