19
votes

I created the template Angular / ASP.NET Core with authorisation support using this command:

dotnet new angular --auth Individual

This is an:

  • ASP.NET Core 3.0 App with
  • ASP.NET Core Identity for authenticating and storing users,
  • IdentityServer4 for implementing Open ID Connect,
  • Angular SPA,

All pre-configured to work together.

Before I deploy my app based on this template, I'm trying to first deploy this template app to IIS.

I've deployed the app to IIS and have a database set up and the app connected to it just fine, but I'm stuck. I am not sure how to create and configure the production certificate to use for signing tokens.

At this point in the Microsoft docs it briefly mentions "A production certificate to use for signing tokens." and gives an example for deployment to Azure.

How do I create the key in IIS? Do you do something here? IIS Server Certificate

Then how do I then add the correct settings to appsettings.json?

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "CurrentUser",
    "Name": "CN=MyApplication"
  }
}

I'm struggling to find any guides or examples on the net; any help or pointer in the right direction would be appreciated.

4
To resolve the "Exception Info: System.InvalidOperationException: Couldn't find a valid certificate with subject 'test' on the 'LocalMachine\Personal'" error, click the Start button, type "Certmgr.msc" or "Manage computer certificates", and check under which section your certificate is stored. - Jalpa Panchal
So this appears to show me Certificates - Current User, under which I can find the server certificate I made called test under Trusted Root Certification Authorities ... however setting Type: Store, StoreName: Trusted Root Certification Authorities, StoreLocation: CurrentUser, Name: test also doesn't work... same error. :/ - marno11
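One way to do what the question asks on the IIS host, as an added example in PowerShell (not code from the question or from the Microsoft docs it cites): create the signing certificate, then reproduce the lookup the template's key loader performs so the appsettings.json values can be checked before the site is started. The subject CN=MyApplication, the LocalMachine\My store and the two-year lifetime are assumptions. The loader opens the store by its system name and searches by the full subject distinguished name, which is why "StoreName" is "My" (the store the MMC labels "Personal") and "Name" carries the "CN=" prefix.

```powershell
# Added example, not code from the question or from the Microsoft docs.
# Run in an elevated PowerShell on the IIS host. The subject, store and
# lifetime below are assumptions; replace them with your own values.
using namespace System.Security.Cryptography.X509Certificates

$Subject = 'CN=MyApplication'   # placeholder subject (the docs use CN=MyApplication)

# A self-signed RSA-2048 signing certificate in the machine's "Personal" store.
# Exportable so it can also be written to a .pfx for Azure or the "File" key
# type; use -KeyExportPolicy NonExportable if it will only ever be used from here.
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -FriendlyName 'MyApplication token signing' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(2)

# Reproduce the lookup the template's key loader performs: it opens the store by
# its system name ("My" is the store the MMC labels "Personal") and searches by
# the full subject distinguished name, so "Name" must include the "CN=" prefix.
$store = [X509Store]::new('My', [StoreLocation]::LocalMachine)
$store.Open([OpenFlags]::ReadOnly)
$found = $store.Certificates.Find([X509FindType]::FindBySubjectDistinguishedName, $Subject, $false)
$store.Close()

if ($found.Count -eq 0) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
$c = $found[0]
if (-not $c.HasPrivateKey) { throw 'Certificate has no private key; it cannot sign tokens' }
if ([RSACertificateExtensions]::GetRSAPublicKey($c).KeySize -lt 2048) { throw 'Key must be at least 2048 bits' }
if ($c.NotAfter -lt (Get-Date) -or $c.NotBefore -gt (Get-Date)) { throw 'Certificate is not currently valid' }
"Found $($c.Subject), thumbprint $($c.Thumbprint), valid until $($c.NotAfter)"

# The appsettings.json fragment that matches the certificate just created.
@{ IdentityServer = @{ Key = @{
    Type = 'Store'; StoreName = 'My'; StoreLocation = 'LocalMachine'; Name = $Subject
} } } | ConvertTo-Json -Depth 4
```

If the script throws at the Find step, the certificate is in a different store or has a different subject than the configuration names, which is the same condition behind the "Couldn't find a valid certificate" exception in the comments. The application pool identity additionally needs read access to the certificate's private key before the site can sign with it.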

4 Answers

12
votes

I also found that the documentation is not comprehensive enough. I managed to deploy an Angular app to Azure. I'm not sure if it is similar to the deployment to IIS, but maybe this could help you find the solution for your problem.

Deployment to Azure:

First you have to upload the (self-signed) certificate (.pfx) to Azure App Service. I used this guide to create a self-signed certificate.

upload certificate image

You also have to make the certificate available by adding the thumbprint to the application settings. See image.

Adding Certificate thumbprint to app service

Don't forget to update your appsettings.json so your app can access the certificate from the previous step.

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "CurrentUser",
    "Name": "CN=yourApp-domain.com"
  }
}

If you encounter a problem, change the environment variable in App Service to "Development" to see detailed information about the error, like this.

change environment variable

6
votes

For now I have worked around this problem by exporting the certificate to a file. Under Server Certificates in IIS you can right-click a certificate and export it.

Then you can configure the key parameters in appsettings.json to reference a file like so:

"Key": {
  "Type": "File",
  "FilePath": "..\\test.pfx",
  "Password": "Test"
}

I would still like to reference a store certificate.

3
votes

So this should be fairly straightforward to configure for development purposes. In IIS you can issue yourself a self-signed certificate, which will naturally only be valid on your local machine.

Give it some name and, if you don't change anything else, click OK; by default it will store the generated certificate in your Personal store for LocalMachine, so the config below should work:

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "LocalMachine",
    "Name": "CN=YourName"
  }
}


It is worth noting that if you try to import a certificate from somewhere else, it must have at least a 2048-bit key for IdentityServer4 purposes.
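The .pfx route that the Azure answer and the "File" key type above both rely on, scripted as an added example (not code from any of the answers): export the store certificate to a password-protected .pfx, load the file the way the app will, and apply the 2048-bit check from the answer above. It also shows a way to keep the .pfx password out of appsettings.json. The subject, the output path and the DefaultAppPool identity are placeholders.

```powershell
# Added example, not code from any of the answers. Exports the signing
# certificate to a password-protected .pfx (for the "File" key type or for
# upload to Azure App Service), then loads the file the way the app will.
# Subject, output path and application pool name are placeholders.
using namespace System.Security.Cryptography.X509Certificates

$Subject = 'CN=MyApplication'
$PfxPath = 'C:\inetpub\certs\MyApplication.pfx'

$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# Prompt for the password instead of writing it into the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Load it as X509Certificate2(path, password), which is what the app does, and
# apply the checks that matter: a private key, at least 2048 bits (see the
# answer above), and a validity window that includes now.
$loaded = [X509Certificate2]::new($PfxPath, $pfxPassword)
if (-not $loaded.HasPrivateKey) { throw 'The .pfx does not contain the private key' }
$bits = [RSACertificateExtensions]::GetRSAPublicKey($loaded).KeySize
if ($bits -lt 2048) { throw "Key is $bits bits; at least 2048 is required" }
if ($loaded.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($loaded.NotAfter)" }
"OK: $($loaded.Subject), thumbprint $($loaded.Thumbprint), $bits-bit key"

# Lock the file down to administrators and the application pool identity (read only).
icacls $PfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' 'IIS AppPool\DefaultAppPool:(R)' | Out-Null

# Keep the password out of appsettings.json. ASP.NET Core configuration maps the
# environment variable IdentityServer__Key__Password onto IdentityServer:Key:Password,
# so set it in the hosting environment (the environmentVariables element of the
# aspNetCore section in web.config on IIS, or an application setting in App
# Service) and ship only the path in the file:
@{ IdentityServer = @{ Key = @{ Type = 'File'; FilePath = $PfxPath } } } | ConvertTo-Json -Depth 4
```

The same .pfx is what the Azure answer uploads to App Service; there the password is entered in the portal at upload time, and the thumbprint printed by the script is the value to put in the application setting that exposes the certificate to the app.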

0
votes

Create a new certificate in PowerShell as Administrator if you don't have a certificate already:

New-SelfSignedCertificate -DnsName "blazortest" -CertStoreLocation "cert:\CurrentUser\My"

I then used mmc.exe to export the certificate as a .pfx file.

If you host on IIS you need to import the .pfx certificate into the Personal folder for Local Computer, then select Manage Private Keys... and give access to the user running the application pool.


Complete answer from another thread, about the IdentityServerBuilderConfigurationExtensions publish exception:

https://stackoverflow.com/a/66448397/3850405
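The "Manage Private Keys..." step from the answer above, scripted as an added example (not code from the answer): find the file that holds the certificate's private key and grant the application pool identity read access to it. The subject and the application pool name "MyApplication" (identity "IIS AppPool\MyApplication") are placeholders; the pool must already exist on the host for the identity to resolve.

```powershell
# Added example, not code from the answer above: scripts the "Manage Private
# Keys..." step so the application pool identity can read the signing key.
# Subject and application pool name are placeholders; the pool must exist.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Security.AccessControl

$Subject = 'CN=MyApplication'
$AppPoolIdentity = 'IIS AppPool\MyApplication'

$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; nothing to grant access to' }

# Locate the private key file. Keys created by New-SelfSignedCertificate, or
# imported with the default provider, are CNG keys under
# ProgramData\Microsoft\Crypto\Keys; legacy CSP keys live under RSA\MachineKeys.
$rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFile = switch ($rsa) {
    { $_ -is [RSACng] } {
        Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($_.Key.UniqueName)"
    }
    { $_ -is [RSACryptoServiceProvider] } {
        Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($_.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    default { throw "Unexpected private key type $($rsa.GetType().Name)" }
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# Signing only needs Read; do not hand the pool Full Control over the key.
$acl = Get-Acl $keyFile
$acl.AddAccessRule([FileSystemAccessRule]::new($AppPoolIdentity, [FileSystemRights]::Read, [AccessControlType]::Allow))
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting access entry for the pool identity.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppPoolIdentity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Granting Read here is equivalent to ticking Read for the pool identity in the Manage Private Keys dialog; if the pool runs under a custom account rather than the virtual "IIS AppPool\<name>" identity, put that account name in $AppPoolIdentity instead.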