2017-04-07 73 views
7

IdentityServer4: how to load the signing certificate from the certificate store when running in Docker

We have an IdentityServer4-based STS running successfully on Windows, with the signing certificate installed on the local machine under Personal > Certificates (as .CER and .PFX) and under Trusted People > Certificates. We were able to load the signing certificate by its common name as follows:

services.AddIdentityServer() 
    .AddSigningCredential("CN=CERT_NAME") 
    ... 

We are now trying to run our STS implementation inside a Docker container and have run into the following exception:

Unhandled Exception: System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores. 
    at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags) 
    at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags) 
    at IdentityModel.X509CertificatesFinder.Find(Object findValue, Boolean validOnly) 
    at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderExtensionsCrypto.AddSigningCredential(IIdentityServerBuilder builder, String name, StoreLocation location, NameType nameType) 

Based on the error message above and on the source of the AddSigningCredential method we use here: https://github.com/IdentityServer/IdentityServer4/blob/ec17672d27f9bed42f9110d73755170ee9265116/src/IdentityServer4/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs#L73, it seems clear that our problem is that IdentityServer4 looks for the certificate in the local machine's Personal ("My") store, but, according to the error message, that store is not available in a Unix environment.

So I am curious whether there is any best practice for loading IdentityServer4 signing certificates in a Docker container, given that loading them by name or thumbprint is not possible. Is the only option to bundle the certificate into our application and then load it by file name?

Thanks for any help you can provide!

+1

Hi Sean, did you solve this problem? – xszaboj

+0

@xszaboj It seems that it is actually implemented in .NET Core 2 (at least CurrentUser\My), see https://github.com/aspnet/DataProtection/issues/125. This is not the case for LocalMachine\My – Bidou

Answer

0

I am developing on a Windows machine; I use the following code to get the certificate from the store:

using System.IO;
using System.Security.Cryptography.X509Certificates;
using Serilog;

X509Certificate2 cert = null;

// Look the certificate up by thumbprint in the current user's Personal store.
// The using block disposes the store whether or not a certificate was found.
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    certStore.Open(OpenFlags.ReadOnly);

    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        "thumbprint", // the certificate's thumbprint, with no spaces or hidden characters
        false);
    if (certCollection.Count > 0)
    {
        cert = certCollection[0];
        Log.Logger.Information($"Successfully loaded cert from registry: {cert.Thumbprint}");
    }
}

if (cert == null) // Fallback: load the PFX shipped with the application
{
    cert = new X509Certificate2(Path.Combine(_env.ContentRootPath, "certificate.pfx"), "password");
    //Log.Logger.Information($"Falling back to cert from file. Successfully loaded: {cert.Thumbprint}");
}
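As an added example (not code from the question or the answer above), the following helper keeps the LocalMachine\My lookup on Windows and, in the Linux container where that store does not exist, loads the PFX from a file mounted into the container, with the path and password taken from environment variables; the variable names and the extension-method name are my own. It then passes the X509Certificate2 to IdentityServer4's AddSigningCredential(X509Certificate2) overload, so the certificate and its password never need to be baked into the image.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialSetup
{
    // Hypothetical variable names; set them on the container (e.g. from a mounted secret).
    private const string PfxPathVar = "STS_SIGNING_PFX_PATH";
    private const string PfxPasswordVar = "STS_SIGNING_PFX_PASSWORD";

    public static X509Certificate2 LoadSigningCertificate(string subjectName)
    {
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            // Windows: the same LocalMachine\My lookup the string overload performs.
            using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadOnly);
                var matches = store.Certificates.Find(
                    X509FindType.FindBySubjectDistinguishedName, subjectName, false);
                if (matches.Count > 0)
                    return matches[0];
            }
            throw new InvalidOperationException($"Certificate '{subjectName}' not found in LocalMachine\\My.");
        }

        // Linux container: LocalMachine\My is unavailable, so load the PFX from a file
        // mounted into the container; the password comes from the environment, not the image.
        var pfxPath = Environment.GetEnvironmentVariable(PfxPathVar)
                      ?? throw new InvalidOperationException($"{PfxPathVar} is not set.");
        if (!File.Exists(pfxPath))
            throw new FileNotFoundException("Signing certificate PFX not found.", pfxPath);

        var cert = new X509Certificate2(pfxPath, Environment.GetEnvironmentVariable(PfxPasswordVar));
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key; tokens cannot be signed.");
        return cert;
    }

    // Usage in Startup.ConfigureServices:
    //   services.AddIdentityServer().AddSigningCredentialFromEnvironment("CN=CERT_NAME");
    public static IIdentityServerBuilder AddSigningCredentialFromEnvironment(
        this IIdentityServerBuilder builder, string subjectName)
    {
        return builder.AddSigningCredential(LoadSigningCertificate(subjectName));
    }
}
```

The private-key check matters because a .CER (public key only) loads without error but cannot sign tokens, and the failure would otherwise surface only at the first token request.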