Question on Certificate.pfx and Azure #976
Comments
Don't reuse the certificate sample, it would make your application vulnerable. You have multiple options when it comes to generating/storing certificates/raw keys on Azure:
To generate an X.509 certificate locally, you can create a tiny console app and use the new
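The console-app approach described in the answer above, as an added example that is not the code from the comment and not OpenIddict's own: it uses .NET's `CertificateRequest` API to generate two dedicated self-signed RSA certificates, one whose key usage is limited to digital signature (token signing) and one limited to key encipherment (token encryption), and exports each as a password-protected PFX. Subject names, file names and the `PFX_PASSWORD` environment variable are assumptions.

```csharp
// Added example (not the code from the comment above): generate two dedicated
// self-signed certificates and export them as password-protected PFX files.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificateGenerator
{
    // Creates a self-signed RSA certificate whose key usage is restricted to the given flags.
    static X509Certificate2 CreateSelfSigned(string subject, X509KeyUsageFlags usage, int validYears)
    {
        using var rsa = RSA.Create(keySizeInBits: 2048);
        var request = new CertificateRequest(
            new X500DistinguishedName(subject),
            rsa,
            HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1);

        // Critical key-usage extension so the certificate cannot be repurposed.
        request.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        // Not a CA: basic constraints with cA=false.
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, critical: true));

        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5); // small clock-skew allowance
        return request.CreateSelfSigned(notBefore, notBefore.AddYears(validYears));
    }

    static void Main(string[] args)
    {
        // Hypothetical output directory; defaults to the current directory.
        var outputDirectory = args.Length > 0 ? args[0] : ".";

        // Read the PFX password from the environment instead of hardcoding it.
        var password = Environment.GetEnvironmentVariable("PFX_PASSWORD")
            ?? throw new InvalidOperationException("Set PFX_PASSWORD before running.");

        // Hypothetical subject names; one certificate per purpose.
        using var signing = CreateSelfSigned("CN=Example Token Signing",
            X509KeyUsageFlags.DigitalSignature, validYears: 2);
        using var encryption = CreateSelfSigned("CN=Example Token Encryption",
            X509KeyUsageFlags.KeyEncipherment, validYears: 2);

        File.WriteAllBytes(Path.Combine(outputDirectory, "signing-certificate.pfx"),
            signing.Export(X509ContentType.Pfx, password));
        File.WriteAllBytes(Path.Combine(outputDirectory, "encryption-certificate.pfx"),
            encryption.Export(X509ContentType.Pfx, password));

        // The thumbprints are what you would reference from the hosting configuration.
        Console.WriteLine($"Signing thumbprint:    {signing.Thumbprint} (expires {signing.NotAfter:u})");
        Console.WriteLine($"Encryption thumbprint: {encryption.Thumbprint} (expires {encryption.NotAfter:u})");
    }
}
```

The two-year validity means the certificates have to be regenerated and redeployed before they expire; the printed `NotAfter` dates are the values to put on a renewal calendar.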
Thank you @kevinchalet for the detailed answer. I have this question I'd like to ask: when you do a File New Project on a Blazor WebAssembly project with Individual User Accounts, it puts the server and client code in the same project. Part of the app is the wasm SPA, and when you register or log in a user, it redirects you to the views from the /Identity folder. In that sample I don't see it doing any certificate creation or signing, so is it doing everything implicitly internally, or is this step optional in certain setups? Am I missing something?
The VS templates use IdentityServer4 with a custom layer on top of it. That layer creates a "development" RSA key for you and persists it in
I see that Azure now provides a free TLS/SSL certificate. Could I create and use this same certificate for both token encryption and signing?
Technically, nothing prevents you from doing that, but I strongly encourage you to use self-signed certificates dedicated to this purpose, instead of trying to reuse a TLS certificate, free or not.
I am trying to deploy the same in Azure App Service (Linux). Even after adding the thumbprint I am getting the following exception.
Hi! Just curious what the problem with this might be. Will the cert be loaded and decrypted per request, or just at startup of the application? If it's the latter case, then that won't happen too often and would be fine in our case.
Hello, It seems to me that this would be the best option:
However, the local generation requires an expiration date to be set:
Does this mean I need to perform this step again 2 years from now and upload the new certificate to the Azure platform? It would be very nice to not have to do that. Is there a recommendation for that case? Thank you.
Am having the below error. Have added the cert file on the web root server.
2022-10-11 20:01:14.125 +03:00 [INF] Starting web host.
@dicksonkimeu https://support.abp.io/QA/Questions/3537/OpenIddict-WindowsCryptographicException-Access-is-denied should put you on the right track 😃
@dicksonkimeu FYI I updated the OpenIddict documentation to mention more clearly that the development certificates feature is not meant to be used on IIS/Azure App Service (https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-development-certificate) and I'll see with the ABP team whether they can also mention that in the ABP documentation: abpframework/abp#14312
Hi, I have a similar problem. I don't have a clear error message; only lines with an incorrect cert are displayed in the App Service console. Do you have an idea?
Error message: Unhandled exception. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.
I created an SSL certificate with openssl.
Then I applied the openssl pkcs12 command to export the pfx file from the key and pem files.
I keep the resulting pfx file in the project. When I defined the certificate on the OpenID server side as follows, the client API was able to send the auth code and receive the token.
Is there any downside to this process?
Should be fine, but consider using 2 separate certificates (one for signing, one for encryption) 😃
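Loading two dedicated PFX files kept in the project (as embedded resources, the approach mentioned in this thread) and registering them with OpenIddict, as an added example that is neither the commenter's code nor OpenIddict's own. The resource names, the `Certificates:PfxPassword` configuration key and the rest of the server configuration are assumptions; `AddSigningCertificate` and `AddEncryptionCertificate` are the OpenIddict server builder methods that take an `X509Certificate2`.

```csharp
// Added example (not the project's or the commenter's code): Program.cs of an ASP.NET Core
// host that loads two embedded PFX files and registers one certificate per purpose.
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// The PFX password comes from configuration (user secrets locally, app settings or a
// Key Vault reference in App Service), never from source control. Key name is assumed.
var pfxPassword = builder.Configuration["Certificates:PfxPassword"]
    ?? throw new InvalidOperationException("Certificates:PfxPassword is not configured.");

static X509Certificate2 LoadEmbeddedPfx(string resourceName, string password)
{
    var assembly = Assembly.GetExecutingAssembly();
    using var stream = assembly.GetManifestResourceStream(resourceName)
        ?? throw new FileNotFoundException($"Embedded resource '{resourceName}' was not found.");
    using var buffer = new MemoryStream();
    stream.CopyTo(buffer);

    // EphemeralKeySet keeps the private key in memory instead of persisting it to a
    // per-user key store, which a hosted process without a loaded user profile may
    // not be allowed to write to. A wrong password fails here with
    // "The specified network password is not correct".
    return new X509Certificate2(buffer.ToArray(), password, X509KeyStorageFlags.EphemeralKeySet);
}

// Hypothetical resource names: <RootNamespace>.<Folder>.<FileName>.
var signingCertificate = LoadEmbeddedPfx("MyApp.Certificates.signing-certificate.pfx", pfxPassword);
var encryptionCertificate = LoadEmbeddedPfx("MyApp.Certificates.encryption-certificate.pfx", pfxPassword);

// Fail fast at startup rather than issuing tokens with an expired certificate.
if (signingCertificate.NotAfter < DateTime.Now || encryptionCertificate.NotAfter < DateTime.Now)
{
    throw new InvalidOperationException("A token certificate has expired; generate and deploy a new one.");
}

builder.Services.AddOpenIddict()
    .AddServer(options =>
    {
        // One certificate per purpose, as recommended in the thread.
        options.AddSigningCertificate(signingCertificate);
        options.AddEncryptionCertificate(encryptionCertificate);
        // Endpoints, flows and the ASP.NET Core integration are configured here as usual.
    });

var app = builder.Build();
app.Run();
```

Because the certificates are loaded once at startup, the PFX decryption cost is paid once per process, not per request. `EphemeralKeySet` is not supported on macOS, so a developer machine on that platform needs a different storage flag; the hosted Windows and Linux environments discussed here accept it.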
I am using this approach because I am deploying the API to the Azure Free Tier, so uploading a cert is not possible. I generated and uploaded the 2 .pfx files to the server root. Running the 'dotnet .dll' command at the server root still gave me this error:
Am I doing anything wrong or missing anything?
@vohoanvu hard to say without seeing the stack trace of the inner exception, but have you tried to set
@kevinchalet This statement in the docs threw me off and made me think I was not supposed to touch the
I'm curious if your suggestion from your original answer here -
is still a viable solution? I'm trying to implement this for my API hosted in Azure (free tier), but seem to consistently get
when attempting to set the certificates from an embedded resource.
I have an ASP.NET Core MVC app running on Azure App Service; the site is using HTTPS and I'd like to use token authentication to protect some of the pages. I'm very new to token auth and OpenIddict. I read that a JWT token needs to be signed on the server, and I see in your MVC sample there is a
Certificate.pfx
provided. Should I check this file into source control and share it with other developers? And could I deploy it as is with my code to Azure, or do I need to create a new .pfx
file using some code on the fly, or manually put it somewhere on the server file system or Azure Key Vault? I see there is the following code for development purposes; is there an equivalent code snippet for production? I'd really appreciate any help and pointers on this. Thank you.