0

I am hosting my ASP.NET Core web app on CentOS. I need to setup the production signing key for Identity Server. This key is used for JWT token signing and validation.

File: tempkey.rsa

{
  "KeyId": "vbWO1QORQrwci26Cd7q59A",
  "Parameters": {
    "D": "IqOOHtuw10jHnCnrZbzh3TwA40q7KWuby22wl/ooRXn//XJktc8Hwe0JvxD8tvHtk4wfhzkUwiH+zY/cub+kI3oklD9diiWOjFIJcu+k9U9ocXg0ipvrk87rMM3x/u4im9HTYbkNU9Ru6pBdvb8ChAVWR5qOoSVDiFL1Yr8K+sSLix6nm6p0ax2CSf1sJEtNHDRrgI6mSOei97CpiuXpFX/JkwimqvbskcdQY91cgQ9poTWyuolFtFnOx0wSNEG4x1UWVsw85st5JHcU7pN0v1hhQZRcNYBfuZ7uHTFlhbkBip1D191pytSid8C4XTNiLbVPaY1pAqJhDLy6e7bi5Q==",
    "DP": "BVqSzlGs02ZFN9/xPug8VDZCxsReFmtd2xwhO8J7/JzGxxbbe9oq78q2blxDH6nY/I2M2DsKbm2BK2xE9ZHTkSuFHYw39OFHH3UZJNw8d3LMq8d2yZlzBTN21uKzVOwYd0zIchfvTIM3laOxW9j7sObOj8Nd/Pawkm2reFsmIzU=",
    "DQ": "BvpYLvxVPw7qrCtr6unhawV8ox4obq8WZEK/nu6hqBYxydW+zUJWv0fSYgygP9PYykGuTI+nYxCvm9rqw27uLoGsiEFT23Smzz5kDm0h+OzjJc5Wc+YL9wAI+O/xJ/Bi7uyKu+0eTMvG2Y5WpfYhJv2JZIWQUODHZ9SLDe8X3e8=",
    "Exponent": "AQAB",
    "InverseQ": "MKg8Pba2dyIsL3pumcR9e24fOZ8NIizJkTsDZoLkU2ccB6fFKfUioglHHL8ZEPKWT3ByJphJZv9JZIxgtCSLhFC1XcNLsWejPvEb6IMX9L1FIM7Ibo05L3tdZGTFsXwU9/3j2gk/ZFPKrnJXV9+6TToEAmxH7HIIPJONsfDBGho=",
    "Modulus": "nVpQtZgMHnpz9ZfnJs/sTkA8vqPldPe8IL9JQttcrE3RZKLKd+mrcleLqzrRtBCePHfLZMgoX19ShZeq2t4Ea6Sm+5SkV0l0862OD+ILnzFFqaqvQlra7UnRL2FXwxpp09LqLxoDq8fDXfHGOdMumP2TB6mozFgGWGBY9zlc9ctrDoSvfjsagcsLlp2LhCPAg4yCzyV/+4ADnls7NNnAc2Ba1MGFT5OJpfDggL+FXTMlHwTW8LJ9GsT4FAi5Z7dygLOnWc7zpl+Y9sSUtSNOAQlU+oX9VJQD6ZFbosM8nSHcjvCivpxAzOKn+5I6EQXis+pwne9VVjT27iv/NubG5Q==",
    "P": "z53dmREjm+MCchaWsvhPcWVWf7gGezix6KuGzMHa5vhVafrvv2rCy9aHSDWLpxPKb999/2Bw7ExI2b4DTuNkIJTLv/mQEl1PyhtbfLmclPHHbzTM9gnJ3nHrJhpj60/jbinFDkvzV++nqnTKToSgP2TNy5POXWn3FKNHgIxYNwM=",
    "Q": "wgXGJTOdv4B1owmtDmxucssRjWQzW0qEOCr/bBjT32ZofRI1HLBjOwnY4qzxmpD00voWLuphZSBUxtF47IZrrr33vNy2jedD3xy00fgBhuG0exxgQagCSTR0+QoccY8jOWYq2B+FsV9umpOEpgtqq67Moe/MkMp8Gg+8fqiLkfc="
  }
}

Now, I need to generate a production key for ASP.NET Core app. I am using Kestrel with Nginx. How do I generate a key.rsa file and use it for production?

I have checked other questions as well. They are using their windows certificate store for reading the certificate. I need a solution to work on centos using key.rsa.

Code So Far::

    // Code skipped for brevity....

    #region Add ASP.NET Core Identity Server
        // Using ASP.NET Core Identity Server
        services.AddIdentityServer()
            .AddConfigurationStore<MySQLConfigurationDbContext>()
            .AddOperationalStore<MySQLPersistedGrantDbContext>()
            .AddAspNetIdentity<Identity.BOL.IdentityUser>()                
            .AddDeveloperSigningCredential();
        #endregion

        // Use Authentication
        services.AddAuthentication();                
    }
Ariel
  • 2,471
  • 1
  • 26
  • 43

1 Answers1

4

I'm not clear if you're asking how to generate the key, or how to use it when you've generated one. I'm guessing the second question, because you've already got an example of a key you've produced.

You need to get rid of the .UseDeveloperSigningCredential() on the .AddIdentityServer and use some of the other builder extension convenience methods:

https://identityserver4.readthedocs.io/en/latest/topics/startup.html#refstartupkeymaterial

or if you need something more customised then use the following interfaces: https://identityserver4.readthedocs.io/en/latest/topics/crypto.html

In essence though, those builder extensions are probably all you need. Keep the same version of code and just use different key material on dev and live.

This is an example of using the x509 overload of the extension methods, but you use whichever ones make sense for your key material:

    var x509 = new X509Certificate2(
         File.ReadAllBytes(somefilename),somepassword);

    services.AddIdentityServer(options =>
        {
            the options I care about
        })
        .AddSigningCredential(x509)
        .AddValidationKey(x509);
Mashton
  • 6,037
  • 2
  • 25
  • 35
  • I want both. I want to generate and use as well. I've found a solution...just want. To see others solution for now. Please show how you do it. – Ariel Mar 20 '20 at 15:02
  • Wel, for key generation we just use openssl command line. Something like https://stackoverflow.com/questions/5244129/use-rsa-private-key-to-generate-public-key – Mashton Mar 20 '20 at 15:09
  • And the code snippet in my answer is just creating an x509 cert from a PFX file. And the PFX file was created using openssl. This may seem a bit of the long way around, considering the PFX would have been created from PEM material in the first place, but there are reasons :) This service is hosted on Centos for us too, so doesn't go anywhere near a Windows certificate store. – Mashton Mar 20 '20 at 15:11
  • Just what I was looking for...I am using the exact same approach. Are you using a single key for signing and validation or two different ones?? I'm using one with 100 years life – Ariel Mar 20 '20 at 15:14
  • @Ariel Were you able to develop a process to automatically generate new certificate & automatic key rollover? Would you care to share the process? – Jay Nov 05 '21 at 14:26
  • I was not able to automatically generate new certificate...however, I used custom ssl certificate generated using OpenSSL for the task...and to my surprise they worked properly with Identity server...check the above code and you will understand.... – Ariel Nov 09 '21 at 12:35