Invalid provider type specified when IdentityServer3 uses a self-signed certificate

Time: 2017-07-10 10:30:04

Tags: identityserver3 digital-certificate x509certificate2

I am trying to secure an ASP.NET Web API with the IdentityServer3 library.

I created a self-signed certificate for signing the security tokens, as shown below:

[image: My Self-Sign Certificate]

Then, when I call my authorization server, I get the following exception:

http://localhost:53180/connect/token

"InnerException": {
    "Message": "An error has occurred.",
    "ExceptionMessage": "Invalid provider type specified.\r\n",
    "ExceptionType": "System.Security.Cryptography.CryptographicException",
    "StackTrace": "   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n   at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\\workspace\\WilsonForDotNet45Release\\src\\System.IdentityModel.Tokens.Jwt\\AsymmetricSignatureProvider.cs:line 147"

There seems to be a problem with the certificate's private key:

[image: Private Key Problem]

Please help!

1 answer:

Answer 0 (score: 1)

See: https://github.com/IdentityServer/IdentityServer3/issues/2859

You need a certificate whose private key is managed by a legacy CSP rather than by CNG.

If you are running on Windows Server 2016 or Windows 10, the New-SelfSignedCertificate cmdlet has been greatly extended and now includes all the options you need. The following command generates a certificate suitable for token signing, with the private key managed by a legacy CSP:

New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my `
 -FriendlyName "Token Signing" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
 -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -KeySpec Signature `
 -DnsName ([System.Net.Dns]::GetHostByName($env:computerName).HostName)

The key part is -KeySpec Signature, which forces a legacy CSP to be used for the private key.
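As an added diagnostic, not part of the answer above: the following PowerShell function reports whether a certificate's private key is held by a legacy CSP (usable by IdentityServer3) or by CNG, and exercises the same X509Certificate2.PrivateKey getter that fails in the stack trace. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, an elevated shell for machine-store keys, and a placeholder thumbprint you replace with your own.

```powershell
# Added diagnostic (not from the answer above): classify the private key of a
# certificate in LocalMachine\My as legacy CSP or CNG.
# Assumes .NET Framework 4.6+ (RSACertificateExtensions) and an elevated shell.
function Test-LegacyCspKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }

    if (-not $cert.HasPrivateKey) {
        return [pscustomobject]@{
            Thumbprint = $Thumbprint; HasPrivateKey = $false
            Provider = $null; LegacyCsp = $false; PrivateKeyGetterWorks = $false
        }
    }

    # GetRSAPrivateKey returns RSACryptoServiceProvider for CSP-backed keys
    # and RSACng for keys held by a CNG key storage provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $legacy = $rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]

    # X509Certificate2.PrivateKey is what System.IdentityModel calls; for CNG
    # keys it throws CryptographicException "Invalid provider type specified".
    $getterWorks = $true
    try {
        $null = $cert.PrivateKey
    } catch [System.Security.Cryptography.CryptographicException] {
        $getterWorks = $false
    }
    if ($rsa) { $rsa.Dispose() }

    [pscustomobject]@{
        Thumbprint            = $Thumbprint
        HasPrivateKey         = $true
        Provider              = $rsa.GetType().Name
        LegacyCsp             = $legacy
        PrivateKeyGetterWorks = $getterWorks
    }
}

# Usage (replace the placeholder with the thumbprint of your signing certificate):
Test-LegacyCspKey -Thumbprint '<THUMBPRINT-PLACEHOLDER>' | Format-List
```

A certificate created with the answer's command should report Provider = RSACryptoServiceProvider and PrivateKeyGetterWorks = True; one created without -KeySpec Signature reports RSACng and False, which is the condition behind the exception in the question.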