IdentityServer3 使用自签名证书时指定的提供商类型无效

IdentityServer3 Invalid provider type specified when using Self-Signed Certificate

我正在尝试使用 IdentityServer3 库保护 asp.net 网络 api。

我创建了一个自签名证书来签署安全令牌,如下所示:

然后当我调用我的授权服务器时出现以下异常

http://localhost:53180/connect/token

"InnerException": {
    "Message": "An error has occurred.",
    "ExceptionMessage": "Invalid provider type specified.\r\n",
    "ExceptionType": "System.Security.Cryptography.CryptographicException",
    "StackTrace": "   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n   at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\AsymmetricSignatureProvider.cs:line 147"

证书私钥似乎有问题:

请帮忙!

参见:https://github.com/IdentityServer/IdentityServer3/issues/2859

您需要一个带有私钥的证书,该私钥由旧版 CSP 而非 CNG 管理。

如果您 运行 使用 Windows Server 2016 或 Windows 10,New-SelfSignedCertificate commandlet 已得到大幅扩展,现在包含您需要的所有选项。以下命令将生成适合令牌签名的证书,私钥由旧 CSP 管理:

New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my `
 -FriendlyName "Token Signing" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
 -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -KeySpec Signature `
 -DnsName ([System.Net.Dns]::GetHostByName($env:computerName).HostName)

关键部分是 -KeySpec 签名,它强制使用旧 CSP 作为私钥。