IdentityServer3 使用自签名证书时指定的提供商类型无效
IdentityServer3 Invalid provider type specified when using Self-Signed Certificate
我正在尝试使用 IdentityServer3 库保护 asp.net 网络 api。
我创建了一个自签名证书来签署安全令牌,如下所示:
然后当我调用我的授权服务器时出现以下异常
http://localhost:53180/connect/token
"InnerException": {
"Message": "An error has occurred.",
"ExceptionMessage": "Invalid provider type specified.\r\n",
"ExceptionType": "System.Security.Cryptography.CryptographicException",
"StackTrace": " at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\AsymmetricSignatureProvider.cs:line 147"
证书私钥似乎有问题:
请帮忙!
参见:https://github.com/IdentityServer/IdentityServer3/issues/2859
您需要一个带有私钥的证书,该私钥由旧版 CSP 而非 CNG 管理。
如果您 运行 使用 Windows Server 2016 或 Windows 10,New-SelfSignedCertificate commandlet 已得到大幅扩展,现在包含您需要的所有选项。以下命令将生成适合令牌签名的证书,私钥由旧 CSP 管理:
New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my `
-FriendlyName "Token Signing" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
-KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -KeySpec Signature `
-DnsName ([System.Net.Dns]::GetHostByName($env:computerName).HostName)
关键部分是 -KeySpec 签名,它强制使用旧 CSP 作为私钥。
我正在尝试使用 IdentityServer3 库保护 asp.net 网络 api。
我创建了一个自签名证书来签署安全令牌,如下所示:
然后当我调用我的授权服务器时出现以下异常
http://localhost:53180/connect/token
"InnerException": {
"Message": "An error has occurred.",
"ExceptionMessage": "Invalid provider type specified.\r\n",
"ExceptionType": "System.Security.Cryptography.CryptographicException",
"StackTrace": " at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\AsymmetricSignatureProvider.cs:line 147"
证书私钥似乎有问题:
参见:https://github.com/IdentityServer/IdentityServer3/issues/2859
您需要一个带有私钥的证书,该私钥由旧版 CSP 而非 CNG 管理。
如果您 运行 使用 Windows Server 2016 或 Windows 10,New-SelfSignedCertificate commandlet 已得到大幅扩展,现在包含您需要的所有选项。以下命令将生成适合令牌签名的证书,私钥由旧 CSP 管理:
New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my `
-FriendlyName "Token Signing" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
-KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -KeySpec Signature `
-DnsName ([System.Net.Dns]::GetHostByName($env:computerName).HostName)
关键部分是 -KeySpec 签名,它强制使用旧 CSP 作为私钥。