问题
I'm creating a certificate request from my domain controller for use in IdentityServer3 (ID3). In the "Key Usage" section of the Certificate Properties dialog, I see a list of key usages:
- CRL signing
- Data encipherment
- Decipher Only
- Digital Signature
- Encipher Only
- Key agreement
- Key encipherment
- Key certificate signing
- Non repudiation
The question is straightforward: what key usages does ID3 require of its signing certificates? I can't find anything in the ID3 documentation besides "use a certificate".
I suppose it's also possible that all certificates are created "equal", and the first question is irrelevant? Just make a cert and be done with it?
回答1:
The relevant docs for Identity Server 3 are here. However, they don't go into a lot of detail in regard to the key usage type...
For your first question, I believe the correct usage is Digital Signature. In regard to your second question, I am not sure if the type matters or not, but I am somewhat of a novice in this area...
I am basing my answers here off the PowerShell commands I use to generate self-signed certs:
New-SelfSignedCertificate -Type Custom -Subject "CN=My Signing Cert" -Provider "Microsoft Strong Cryptographic Provider" -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm "SHA256" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") -NotAfter (Get-Date).AddYears(1)
You can also take a look at this blog posting by one of the authors of Identity Server:
makecert and creating ssl or signing certificates
While his example shows self-signed cert generation using a different tool (makecert), both my command and his share the same Enhanced Key Usage Object Identifier of 1.3.6.1.5.5.7.3.3 which maps to code signing.
So, maybe the key part is the OID, and not the key usage? Or, maybe getting the correct one does matter. Either way, it seems like the logical choice to use.
If you end up finding out definitively (through testing or otherwise), you could please add a comment with your results?
来源:https://stackoverflow.com/questions/45549894/certificate-requirements-for-identityserver3