We have an IdentityServer4-based STS successfully running on Windows, where the Signing Credential has been installed to the Local Computer with .pfx under Personal > Certifi
I am developing on a Windows machine and I use the following code to get the certificate from the store:
```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;

X509Certificate2 cert = null;
// Look the certificate up by thumbprint in the current user's Personal store;
// validOnly: false also returns certificates that are expired or not chain-trusted.
// The using block disposes the store on every path, not only when a match was found.
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        "thumbprint",
        false);
    if (certCollection.Count > 0)
    {
        cert = certCollection[0];
        Log.Logger.Information($"Successfully loaded cert from registry: {cert.Thumbprint}");
    }
}
if (cert == null) // Fallback: load the .pfx shipped next to the application
{
    cert = new X509Certificate2(Path.Combine(_env.ContentRootPath, "certificate.pfx"), "password");
    //Log.Logger.Information($"Falling back to cert from file. Successfully loaded: {cert.Thumbprint}");
}
```
When you use Docker containers and IdentityServer you basically have two options:

- copy the certificate into the image (`COPY certificate.pfx .`)
- mount it into the container as a volume (`-v /path/to/certificate.pfx:/certificate.pfx`)

Whatever option you choose, the only thing you need is to add the following configuration code to `ConfigureServices` in `Startup`:
```csharp
var identityServerBuilder = services.AddIdentityServer();
/* store configuration and etc. is omitted */
if (_hostingEnvironment.IsDevelopment())
{
    // Development only: a temporary key is generated on first start
    identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
    // Production: load the .pfx that was copied or mounted into the container
    var certificate = new X509Certificate2("certificate.pfx", "certificate_password");
    identityServerBuilder.AddSigningCredential(certificate);
}
```
Also, it would be a good idea to read the certificate password from configuration, an environment variable or secrets storage.
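The two loading strategies from the question and the answer combined into one startup helper (store lookup on Windows, .pfx from the container filesystem elsewhere, password taken from configuration), written as an added example that is not code from the original question, answer or IdentityServer4 itself; the `Signing:*` configuration keys and the `AddSigningCredentialFromConfig` name are assumptions:

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class SigningCredentialSetup
{
    // Hypothetical keys, supplied via appsettings, user secrets or environment variables
    // (Signing__Thumbprint, Signing__PfxPath, Signing__PfxPassword). Nothing secret lives in source.
    public static IIdentityServerBuilder AddSigningCredentialFromConfig(
        this IIdentityServerBuilder builder, IConfiguration config, IHostEnvironment env)
    {
        if (env.IsDevelopment())
            return builder.AddDeveloperSigningCredential(); // temporary key, never for production

        X509Certificate2 cert = null;
        var thumbprint = config["Signing:Thumbprint"];
        if (!string.IsNullOrEmpty(thumbprint) && RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            // Windows host: the certificate was installed to Local Computer > Personal.
            using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadOnly);
                var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (found.Count > 0) cert = found[0];
            }
        }

        if (cert == null)
        {
            // Linux/Docker: the .pfx was copied or mounted into the container.
            var path = config["Signing:PfxPath"] ?? Path.Combine(env.ContentRootPath, "certificate.pfx");
            var password = config["Signing:PfxPassword"]
                ?? throw new InvalidOperationException("Signing:PfxPassword is not configured.");
            // EphemeralKeySet keeps the private key in memory instead of a per-user key store on disk.
            cert = new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);
        }

        // Fail at startup rather than issue tokens with an unusable key.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} has no private key.");
        if (cert.NotAfter.ToUniversalTime() < DateTime.UtcNow)
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} expired on {cert.NotAfter:u}.");

        return builder.AddSigningCredential(cert);
    }
}
```

In `ConfigureServices` this replaces the `if/else` above with `services.AddIdentityServer().AddSigningCredentialFromConfig(Configuration, _hostingEnvironment);`.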