Issue in Self Signed Client Certificate while processing an Identity Server Client Credentials Flow

Question

I created a Self Signed Certificate for my internal development purpose using MakeCert.exe

Step #1: I Created a Root CA using the following Command<

Answer 1

I found the solution for this issue (Self Signed Certificate) after a long struggle. There is a way to use the Self Signed Certificate in an Identity Server for authenticating user based on Client Certificate.

In the Identity Server, we are using a Certificate for generating Tokens (by default we are using idsrv3test.pfx) and in Client Application we are using the Certificate Client.pfx (by default). I researched the logic behind in this, I found the solution these two certificates has a common Issuer "DevRoot". The Identity Server return the Token based on Client Certificate only if the DevRoot is in Trusted Root Certification Authorities otherwise the IIS should not allow the request and return back with status code 403 Forbidden.

Scenario #1:

Scenario #2:

I followed the same logic, I created a Root CA Certificate. Moreover I created Server and Client Certificate and I mapped those certificate with the Root CA Certificate (i.e., Parent). The Certificates should have the following purpose

• Root CA Certificate => All Purpose or the combination of Server Authentication and Client Authentication
• Server Certificate => Only Server Authentication Purpose
• Client Certificate => Only Client

Note: For more information about Intended Purpose, refer http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html

The Server and Client Certificate should be in .pfx file format. Let us see how to create the said Certificates

Ensure the Prerequisite Tools is exist in your System before executing the following Command

• Install the latest .Net Framework https://www.microsoft.com/net/download
• Install the Latest Microsoft Windows SDK for Windows 7 and .NET Framework 4 https://www.microsoft.com/en-us/download/details.aspx?id=8279

Step: #1

We need to Create a Certificates of CA, Service and Client along with Private Key

Certificate Authority

makecert -r -pe -n "CN=Token Root CA" 
-sr LocalMachine -a sha1 -sky signature -cy authority -sv 
"D:\Certificate\IDRootCA.pvk" "D:\Certificate\IDRootCA.cer"

Server Certificate

makecert -pe -n "CN=Server - Token Identity" -a sha1 -sky exchange 
-eku 1.3.6.1.5.5.7.3.1 -ic "D:\Certificate\IDRootCA.cer" -iv 
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDServer.pvk" "D:\Certificate\IDServer.cer"

Client Certificate

makecert -pe -n "CN=Client - Token Identity" -a sha1 -sky exchange 
-eku 1.3.6.1.5.5.7.3.2 -ic "D:\Certificate\IDRootCA.cer" -iv 
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDClient.pvk" "D:\Certificate\IDClient.cer"

Step: #2

We need to Export the PFX's file of Service and Client certificate

Service Certificate (PFX Format)

pvk2pfx -pvk "D:\Certificate\IDServer.pvk" -spc "D:\Certificate\IDServer.cer" 
-pfx "D:\Certificate\IDServer.pfx"

Client Certificate (PFX Format)

pvk2pfx -pvk "D:\Certificate\IDClient.pvk" -spc "D:\Certificate\IDClient.cer" 
-pfx "D:\Certificate\IDClient.pfx"

Step: #3

We need to Import CA into Trusted Root Certification Authorities certificate store

Import Certificate Authority "CN=Token Root CA"

certutil -user -addstore Root "D:\Certificate\IDRootCA.cer"

Note: Here I import the Certificate only for the current user "-user". For more details refer http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html

Execute all the above said commands using Command Prompt in Administrator Mode and navigate the path to "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin". The said path should contain the MakeCert.exe file (Ensure it once)

The above said Commands will create all the required Certificates of Identity Server

Identity Server Project: Kindly use the Server Certificate "IDServer.pfx" instead of "idsrv3test.pfx" and Change the same in Certificates.cs and Web.config.

Note: The Private key is not required for this Self signed Certificate.

Finally the Client Console Application Code is

var cert = new X509Certificate2(@"IDClient.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

Finally I got the Access Token Successfully