问题
We're developing a microservices app on Kubernetes. One of the microservices is IdentityServer instance. Initially, I want to test the solution locally on Docker to make sure it works. For this purpose, I want to copy the certificate to appsettings.json. Eventually this value will be replaced by a Kubernetes secret. In my startup class this is how I'm trying to load my certificate:
services.AddIdentityServer()
.AddSigningCredential(GetIdentityServerCertificate())
.AddConfigurationStore(...
private X509Certificate2 GetIdentityServerCertificate()
{
var clientSecret = Configuration["Certificate"];
var pfxBytes = Convert.FromBase64String(clientSecret);
var certificate = new X509Certificate2(pfxBytes, "PasswordHere");
return certificate;
}
The certificate is generated by me using openssl:
openssl req –newkey rsa:2048 –nodes –keyout XXXXX.key –x509 –days 365 –out XXXXX.cer
openssl pkcs12 –export –in XXXX.cer –inkey XXXX.key –out XXXX.pfx
Then I get the certificate by using:
$pfxFilePath = 'C:\XXXX.pfx'
$pwd = 'PasswordHere'
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
I grab the $fileContentEncoded value and paste it into appsettings.json.
When i debug it, the result is: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure when i'm trying to create X509Certificate2 object using the method above.
来源:https://stackoverflow.com/questions/53513317/error23076071pkcs12-routinespkcs12-parsemac-verify-failure-when-generating