/// <summary> /// Add custom validation key for signing key rollover /// http://docs.identityserver.io/en/latest/topics/crypto.html#signing-key-rollover /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> /// <returns></returns> public static IIdentityServerBuilder AddCustomValidationKey(this IIdentityServerBuilder builder, IConfiguration configuration) { var certificateConfiguration = configuration.GetSection(nameof(CertificateConfiguration)).Get <CertificateConfiguration>(); var azureKeyVaultConfiguration = configuration.GetSection(nameof(AzureKeyVaultConfiguration)).Get <AzureKeyVaultConfiguration>(); if (certificateConfiguration.UseValidationCertificateThumbprint) { if (string.IsNullOrWhiteSpace(certificateConfiguration.ValidationCertificateThumbprint)) { throw new Exception(ValidationCertificateThumbprintNotFound); } var certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine); certStore.Open(OpenFlags.ReadOnly); var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, certificateConfiguration.ValidationCertificateThumbprint, false); if (certCollection.Count == 0) { throw new Exception(CertificateNotFound); } var certificate = certCollection[0]; builder.AddValidationKey(certificate); } else if (certificateConfiguration.UseValidationCertificateForAzureKeyVault) { var x509Certificate2Certs = AzureKeyVaultHelpers.GetCertificates(azureKeyVaultConfiguration).GetAwaiter().GetResult(); if (x509Certificate2Certs.SecondaryCertificate != null) { builder.AddValidationKey(x509Certificate2Certs.SecondaryCertificate); } } else if (certificateConfiguration.UseValidationCertificatePfxFile) { if (string.IsNullOrWhiteSpace(certificateConfiguration.ValidationCertificatePfxFilePath)) { throw new Exception(ValidationCertificatePathIsNotSpecified); } if (File.Exists(certificateConfiguration.ValidationCertificatePfxFilePath)) { try { builder.AddValidationKey(new X509Certificate2(certificateConfiguration.ValidationCertificatePfxFilePath, certificateConfiguration.ValidationCertificatePfxFilePassword)); } catch (Exception e) { throw new Exception("There was an error adding the key file - during the creation of the validation key", e); } } else { throw new Exception($"Validation key file: {certificateConfiguration.ValidationCertificatePfxFilePath} not found"); } } return(builder); }
/// <summary> /// Add custom signing certificate from certification store according thumbprint or from file /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> /// <returns></returns> public static IIdentityServerBuilder AddCustomSigningCredential(this IIdentityServerBuilder builder, IConfiguration configuration) { var certificateConfiguration = configuration.GetSection(nameof(CertificateConfiguration)).Get <CertificateConfiguration>(); var azureKeyVaultConfiguration = configuration.GetSection(nameof(AzureKeyVaultConfiguration)).Get <AzureKeyVaultConfiguration>(); if (certificateConfiguration.UseSigningCertificateThumbprint) { if (string.IsNullOrWhiteSpace(certificateConfiguration.SigningCertificateThumbprint)) { throw new Exception(SigningCertificateThumbprintNotFound); } StoreLocation storeLocation = StoreLocation.LocalMachine; bool validOnly = certificateConfiguration.CertificateValidOnly; // Parse the Certificate StoreLocation string certStoreLocationLower = certificateConfiguration.CertificateStoreLocation.ToLower(); if (certStoreLocationLower == StoreLocation.CurrentUser.ToString().ToLower() || certificateConfiguration.CertificateStoreLocation == ((int)StoreLocation.CurrentUser).ToString()) { storeLocation = StoreLocation.CurrentUser; } else if (certStoreLocationLower == StoreLocation.LocalMachine.ToString().ToLower() || certStoreLocationLower == ((int)StoreLocation.LocalMachine).ToString()) { storeLocation = StoreLocation.LocalMachine; } else { storeLocation = StoreLocation.LocalMachine; validOnly = true; } // Open Certificate var certStore = new X509Store(StoreName.My, storeLocation); certStore.Open(OpenFlags.ReadOnly); var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, certificateConfiguration.SigningCertificateThumbprint, validOnly); if (certCollection.Count == 0) { throw new Exception(CertificateNotFound); } var certificate = certCollection[0]; builder.AddSigningCredential(certificate); } else if (certificateConfiguration.UseSigningCertificateForAzureKeyVault) { var x509Certificate2Certs = AzureKeyVaultHelpers.GetCertificates(azureKeyVaultConfiguration).GetAwaiter().GetResult(); builder.AddSigningCredential(x509Certificate2Certs.ActiveCertificate); } else if (certificateConfiguration.UseSigningCertificatePfxFile) { if (string.IsNullOrWhiteSpace(certificateConfiguration.SigningCertificatePfxFilePath)) { throw new Exception(SigningCertificatePathIsNotSpecified); } if (File.Exists(certificateConfiguration.SigningCertificatePfxFilePath)) { try { builder.AddSigningCredential(new X509Certificate2(certificateConfiguration.SigningCertificatePfxFilePath, certificateConfiguration.SigningCertificatePfxFilePassword)); } catch (Exception e) { throw new Exception("There was an error adding the key file - during the creation of the signing key", e); } } else { throw new Exception($"Signing key file: {certificateConfiguration.SigningCertificatePfxFilePath} not found"); } } else if (certificateConfiguration.UseTemporarySigningKeyForDevelopment) { builder.AddDeveloperSigningCredential(); } else { throw new Exception("Signing credential is not specified"); } return(builder); }