21

I created the template Angular / ASP.NET Core with authorisation support using this command:

dotnet new angular --auth Individual

This is an:

  • ASP.NET Core 3.0 App with
  • ASP.NET Core Identity for authenticating and storing users,
  • IdentityServer4 for implementing Open ID Connect,
  • Angular SPA,

All pre-configured to work together.

Before I deploy my app based on this template, I'm trying to first deploy this template app to IIS.

I've deployed the app to IIS and have a database set up and the app connected to it just fine, but I'm stuck. I am not sure how to create and configure the production certificate to use for signing tokens.

At this point in the Microsoft docs it briefly mentions "A production certificate to use for signing tokens." and gives an example for deployment to Azure.

How do I create the key in IIS? Do you do something here? IIS Server Certificate

Then how do I then add the correct settings to appsettings.json?

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "CurrentUser",
    "Name": "CN=MyApplication"
  }
}

I'm struggling to find any guides or examples on the net, any help or point in the right direction would be appreciated.

marno11
  • To resolve the "Exception Info: System.InvalidOperationException: Couldn't find a valid certificate with subject 'test' on the 'LocalMachine\Personal'" error, click the Start button and type "Certmgr.msc" or "Manage computer certificates", and check under which section your certificate is stored. – Jalpa Panchal Jul 30 '19 at 07:21
  • So this appears to show me `Certificates - Current User`, under which I can find the server certificate I made called `test` under `Trusted Root Certification Authorities` ... however setting `Type: Store, StoreName: Trusted Root Certification Authorities, StoreLocation CurrentUser, Name: test` also doesn't work... same error. :/ – marno11 Jul 31 '19 at 11:04

4 Answers

16

I also found that the documentation is not comprehensive enough. I managed to deploy an Angular app to Azure. I'm not sure if it is similar to the deployment to IIS, but maybe this could help you to find the solution for your problem.

Deployment to Azure:

First you have to upload the (self signed) certificate (.pfx) to azure app service. I used this guide to create self signed certificate.

[Image: uploading the certificate to the App Service]

You also have to make the certificate available by adding the thumbprint into the application settings. See image.

[Image: adding the certificate thumbprint to the App Service]

Don't forget to update your appsettings.json so your app can access the certificate from the previous step.

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "CurrentUser",
    "Name": "CN=yourApp-domain.com"
  }
}

If you encounter a problem, change the environment variable in the App Service to "Development" to see detailed information about the error, like this.

[Image: changing the environment variable]

Basil
Syarif Mathis
  • In my case since the API I was hosting Identity was under a subdomain, I had to set CN=*.domain.com. – carraua Mar 30 '20 at 06:56
12

For now I have worked around this problem by exporting the certificate to a file. Under Server Certificates in IIS you can right-click a certificate and export it.

Then you can configure the key parameters in appsettings.json to reference a file like so:

"Key": {
  "Type": "File",
  "FilePath": "..\\test.pfx",
  "Password": "Test"
}

I would still like to reference a store certificate.

marno11
  • Where did you find the documentation for this section of config? – Dan Apr 24 '20 at 21:18
  • Hey Dan, I actually can't remember where I found to do this... Probably not from the official documentation, I don't remember it covering this at any point. But check out this reddit post I found which outlines the key parameter settings a little more: https://www.reddit.com/r/aspnetcore/comments/bmq2n3/asp_net_core_3_angular_template_problem/ – marno11 Apr 27 '20 at 00:37
  • Just want to say this is gold! I've been looking for this. This should be on the official docs somewhere. Or maybe anyone has any idea of a tool or method of introspecting the settings for libraries or assemblies similar to this. – Bangonkali Mar 09 '23 at 13:20
5

So this should be fairly straightforward to configure for development purposes. In IIS you can issue yourself a self-signed certificate, which will naturally only be valid on your local machine.

Give it some name and, if you don't change anything else and click OK, it will by default store the generated certificate in your Personal store for LocalMachine, so the config below should work:

"IdentityServer": {
  "Key": {
    "Type": "Store",
    "StoreName": "Personal",
    "StoreLocation": "LocalMachine",
    "Name": "YourName"
  }
}


It is worth noting that if you try to import a certificate from somewhere else, it must be at least a 2048-bit key for IdentityServer4 purposes.

Vidmantas Blazevicius
  • Thank you for the info, I'll give this a go... but I'm asking what's required for a production release? – marno11 Jul 29 '19 at 22:27
  • I did give this a go and received the following error... `Exception Info: System.InvalidOperationException: Couldn't find a valid certificate with subject 'test' on the 'LocalMachine\Personal'` – marno11 Jul 29 '19 at 22:45
  • ah ok I was wrong then, the search is not by public friendly name, but rather by subject, just double click the cert in IIS, go to details tab and find subject and use that. Let me know if that works. – Vidmantas Blazevicius Jul 30 '19 at 07:50
  • I can see the certificate has a subject parameter, unfortunately still no luck. With and without including "CN=" in the certificate name (subject?) – marno11 Jul 31 '19 at 10:56
  • I used this "CN=MyPcName.local" as the value and it worked for me. Open certificate manager through windows UI and double check if that cert is actually under Personal – Vidmantas Blazevicius Jul 31 '19 at 11:03
  • It's there under `Certificates -> Local Computer -> Personal -> Certificates` it's also under `Trusted Root Certification Authorities`. Why do you put ".local" on the end? – marno11 Jul 31 '19 at 11:23
  • damn, still `Exception Info: System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=.local' on the 'LocalMachine\Personal'`, I've also tried 'CN=' , '.local' and ''... this maybe grasping at straws, but my PC name has a dash in it, could that be causing an issue. – marno11 Jul 31 '19 at 11:35
  • Hopefully I didn't confuse you, that's actually the name of my PC because it's a work PC. Looks like IIS issues the subject name the same as your current local machine name. Do you have the full stack trace of that exception by any chance? It's open source so we can check the src of what's up. – Vidmantas Blazevicius Jul 31 '19 at 11:59
  • I was able to use the above suggestion, but I needed to set the StoreName to "My" instead of "Personal" even though the cert I'm using is stored in Personal. As mentioned in the above comment you also need to use 'CN=' (.local isn't needed). You can also open the certificate and look at the subject and it should say CN=. – Bryan Euton Apr 17 '20 at 15:33
0

Create a new certificate in PowerShell as Administrator if you don't have a certificate already:

New-SelfSignedCertificate -DnsName "blazortest" -CertStoreLocation "cert:\CurrentUser\My"

I then used mmc.exe to export the certificate as a .pfx file.

If you host on IIS you need to import the .pfx certificate to the Personal folder for Local Computer and then select Manage Private Keys... and give access to the user running the Application Pool.


Complete answer from other thread with IdentityServerBuilderConfigurationExtensions publish exception:

https://stackoverflow.com/a/66448397/3850405

Ogglas
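The two points the answers and comments above converge on are that the "Store" key type needs the store's system name ("My", not the display name "Personal") and that "Name" must be the certificate's subject distinguished name including "CN=". The following PowerShell is an added example, not code from the question or any answer: it creates the signing certificate in LocalMachine\My, checks that a subject-distinguished-name search with exactly the value you would put in appsettings.json finds it, grants the application pool identity read access to the private key (the scripted equivalent of "Manage Private Keys..." in the last answer), and optionally exports a .pfx for the "File" key type from the second answer. The subject `CN=MyApplication`, the pool name `DefaultAppPool` and the output paths are placeholders I chose, and the assumption that IdentityServer's store lookup behaves like a find-by-subject-distinguished-name search is mine, based on the comments in this thread.

```powershell
# Added example; not from the question or the answers. Run in an elevated PowerShell on the IIS host.
# Placeholders (assumptions, not values from the thread):
#   $subject  - certificate subject; "Name" in appsettings.json must equal this string exactly
#   $appPool  - the IIS application pool whose identity runs the app
$subject = 'CN=MyApplication'
$appPool = 'DefaultAppPool'

# 1. Create the signing certificate directly in LocalMachine\My (shown as "Personal" in certlm.msc).
#    2048-bit RSA is the minimum key size the third answer reports IdentityServer4 requiring.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# 2. Verify the lookup the "Store" key type depends on: open the store by its system name ("My")
#    and search by subject distinguished name, i.e. the "CN=..." string, not the friendly name.
#    validOnly is $false because a self-signed certificate does not chain to a trusted root.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
$store.Open('ReadOnly')
$found = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName,
    $subject, $false)
$store.Close()
if ($found.Count -eq 0) { throw "No certificate with subject '$subject' in LocalMachine\My" }
Write-Host "Found $($found.Count) certificate(s) for '$subject'; thumbprint $($found[0].Thumbprint)"

# 3. Grant the application pool identity read access to the private key. Without this the app
#    can see the certificate but cannot sign tokens with it.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key storage provider (the default for New-SelfSignedCertificate)
    $keyName = $rsa.Key.UniqueName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName"
} else {
    # Legacy CryptoAPI provider
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
}
if (-not (Test-Path $keyPath)) { throw "Private key file not found at $keyPath" }
icacls $keyPath /grant "IIS AppPool\${appPool}:R" | Out-Null
Write-Host "Granted read access on the private key to IIS AppPool\$appPool"

# 4. Optional: export to .pfx for the "File" key type (Key.Type = "File", Key.FilePath, Key.Password).
#    The .pfx is as sensitive as the private key itself; keep it out of the web root and source control.
$pfxPath = Join-Path $env:ProgramData 'MyApplication.pfx'
$pfxPassword = Read-Host -AsSecureString 'Password for the exported .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $pfxPath"
```

With the certificate created this way, the matching appsettings.json section is `"Type": "Store"`, `"StoreName": "My"`, `"StoreLocation": "LocalMachine"` and `"Name": "CN=MyApplication"` (the exact `$subject` string). If step 2 throws, the certificate is in a different store or has a different subject, which is the same situation the "Couldn't find a valid certificate with subject ..." exception in the comments describes; running certlm.msc and reading the Subject field of the certificate under Personal\Certificates is the quickest way to see the value to use.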