Guidance on Thinktecture IdentityServer v3 - certificates

Brendan Green · Oct 30, 2014 · Viewed 7.8k times

I am working up a demo of Thinktecture IdentityServer v3. The intention is to have the identity server run as its own website under Azure Websites.

There will be other (more than one) Azure Websites that will use the identity server to authenticate users.

Based on the getting started walkthrough (see https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started) I have this mostly working.

Where I am having trouble is with the certificates.

For the demo, I'd like to create my own certificate - but I am unsure of what I need to do. Any guidance would be helpful.

Other questions I have on this:

  1. Are self-signed certificates able to be used?
  2. In a production scenario, would self-signed certificates be acceptable, or would they really need to be signed by a trusted root authority?
  3. How would these certificates be installed into an Azure Website (or can I load from disk)?

Answer

leastprivilege · Nov 2, 2014

Well - strictly speaking you need two certificates - one for SSL and one for signing - technically they could be the same - but don't have to. They also have different requirements.

For SSL - you need to have a cert that is in the trusted list of your clients. Typically this is either a cert from a commercial CA - or from an internal PKI.

For the signing cert - you can generate your own - e.g. using makecert.

IdSrv is pretty flexible in loading certs - you can retrieve them from arbitrary sources - typically from the Windows certificate store (when you have admin level access to the server) - or the file system, or from an embedded resource.

Our sample host uses the embedded resource approach which does work fine for Azure WebSites. For production scenarios you typically want more flexibility (e.g. for roll over) - so I would look into loading it from e.g. blob storage.
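The file-system loading path the answer mentions, written as an added example (not code from the original post or from the IdentityServer sample host). It assumes the `Thinktecture.IdentityServer.Core.Configuration` namespace of the v3 package the question uses, and the app-setting names `SigningCertPath` and `SigningCertPassword` are placeholders chosen here; the SSL certificate is left to the Azure Websites TLS binding, since only the signing certificate is IdentityServer's concern in code.

```csharp
// Added example, not from the original post or the IdentityServer3 source.
// Assumes: a PFX on disk whose path and password come from app settings
// (SigningCertPath / SigningCertPassword are placeholder names) and the
// IdentityServerOptions type from Thinktecture.IdentityServer.Core.Configuration.
using System;
using System.Configuration;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Thinktecture.IdentityServer.Core.Configuration;

public static class SigningCertificateLoader
{
    // Loads the token-signing certificate from disk. The SSL certificate is
    // not handled here: on Azure Websites it is bound to the site by the
    // platform, so the IdentityServer host only needs the signing certificate.
    public static X509Certificate2 LoadFromFile(string path, string password)
    {
        var bytes = File.ReadAllBytes(path);

        // MachineKeySet matters on Azure Websites: the worker process has no
        // user profile loaded, so importing a PFX with a private key into the
        // default (user) key store fails at runtime.
        var cert = new X509Certificate2(bytes, password,
            X509KeyStorageFlags.MachineKeySet);

        // A certificate without its private key can verify tokens but never
        // sign them; fail at startup rather than at the first token request.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Signing certificate has no private key: " + cert.Thumbprint);

        return cert;
    }

    public static IdentityServerOptions BuildOptions()
    {
        var cert = LoadFromFile(
            ConfigurationManager.AppSettings["SigningCertPath"],
            ConfigurationManager.AppSettings["SigningCertPassword"]);

        return new IdentityServerOptions
        {
            SiteName = "Demo IdentityServer",
            SigningCertificate = cert
            // For roll-over, later IdentityServer3 releases also expose a
            // SecondarySigningCertificate option so the next key is published
            // in the discovery document before it is used for signing.
        };
    }
}
```

Keeping the PFX outside the deployed site content (for example in blob storage, as the answer suggests) keeps the private key out of the deployment package and lets the certificate be rotated without a redeploy.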