“error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure” when generating self signed certificate for Identity Server 4

skyrunner picture skyrunner · Nov 28, 2018 · Viewed 7.8k times · Source

We're developing a microservices app on Kubernetes. One of the microservices is IdentityServer instance. Initially, I want to test the solution locally on Docker to make sure it works. For this purpose, I want to copy the certificate to appsettings.json. Eventually this value will be replaced by a Kubernetes secret. In my startup class this is how I'm trying to load my certificate:

services.AddIdentityServer()
     .AddSigningCredential(GetIdentityServerCertificate())
     .AddConfigurationStore(...


    private X509Certificate2 GetIdentityServerCertificate()
    {
        var clientSecret = Configuration["Certificate"];
        var pfxBytes = Convert.FromBase64String(clientSecret);
        var certificate = new X509Certificate2(pfxBytes, "PasswordHere");
        return certificate;
    }

The certificate is generated by me using openssl:

openssl req –newkey rsa:2048 –nodes –keyout XXXXX.key –x509 –days 365 –out XXXXX.cer

openssl pkcs12 –export –in XXXX.cer –inkey XXXX.key –out XXXX.pfx

Then I get the certificate by using:

$pfxFilePath = 'C:\XXXX.pfx'
$pwd = 'PasswordHere'
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)

I grab the $fileContentEncoded value and paste it into appsettings.json.

When i debug it, the result is: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure when i'm trying to create X509Certificate2 object using the method above.

Answer