Reputation: 4875
Issue in Self Signed Client Certificate while processing an Identity Server Client Credentials Flow
I created a Self Signed Certificate for my internal development purpose using MakeCert.exe
Step #1: I Created a Root CA using the following Command
makecert -n "CN=Bala root signing authority" -cy authority -r -sv root.pvk root.cer
Step #2: Installed the Root CA Certificate which is created in Step #1 using the following Command
certutil -user -addstore Root root.cer
Step #3: I Created a Client Certificate using the following Command
makecert -pe -n "CN=Bala Client" -a sha1 -cy end ^ -sky signature ^ -ic root.cer -iv root1.pvk ^ -sv Bala.pvk Bala.cer
Step #4:
I Created a .pfx file for the respective Client Certificate using the following command
pvk2pfx -pvk Bala.pvk -spc Bala.cer -pfx Bala.pfx
The Root CA namely "CN=Bala root signing authority" has all intended purpose and its installed in Trusted Root Certification Authorities
Snapshot of Root CA Certificate: "CN=Bala root signing authority"
Snapshot of Client Certificate: "CN=Bala Client"
The Client Certificate has a ThumbPrint: "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
Kindly look at the snapshot:
I'm having a Client in my IdentityServer3 and I used the Same thumbprint "83021C2C20096FFD8415A353E471FF1BD39ECA4E"
new Client
{
ClientName = "Client Credentials Flow Client With Certificate",
Enabled = true,
ClientId = "cc.WithCertificate",
Flow = Flows.ClientCredentials,
ClientSecrets = new List<Secret>
{
new Secret
{
Value = "83021C2C20096FFD8415A353E471FF1BD39ECA4E",
Type = Constants.SecretTypes.X509CertificateThumbprint,
Description = "Client Certificate"
},
},
AllowedScopes = new List<string>
{
"read"
}
}
The Client Console Application Code is
var cert = new X509Certificate2(@"Bala.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];
var client = new TokenClient(
tokenEndPoint,
"cc.WithCertificate",
handler);
// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;
Response Object's Snapshot:
Once I execute the code I'm getting the response with an Error Status Code: response.Error ="Forbidden"
I followed all the per-requesite setup which is said in my previous question response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials
Kindly assist me how to Authenticate the application using Self Signed Certificate.
Upvotes: 3
Views: 2168
Answers (1)
Reputation: 4875
I found the solution for this issue (Self Signed Certificate) after a long struggle. There is a way to use the Self Signed Certificate in an Identity Server for authenticating user based on Client Certificate.
In the Identity Server, we are using a Certificate for generating Tokens (by default we are using idsrv3test.pfx) and in Client Application we are using the Certificate Client.pfx (by default). I researched the logic behind in this, I found the solution these two certificates has a common Issuer "DevRoot". The Identity Server return the Token based on Client Certificate only if the DevRoot is in Trusted Root Certification Authorities otherwise the IIS should not allow the request and return back with status code 403 Forbidden.
Scenario #1:
Scenario #2:
I followed the same logic, I created a Root CA Certificate. Moreover I created Server and Client Certificate and I mapped those certificate with the Root CA Certificate (i.e., Parent). The Certificates should have the following purpose
- Root CA Certificate => All Purpose or the combination of Server Authentication and Client Authentication
- Server Certificate => Only Server Authentication Purpose
- Client Certificate => Only Client
Note: For more information about Intended Purpose, refer http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
The Server and Client Certificate should be in .pfx file format. Let us see how to create the said Certificates
Ensure the Prerequisite Tools is exist in your System before executing the following Command
- Install the latest .Net Framework https://www.microsoft.com/net/download
- Install the Latest Microsoft Windows SDK for Windows 7 and .NET Framework 4 https://www.microsoft.com/en-us/download/details.aspx?id=8279
Step: #1
We need to Create a Certificates of CA, Service and Client along with Private Key
Certificate Authority
makecert -r -pe -n "CN=Token Root CA"
-sr LocalMachine -a sha1 -sky signature -cy authority -sv
"D:\Certificate\IDRootCA.pvk" "D:\Certificate\IDRootCA.cer"
Server Certificate
makecert -pe -n "CN=Server - Token Identity" -a sha1 -sky exchange
-eku 1.3.6.1.5.5.7.3.1 -ic "D:\Certificate\IDRootCA.cer" -iv
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDServer.pvk" "D:\Certificate\IDServer.cer"
Client Certificate
makecert -pe -n "CN=Client - Token Identity" -a sha1 -sky exchange
-eku 1.3.6.1.5.5.7.3.2 -ic "D:\Certificate\IDRootCA.cer" -iv
"D:\Certificate\IDRootCA.pvk" -sv "D:\Certificate\IDClient.pvk" "D:\Certificate\IDClient.cer"
Step: #2
We need to Export the PFX's file of Service and Client certificate
Service Certificate (PFX Format)
pvk2pfx -pvk "D:\Certificate\IDServer.pvk" -spc "D:\Certificate\IDServer.cer"
-pfx "D:\Certificate\IDServer.pfx"
Client Certificate (PFX Format)
pvk2pfx -pvk "D:\Certificate\IDClient.pvk" -spc "D:\Certificate\IDClient.cer"
-pfx "D:\Certificate\IDClient.pfx"
Step: #3
We need to Import CA into Trusted Root Certification Authorities certificate store
Import Certificate Authority "CN=Token Root CA"
certutil -user -addstore Root "D:\Certificate\IDRootCA.cer"
Note: Here I import the Certificate only for the current user "-user". For more details refer http://certificate.fyicenter.com/685_Microsoft_CertUtil_Microsoft_certutil_-user_Certificate_St.html
Execute all the above said commands using Command Prompt in Administrator Mode and navigate the path to "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin". The said path should contain the MakeCert.exe file (Ensure it once)
The above said Commands will create all the required Certificates of Identity Server
Identity Server Project:
Kindly use the Server Certificate "IDServer.pfx" instead of "idsrv3test.pfx" and Change the same in Certificates.cs and Web.config.
Note: The Private key is not required for this Self signed Certificate.
Finally the Client Console Application Code is
var cert = new X509Certificate2(@"IDClient.pfx");
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);
string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];
var client = new TokenClient(
tokenEndPoint,
"cc.WithCertificate",
handler);
// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;
Finally I got the Access Token Successfully
Upvotes: 2
Related Questions
- IdentityServer: The remote certificate is invalid according to the validation procedure
- Identity Server 4. Getting error when using self-signed certificate
- remote certificate is invalid according to the validation procedure (Identity server Hosted in azure)
- AuthenticationException: The remote certificate is invalid according to the validation procedure
- Issues with x509 certificate and identityserver v2
- Client Certificate Authentication Error: "System.IO.IOException: Authentication failed because the remote party has closed the transport stream"
- IdentityServer3 Invalid provider type specified when using Self-Signed Certificate
- Identityserver fails to load selfsigned certificate
- Client certificate with Hybrid Authentication Flow
- IdentityServer3 Certificate error - The remote certificate is invalid according to the validation procedure