ADringer

Reputation: 2834

Use certificate in Azure Key Vault to sign IdentityServer4

I've uploaded a pfx certificate as a secret to my Azure Portal and I now want to use this to sign the credentials in IdentityServer4.

I've got reference to the vault in the startup of the api using:

builder.AddAzureKeyVault(
       $"https://{config["Vault"]}.vault.azure.net/",
       config["ClientId"],
       config["ClientSecret"]);

But not too sure how to get the certificate out to pass to:

services.AddIdentityServer()
    .AddSigningCredential(...)

Is it possible to reference the certificate directly from the key vault, or do I need to deploy the cert to the web app the api is running on?

Thanks

Upvotes: 1

Views: 2202

Answers (1)

user1336

Reputation: 7215

You are already building the IConfiguration object, so you can reference the pfx key just like you would reference any other object from the configuration. If the key is in the keyvault you can reference it something like:

using System;
using System.Security.Cryptography.X509Certificates;

// Name of your pfx in the keyvault (the secret value is the base64-encoded pfx).
var key = _configuration["pfx"];
var pfxBytes = Convert.FromBase64String(key);

// Create the certificate from the decoded pfx bytes.
var cert = new X509Certificate2(pfxBytes);
services.AddIdentityServer()
    .AddSigningCredential(cert);

I would recommend using the keyvault for this but you could decide to upload the pfx to the certificate store of the web app. You can do this in Azure by going to your web app -> SSL Certificates -> Upload certificate and enter the password. Go to the Application Settings and add the app setting WEBSITE_LOAD_CERTIFICATES : <thumbprint>. The last thing you would do is retrieve the certificate from the store and add it again like AddSigningCredential(cert);.

Upvotes: 6
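The two approaches from the answer, written out as a complete helper class (an added example, not code from the question, the answer, or IdentityServer4). It assumes a Key Vault secret named `pfx` holding the base64 pfx, an optional secret `pfxPassword`, and, for the certificate-store route, the thumbprint from `WEBSITE_LOAD_CERTIFICATES`; all of these names are assumptions. It also checks that the loaded certificate actually carries a private key and has not expired, since `AddSigningCredential` cannot sign tokens without one.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialSetup
{
    // Builds an X509Certificate2 from a base64 pfx stored as a Key Vault secret.
    // The secret names "pfx" and "pfxPassword" are assumed names for this example.
    public static X509Certificate2 LoadFromConfiguration(IConfiguration configuration)
    {
        var base64 = configuration["pfx"];
        if (string.IsNullOrWhiteSpace(base64))
            throw new InvalidOperationException("Key Vault secret 'pfx' was not found in configuration.");

        var pfxBytes = Convert.FromBase64String(base64);
        // Null is accepted if the pfx was uploaded without a password.
        var password = configuration["pfxPassword"];

        // MachineKeySet avoids writing the private key into a user profile that may
        // not be loaded on a hosted site such as Azure App Service.
        var cert = new X509Certificate2(pfxBytes, password, X509KeyStorageFlags.MachineKeySet);
        return Validate(cert);
    }

    // Alternative from the answer: WEBSITE_LOAD_CERTIFICATES puts the uploaded
    // certificate into the CurrentUser\My store; look it up by thumbprint.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser\\My.");
            return Validate(matches[0]);
        }
    }

    // A signing certificate is only useful if it has its private key and is still valid.
    private static X509Certificate2 Validate(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key; re-export the pfx with the key.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Signing certificate expired on {cert.NotAfter:u}.");
        return cert;
    }

    // Call this from Startup.ConfigureServices with the IConfiguration that was built
    // with AddAzureKeyVault, so the "pfx" secret resolves like any other setting.
    public static void AddIdentityServerWithSigningCert(IServiceCollection services, IConfiguration configuration)
    {
        // Assumed setting name; when present, use the store route instead of the vault secret.
        var thumbprint = configuration["SigningCertThumbprint"];
        var cert = string.IsNullOrWhiteSpace(thumbprint)
            ? LoadFromConfiguration(configuration)
            : LoadFromStore(thumbprint);

        services.AddIdentityServer()
            .AddSigningCredential(cert);
    }
}
```

With the vault route the pfx never needs to be copied onto the web app; the store route is the fallback the answer describes for when you do upload it through the portal.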
