Reputation: 65145
In the sample code, there is a PFX certificate file called "idsrv3test.pfx"
How do I configure a PFX certificate for production use? Can I use a self-signed PFX?
Upvotes: 3
Views: 2630
Reputation: 159
Ref: ASP.NET Core Authentication with IdentityServer4
As mentioned in my previous post, it’s possible to create self-signed certificates for testing this out with the makecert and pvk2pfx command line tools (which should be on the path in a Visual Studio Developer Command prompt).
makecert -n "CN=AuthSample" -a sha256 -sv IdentityServer4Auth.pvk -r IdentityServer4Auth.cer
This will create a new self-signed test certificate with its public key in IdentityServer4Auth.cer and its private key in IdentityServer4Auth.pvk.
pvk2pfx -pvk IdentityServer4Auth.pvk -spc IdentityServer4Auth.cer -pfx IdentityServer4Auth.pfx
This will combine the pvk and cer files into a single pfx file containing both the public and private keys for the certificate. Our app will use the private key from the pfx to sign tokens. Make sure to protect this file. The .cer file can be shared with other services for the purpose of signature validation.
From a security standpoint, pay special attention to:
Note that you should not load the certificate from the app path in production; there are other AddSigningCredential overloads that can be used to load the certificate from the machine's certificate store.
In a production environment you should be using CertMgr.msc (or the platform equivalent) to store your certificate with private key in the local computer's certificate store (not any particular user's certificate store). When importing the certificate with CertMgr.msc be sure to tick "Mark this certificate as exportable" otherwise the private key will not be accessible to your service to sign data with. This is just like installing SSL/TLS Certificates for IIS consumption.
Upvotes: 3
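As an added example (not code from the original answer or from the IdentityServer4 project), here is the production pattern the answer above describes: the signing certificate is looked up in the LocalMachine\My store by thumbprint at startup and handed to the `AddSigningCredential(X509Certificate2)` overload, so no .pfx and no .pfx password ever live in the application directory or its configuration. The `Startup` shape, the `IdentityServer:SigningCertThumbprint` configuration key and the `SigningCertificateLoader` class are assumptions for illustration; the `X509Store`, `Find` and `GetRSAPrivateKey` calls are the standard .NET APIs.

```csharp
// Added example (not part of the original page): load the IdentityServer4 token-signing
// certificate from LocalMachine\My by thumbprint instead of from a .pfx on disk, and fail
// fast at startup if the private key is not actually usable by the service account.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCertificateLoader   // hypothetical helper name
{
    public static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("A signing certificate thumbprint must be configured.", nameof(thumbprint));

        // Thumbprints pasted from CertMgr.msc often carry spaces or an invisible
        // left-to-right mark; keep only hex digits so Find() gets an exact match.
        string clean = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false, because a self-signed signing certificate has no trusted chain.
            // Relying parties verify token signatures against the keys published in the
            // discovery document (JWKS), not by chain-building, so chain trust is irrelevant here.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, clean, validOnly: false);

            if (found.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate with thumbprint {clean} found in LocalMachine\\My.");

            X509Certificate2 cert = found[0];

            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    $"Certificate {clean} has no private key; import the .pfx, not the .cer.");

            // HasPrivateKey only says a key is associated with the certificate. Opening it
            // proves that the process identity has read access to the key container.
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null)
                    throw new InvalidOperationException(
                        $"Private key of {clean} is not RSA or cannot be opened by this account.");
            }

            if (cert.NotAfter < DateTime.Now)
                throw new InvalidOperationException($"Signing certificate {clean} expired on {cert.NotAfter:u}.");

            return cert;   // remains usable after the store handle is closed
        }
    }
}

public class Startup   // minimal assumed ASP.NET Core startup; other registrations omitted
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration key, supplied via appsettings.json or an environment
        // variable. A thumbprint is not a secret, unlike a .pfx password.
        X509Certificate2 signingCert = SigningCertificateLoader.LoadFromMachineStore(
            _configuration["IdentityServer:SigningCertThumbprint"]);

        services.AddIdentityServer()
            .AddSigningCredential(signingCert);   // X509Certificate2 overload, not the file-path one
    }
}
```

Two practical notes. First, whatever the import wizard's "exportable" box is set to, the account the site or service runs as must have read access to the private key: in certlm.msc, right-click the certificate, All Tasks, Manage Private Keys, and grant Read to the IIS application pool identity or service account; the `GetRSAPrivateKey` check above is what turns a misconfigured ACL into a clear startup error instead of a cryptic signing failure on the first token request. Second, searching with `validOnly: false` is deliberate for a self-signed signing certificate; if you switch to a CA-issued one you can tighten it to `true` so that a revoked or untrusted certificate is refused at startup.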