OpenIddict error with AddSigningCertificate

I am trying to signin certificate (OpenIddict), but I get error when trying with thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception:
System.Security.Cryptography.CryptographicException: OpenCSP failed
with error code 2148073494.

in this line:

app.UseOpenIddict();

If I tried with X509Certificate2 I also get error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);

options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the
required private key.

in same line app.UseOpenIddict();.

I am using the same certificate that I am using for https protocol. Is this OK?
My active tokens are randomly gone (and I get invalid_token when trying to refresh the token). I find somewhere that this happens if AddEphemeralSigningKey is used, because when connection is dropped (because of IIS idle timeout), all tokens are lost. Because of that I am trying to use AddSigningCertificate.

Is there another way? Can someone tell me, what is wrong with certificate? Thank you.

I am using ASP.NET Core 1.1.1.

I add read rights to IIS user for .cer file.

certificate

edited Apr 19 '17 at 6:40

asked Apr 19 '17 at 5:10

Makla

3,04032566

add a comment |

I am trying to signin certificate (OpenIddict), but I get error when trying with thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception:
System.Security.Cryptography.CryptographicException: OpenCSP failed
with error code 2148073494.

in this line:

app.UseOpenIddict();

If I tried with X509Certificate2 I also get error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);

options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the
required private key.

in same line app.UseOpenIddict();.

Is there another way? Can someone tell me, what is wrong with certificate? Thank you.

I am using ASP.NET Core 1.1.1.

I add read rights to IIS user for .cer file.

certificate

edited Apr 19 '17 at 6:40

asked Apr 19 '17 at 5:10

Makla

3,04032566

add a comment |

I am trying to signin certificate (OpenIddict), but I get error when trying with thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception:
System.Security.Cryptography.CryptographicException: OpenCSP failed
with error code 2148073494.

in this line:

app.UseOpenIddict();

If I tried with X509Certificate2 I also get error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);

options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the
required private key.

in same line app.UseOpenIddict();.

Is there another way? Can someone tell me, what is wrong with certificate? Thank you.

I am using ASP.NET Core 1.1.1.

I add read rights to IIS user for .cer file.

certificate

edited Apr 19 '17 at 6:40

asked Apr 19 '17 at 5:10

Makla

3,04032566

I am trying to signin certificate (OpenIddict), but I get error when trying with thumbprint:

options.AddSigningCertificate(Configuration["Certificate"]/* db b9 12 .... 22 */);

and the error:

Application startup exception:
System.Security.Cryptography.CryptographicException: OpenCSP failed
with error code 2148073494.

in this line:

app.UseOpenIddict();

If I tried with X509Certificate2 I also get error:

var cert = new X509Certificate2(Configuration["Certificate"]/*path to file.cer*/);

options.AddSigningCertificate(cert);

and the error:

System.InvalidOperationException: The certificate doesn't contain the
required private key.

in same line app.UseOpenIddict();.

Is there another way? Can someone tell me, what is wrong with certificate? Thank you.

I am using ASP.NET Core 1.1.1.

I add read rights to IIS user for .cer file.

certificate

ssl asp.net-core asp.net-identity x509certificate2 openiddict

edited Apr 19 '17 at 6:40

asked Apr 19 '17 at 5:10

Makla

3,04032566

edited Apr 19 '17 at 6:40

asked Apr 19 '17 at 5:10

Makla

3,04032566

edited Apr 19 '17 at 6:40

asked Apr 19 '17 at 5:10

Makla

3,04032566

asked Apr 19 '17 at 5:10

Makla

3,04032566

asked Apr 19 '17 at 5:10

Makla

3,04032566

add a comment |

2 Answers
2

active

oldest

votes

I solved my problem with new certificate created with SelfCert (https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip).

I then added certificate to project source and call AddSigningCertificate:

            if (this.env.IsDevelopment())

                options.AddEphemeralSigningKey();      

            else

                options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

I also had to add full rights to file for IIS user. Read and execute right was not enough.

And that's it. It works.

answered Apr 20 '17 at 8:45

Makla

3,04032566

1

Using a separate certificate is indeed the right thing to do. Note: you should consider storing it in the machine store. The error you were seeing was likely caused by the fact the IIS app pool identity was not allowed to access the private key. You can read bartwullems.blogspot.com/2012/02/… for more information.

– Pinpoint
Apr 20 '17 at 12:09

add a comment |

For use a cert in the machine personal store.

You must give permisions to the app pool of the site.

Go to machine certficate manager.

In the personal folder right click the certificate and select
All Task>Manage private keys (not sure the options in english, my os is spanish)

In the security window add the app pool user, you can see it in the basic configuration of your site or aplication

IIS APPPOOLhere_your_app_pool_name

then can use it in the Startup with

 options.AddSigningCertificate("here cert thumbprint, look for it in cert info");

answered Nov 21 '18 at 19:31

FRL

57057

add a comment |

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f43486879%2fopeniddict-error-with-addsigningcertificate%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

            if (this.env.IsDevelopment())

                options.AddEphemeralSigningKey();      

            else

                options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

I also had to add full rights to file for IIS user. Read and execute right was not enough.

And that's it. It works.

answered Apr 20 '17 at 8:45

Makla

3,04032566

1

Using a separate certificate is indeed the right thing to do. Note: you should consider storing it in the machine store. The error you were seeing was likely caused by the fact the IIS app pool identity was not allowed to access the private key. You can read bartwullems.blogspot.com/2012/02/… for more information.

– Pinpoint
Apr 20 '17 at 12:09

add a comment |

            if (this.env.IsDevelopment())

                options.AddEphemeralSigningKey();      

            else

                options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

I also had to add full rights to file for IIS user. Read and execute right was not enough.

And that's it. It works.

answered Apr 20 '17 at 8:45

Makla

3,04032566

1

Using a separate certificate is indeed the right thing to do. Note: you should consider storing it in the machine store. The error you were seeing was likely caused by the fact the IIS app pool identity was not allowed to access the private key. You can read bartwullems.blogspot.com/2012/02/… for more information.

– Pinpoint
Apr 20 '17 at 12:09

add a comment |

            if (this.env.IsDevelopment())

                options.AddEphemeralSigningKey();      

            else

                options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

I also had to add full rights to file for IIS user. Read and execute right was not enough.

And that's it. It works.

answered Apr 20 '17 at 8:45

Makla

3,04032566

            if (this.env.IsDevelopment())

                options.AddEphemeralSigningKey();      

            else

                options.AddSigningCertificate(new FileStream(Directory.GetCurrentDirectory() + "/Resources/cert.pfx", FileMode.Open), "pass");

I also had to add full rights to file for IIS user. Read and execute right was not enough.

And that's it. It works.

answered Apr 20 '17 at 8:45

Makla

3,04032566

answered Apr 20 '17 at 8:45

Makla

3,04032566

answered Apr 20 '17 at 8:45

Makla

3,04032566

answered Apr 20 '17 at 8:45

Makla

3,04032566

1

Using a separate certificate is indeed the right thing to do. Note: you should consider storing it in the machine store. The error you were seeing was likely caused by the fact the IIS app pool identity was not allowed to access the private key. You can read bartwullems.blogspot.com/2012/02/… for more information.

– Pinpoint
Apr 20 '17 at 12:09

add a comment |

1

Using a separate certificate is indeed the right thing to do. Note: you should consider storing it in the machine store. The error you were seeing was likely caused by the fact the IIS app pool identity was not allowed to access the private key. You can read bartwullems.blogspot.com/2012/02/… for more information.

– Pinpoint
Apr 20 '17 at 12:09

Using a separate certificate is indeed the right thing to do. Note: you should consider storing it in the machine store. The error you were seeing was likely caused by the fact the IIS app pool identity was not allowed to access the private key. You can read bartwullems.blogspot.com/2012/02/… for more information.

– Pinpoint
Apr 20 '17 at 12:09

add a comment |

For use a cert in the machine personal store.

You must give permisions to the app pool of the site.

Go to machine certficate manager.

In the personal folder right click the certificate and select
All Task>Manage private keys (not sure the options in english, my os is spanish)

In the security window add the app pool user, you can see it in the basic configuration of your site or aplication

IIS APPPOOLhere_your_app_pool_name

then can use it in the Startup with

 options.AddSigningCertificate("here cert thumbprint, look for it in cert info");

answered Nov 21 '18 at 19:31

FRL

57057

add a comment |

For use a cert in the machine personal store.

You must give permisions to the app pool of the site.

Go to machine certficate manager.

In the personal folder right click the certificate and select
All Task>Manage private keys (not sure the options in english, my os is spanish)

In the security window add the app pool user, you can see it in the basic configuration of your site or aplication

IIS APPPOOLhere_your_app_pool_name

then can use it in the Startup with

 options.AddSigningCertificate("here cert thumbprint, look for it in cert info");

answered Nov 21 '18 at 19:31

FRL

57057

add a comment |

For use a cert in the machine personal store.

You must give permisions to the app pool of the site.

Go to machine certficate manager.

In the personal folder right click the certificate and select
All Task>Manage private keys (not sure the options in english, my os is spanish)

In the security window add the app pool user, you can see it in the basic configuration of your site or aplication

IIS APPPOOLhere_your_app_pool_name

then can use it in the Startup with

 options.AddSigningCertificate("here cert thumbprint, look for it in cert info");

answered Nov 21 '18 at 19:31

FRL

57057

For use a cert in the machine personal store.

You must give permisions to the app pool of the site.

Go to machine certficate manager.

In the personal folder right click the certificate and select
All Task>Manage private keys (not sure the options in english, my os is spanish)

In the security window add the app pool user, you can see it in the basic configuration of your site or aplication

IIS APPPOOLhere_your_app_pool_name

then can use it in the Startup with

 options.AddSigningCertificate("here cert thumbprint, look for it in cert info");

answered Nov 21 '18 at 19:31

FRL

57057

answered Nov 21 '18 at 19:31

FRL

57057

answered Nov 21 '18 at 19:31

FRL

57057

answered Nov 21 '18 at 19:31

FRL

57057

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

Search This Blog

Ufyukyu