0

Running a freshly created IdentityServer4 ASP.NET Core based server. It "works" in the sense that it has been working without HTTPS, both in calls to authenticate and also to serve up some ASP.NET MVC views. I switched it to use HTTPS for my local development environment, generating certificates as per this article.

From a browser, it "works". I'm able to do as that article suggests in the case of Chrome and bypass the security warning to get to the web views. However, from a .NET client I'm using the IdentityModel NuGet package and just trying to access the metadata using the Discovery Endpoint now fails. The server gives a "Failed to authenticate HTTPS connection" IOException, and the client gives a "Certificate authority is invalid or incorrect" HttpRequestException.

I'm guessing this is related to the fact that in the browser things are interactive and I'm able to tell it to ignore the warning and proceed. But in code, and using that library in particular, it is giving me that exception and not proceeding. Maybe.

Is there any way to handle this scenario of running IdentityServer4/AspNetCore with HTTPS and a self-signed cert better? Is there something that can be done with the DiscoveryClient that I'm not seeing?

This question is similar but the re-generation of the certificate did not help in this case. And I was wondering if there were other causes or insights from the IdentityServer / DiscoveryClient angle.

DennisWelu

1 Answer

5

Most probably the error "Certificate authority is invalid or incorrect" is because the client cannot trust the certificate of the server. You can install the certificate you created to the root certificate authority in your machine (where the client is running).

  1. Start MMC (mmc.exe), add the Certificates snap-in for a computer account, and manage certificates for the local computer.
  2. Select File > Add/Remove Snap-in.
  3. Click the Certificates snap-in and click Add.
  4. On the Certificates snap-in display, select Computer account and click Next.
  5. Select Local Computer and click Finish and then OK.
  6. In the left navigation pane, expand Certificates (Local Computer).
  7. Right-click on Trusted Root Certification Authorities and select All Tasks > Import.
  8. The Certificate Import Wizard opens.
  9. Click Next.
  10. Browse for the certificate you created and click Next.
  11. Select Place all certificates in the following store: Trusted Root Certification Authorities and click Next, then click Finish.

If you are running on IIS Express, it will run under your credentials, so you have to add it to the user store in step 4. If you are running under IIS, you have to add the certificate to the Computer. You can also import to both stores.

Select both the user store and the Computer store:

[screenshot: user account store]

After adding both snap-ins:

[screenshot: certificate snap-ins]

Import the certificate:

[screenshot: import the certificate]

Rohith
  • Many thanks ROHITH. Nice detailed answer! I moved on to "the next problem", having to do with the host name not matching, but I think the answer for that is found in here: https://github.com/IdentityServer/IdentityServer3/issues/553. – DennisWelu Apr 07 '17 at 04:22
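
The same import as the MMC steps in the answer above, scripted in PowerShell, with a check for the host name mismatch mentioned in the comment. This is an added example, not part of the original answer; the parameter names `CertPath`, `Scope` and `ExpectedHost` are assumptions.

```powershell
# Added example: trust a self-signed development certificate on the client machine.
# CertPath, Scope and ExpectedHost are hypothetical parameter names for this sketch.
param(
    [Parameter(Mandatory)] [string] $CertPath,   # exported public certificate (.cer / .crt)
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string] $Scope = 'CurrentUser',             # user store (IIS Express) or computer store (IIS)
    [string] $ExpectedHost = 'localhost'         # host name the client uses in the authority URL
)

$fullPath = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# Only a self-signed certificate belongs in a root store; anything else needs its issuer trusted.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed (issuer: $($cert.Issuer))."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Trusting the certificate does not fix a name mismatch, so check the name up front.
# GetNameInfo returns only the first DNS name (SAN entry, or the subject CN as fallback).
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$dnsName = $cert.GetNameInfo($nameType, $false)
if ($dnsName -ne $ExpectedHost) {
    Write-Warning "Certificate name '$dnsName' does not match '$ExpectedHost'."
}

$store = "Cert:\$Scope\Root"
$existing = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Host "Already trusted in $store (thumbprint $($cert.Thumbprint))."
} else {
    # LocalMachine needs an elevated session; the user root store may show a confirmation prompt.
    Import-Certificate -FilePath $fullPath -CertStoreLocation $store | Out-Null
    Write-Host "Imported '$($cert.Subject)' into $store."
}

# Confirm the chain now builds. Revocation is skipped: a self-signed dev cert has no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    Write-Host "Chain validates."
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
```

Import only the public certificate, not the private key, on the client. When the certificate is no longer needed, delete its entry from the same store (it appears under `Cert:\<Scope>\Root` by thumbprint) so the trust does not outlive the development setup.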