
I am using IdentityServer3 for authentication. IdentityServer3 is using a signing certificate (the certificate that is used for signing tokens) created using makecert as per this article.

makecert -r -pe -n "CN=SigningOnlyCert" -b 01/01/2015 -e 01/01/2020 -sky signature -a sha256 -len 2048 -ss my -sr LocalMachine

This signing-only certificate has been working fine with IdentityServer3.

Now I am trying to add a SAML2 external provider using the SustainSys library. I configured SPOptions to load the same signing-only certificate, like `Saml2AuthenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindwosStore())`. However, it throws an error:

Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).

When I debug the library code, the actual exception is Bad Key, as mentioned in #412.

Not sure why this certificate is not working with SustainSys, when it works with IdentityServer3?

(Note that if I create a new SSL certificate as per @brockallen's article,

makecert -r -pe -n "CN=SSLCert" -b 01/01/2015 -e 01/01/2020 -sky exchange -a sha256 -len 2048 -ss my -sr localMachine

then the SustainSys library works with the SSL certificate, but not with the sign-only certificate.)

LP13
  • Can you clarify what you are trying to do with this certificate? E.g. inbound encrypted assertions, outbound signed requests, or both? – explunit Oct 17 '18 at 21:26
  • The SustainSys library needs that certificate for signing – LP13 Oct 17 '18 at 22:06

1 Answer


That message indicates the certificate may not have the proper usage flags for encryption/decryption. But, if I am understanding you correctly, you don't actually want encryption. If so, you can specify that your intended use is Signing.

There is an overload of that ServiceCertificates.Add method which lets you specify the intended use, e.g.

Saml2AuthenticationOptions.SPOptions.ServiceCertificates.Add(
  new ServiceCertificate
  {
    Certificate = LoadCertificateFromWindwosStore(),
    Use = CertificateUse.Signing
  }
);

The above would let you use it to sign outbound login/logout requests and would be published with use=signing in your metadata.

Note that this is different from the IDP's certificate, which it uses to sign responses. That is configured along with the rest of the IDP information in the IdentityProviders list (ideally, using MetadataLocation to retrieve the certificate automatically).

explunit
  • So if I set `Use = CertificateUse.Signing`, is it okay to use a `.cer` certificate that has only a public key? Does the SustainSys library use this certificate for any other purpose? – LP13 Oct 18 '18 at 15:19
  • No, you'll need the private key in order to sign messages. If you set the Use = signing it will use it for anything that needs a signed request (e.g. auth and logout requests). If you set Use = Both then it will also attempt to use it to decrypt any inbound assertions that are encrypted. – explunit Oct 18 '18 at 18:05
  • @explunit Isn't that exception message from the check you implemented where you ensure that the supplied certificate works for encryption/decryption? I.e. the usage flags created by MakeCert don't allow encryption/decryption? – Anders Abel Oct 19 '18 at 06:27
  • @AndersAbel yes that's right but based on the question/comments it seemed like encryption wasn't the desired outcome. Updated the answer to make that clear. – explunit Oct 19 '18 at 13:02
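Putting the answer and its comments together, here is an added example (not code from the question, the answer, or the Sustainsys project) that loads the certificate from the LocalMachine store, probes whether its private key can sign and whether it can decrypt, and then registers it with the correct `CertificateUse`. It assumes the subject name `CN=SigningOnlyCert` from the makecert command in the question, the `ServiceCertificate`, `CertificateUse` and `SPOptions` types from `Sustainsys.Saml2.Configuration` as used in the answer, and that the class and method names (`SigningCertificateSetup`, `LoadFromMachineStore`, `CheckCertificateUses`, `BuildServiceCertificate`, `Register`) are hypothetical helpers. The probe reproduces the behaviour described in the comments: a makecert `-sky signature` key signs but throws a CryptographicException ("Bad Key") on RSA decryption, while a `-sky exchange` key does both.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Sustainsys.Saml2.Configuration;

// Added example; helper names are hypothetical, not part of Sustainsys.
public static class SigningCertificateSetup
{
    // Load the certificate (with its private key) from LocalMachine\My by subject name.
    // Reading the private key of a LocalMachine certificate requires that the
    // application pool / service account has been granted access to it.
    public static X509Certificate2 LoadFromMachineStore(string subjectName)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var cert = store.Certificates
                .Find(X509FindType.FindBySubjectName, subjectName, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
            if (cert == null)
                throw new InvalidOperationException(
                    $"Certificate '{subjectName}' not found in LocalMachine\\My.");
            return cert;
        }
    }

    // Probe what the private key can actually do before handing it to the library.
    // A '-sky signature' (AT_SIGNATURE) key signs but fails RSA decryption with
    // "Bad Key"; a '-sky exchange' (AT_KEYEXCHANGE) key can do both.
    public static (bool CanSign, bool CanDecrypt) CheckCertificateUses(X509Certificate2 cert)
    {
        // A public-only .cer cannot sign outbound requests at all.
        if (!cert.HasPrivateKey)
            return (false, false);

        var probe = Encoding.UTF8.GetBytes("constructed probe data");
        bool canSign = false, canDecrypt = false;

        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            try
            {
                byte[] sig = priv.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                canSign = pub.VerifyData(probe, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
            catch (CryptographicException) { /* key cannot sign */ }

            try
            {
                byte[] ct = pub.Encrypt(probe, RSAEncryptionPadding.OaepSHA1);
                canDecrypt = priv.Decrypt(ct, RSAEncryptionPadding.OaepSHA1).SequenceEqual(probe);
            }
            catch (CryptographicException) { /* "Bad Key": signature-only key */ }
        }
        return (canSign, canDecrypt);
    }

    // Build the ServiceCertificate with a Use that matches what the key supports.
    // The default Use is Both, which is what triggers the encryption/decryption
    // check in the question; a signing-only key must be declared as Signing.
    public static ServiceCertificate BuildServiceCertificate(X509Certificate2 cert)
    {
        var uses = CheckCertificateUses(cert);
        if (!uses.CanSign)
            throw new InvalidOperationException(
                "Certificate cannot sign: private key missing or inaccessible.");

        return new ServiceCertificate
        {
            Certificate = cert,
            Use = uses.CanDecrypt ? CertificateUse.Both : CertificateUse.Signing
        };
    }

    // Usage: call once when configuring Saml2AuthenticationOptions.SPOptions.
    public static void Register(SPOptions spOptions, string subjectName = "SigningOnlyCert")
    {
        spOptions.ServiceCertificates.Add(
            BuildServiceCertificate(LoadFromMachineStore(subjectName)));
    }
}
```

With the signing-only certificate from the question, `CheckCertificateUses` returns `(CanSign: true, CanDecrypt: false)` and the certificate is registered as `CertificateUse.Signing`, so it is used for outbound AuthnRequest/logout signatures and published with `use="signing"` in metadata; only a key that passes the decrypt probe is registered as `Both` and offered for decrypting inbound assertions.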