
For my Identity Server 4, we have two different servers set up to host the application. I asked our operations team to install the same certificate on the two servers. However, they both have received different thumbprints, and the values in the certificates are different in the following fields: kid, x5t, n and the value in the x5c chain is also different between the two, when I load the .well-known/openid-configuration/jwks address. I've posted the keys below. Will this work? I thought the values would be the same for the x5c.0 value, if they were based on the same private key.

First key:

```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "8366EB61F60720FE0FCC5C0E6BF3E5F8ACC98E2DRS256",
      "x5t": "g2brYfYHIP4PzFwOa_Pl-KzJji0",
      "e": "AQAB",
      "n": "6sYPa_JNapDqcw3KgvlmtbrrCuYCd1sq3R_3Ao1aAW7bHjdN1isphP8eWsCA5WeTDmDSfE1GsN2ri0pyVY8LlqAYznEyqHI1FDVS_d601TMiq_WiMTapnQQKFdw0SF1xLNWVT13QsosgErYq0g7pJvlpYDRRXymU8Arw0LMya6nD2sMbFggYEpqMdT_j7KLiZ6oC_2G5v4VVaMdZOF8ppzUkFFtj4MU4k7J_8zVM1LbCy8vH8uyjxGqCsRzbryDu-yhQmPy1FIXBX4ZZgXy8gB2bLLPtndba9rmSFMq4VbWDjwe2hqAF7X4yvru0bGeu_4mxB10vxO2KPP9Sqaniqw",
      "x5c": [
        "MIIFvDCCA6SgAwIBAgITHQAAADE6PYCZMMXL9QAAAAAAMTANB8VHvcXFg4="
      ],
      "alg": "RS256"
    }
  ]
}
```

Second key:

```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "B2042B75C33612AC9BD31051B2821E5DEB4D0F34RS256",
      "x5t": "sgQrdcM2Eqyb0xBRsoIeXetNDzQ",
      "e": "AQAB",
      "n": "zJiOYj3NhxS4vxte0GtimbMwu6DtFHISguFdlLaroRQaNciqVynyRYJ2v8y5194miwT_K3jtKnh9lSGz93Q7Z500kvmZjS9boqQFn8g-I_02FOUUcLzsJJOTcBGqt6lvja5YlVhdWKG92sq8RizkDm28GV6bdDLh8mbR6GtwyvD2iN7aHs7nE6Z-S5doFlkr4SJ9lUxNMr18WpQHqXvP3Z0lpr8E5DRVv80n5HS7u9uusZvhryOp1QgQGfikCqPc8XNcZ9GyXhtGJkHD-QlpUZVbondHZOCi5IKOUrq7LK4cgILB-zDVIGVpyl0JhhjCCp02wq9kWcgKAvTcb8m8Aw",
      "x5c": [
        "MIIFmjCCA4KgBpvenCRU6YuvZamis9K4OrGuKNK0EwNe1tbPMViVE++/H21P/utQ=="
      ],
      "alg": "RS256"
    }
  ]
}
```
FrankDrebin893

1 Answer

Why don't you use the same signing key certificate with the same private key in both installations of IdentityServer?

You also need to keep in mind that the certificate for the domain name (the server) is separate from the token signing keys.

The token signing key needs to be the same in both instances. To install the private signing key, it can be convenient to wrap it up inside an X509 certificate.

A certificate contains a private key and you can have many certificates based on the same private key. I would use openssl to generate the private signing key for the tokens and keep the domain certificate separate, just to get a clear separation of concern. If you use Azure Key Vault, you can even create and store the keys there directly.

Tore Nestenius
  • I wanted to use the same X509. I fetch it from the Cert store. The certs are installed in the MMC on each of the host servers, so I grab it from there by thumbprint. And yes, to my understanding, the certificate does not have to be related to the domain name it's hosted on, trusted or anything else. But how would the certificate look if the private key is the same? Would thumbprint and all other values be equal? – FrankDrebin893 Oct 13 '20 at 07:05
  • Hi Tore. I ended up doing as you (and many others) suggested and generated a certificate myself. I've password protected it and included it in my repository for a start. It's only to test, I would prefer not to go into production like this. It works after solving some other issues. I think I'll try to use Azure Key Vault. I do not like using the MMC, because it's difficult to ensure it's setup, if we need to move to a different server etc. I think AKV would give me way more control as a developer, since I don't have access to the MMC on production machines. Thanks for your help. – FrankDrebin893 Oct 16 '20 at 11:41
  • I am using Azure Key Vault for most of my settings, certificates and keys nowadays. So much simpler to centralize it to one service. – Tore Nestenius Oct 18 '20 at 13:57
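The comment thread asks how the JWKS would look if the private key were the same. The added Go example below (not from the question, the answer or IdentityServer) issues two certificates over one RSA key pair and derives the JWKS fields the way a JWKS endpoint does: `n` and `e` come from the key and stay equal, while `x5t`, `x5c[0]` and the thumbprint change with each certificate. It assumes `kid` is the uppercase hex SHA-1 thumbprint with "RS256" appended, which is the shape seen in the posted keys.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

type JWK struct{ Kid, X5t, N, E, X5c string } // the JWKS fields the question compares
// jwkFromCert derives them from a DER cert as a JWKS endpoint does: x5t = base64url(SHA-1 of
// DER), n/e from the public key, x5c[0] = base64 DER; kid = hex thumbprint+"RS256" (assumed).
func jwkFromCert(der []byte) (JWK, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return JWK{}, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return JWK{}, fmt.Errorf("not an RSA certificate")
	}
	sum := sha1.Sum(der) // the thumbprint MMC displays
	b64 := base64.RawURLEncoding.EncodeToString
	return JWK{fmt.Sprintf("%XRS256", sum[:]), b64(sum[:]), b64(pub.N.Bytes()),
		b64(big.NewInt(int64(pub.E)).Bytes()), base64.StdEncoding.EncodeToString(der)}, nil
}

// selfSigned wraps key in a cert; a new serial means a new cert over the same key pair.
func selfSigned(key *rsa.PrivateKey, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "signing"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SameKeyMaterial is the property both IdentityServer instances must satisfy.
func SameKeyMaterial(a, b JWK) bool { return a.N == b.N && a.E == b.E }

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	c1, _ := selfSigned(key, 1)
	c2, _ := selfSigned(key, 2)
	j1, _ := jwkFromCert(c1)
	j2, _ := jwkFromCert(c2)
	fmt.Println("same key:", SameKeyMaterial(j1, j2), "same x5t:", j1.X5t == j2.X5t) // true false
}
```

Running the check against two live JWKS documents shows whether the servers share signing key material (equal `n` and `e`) even when operations installed differently issued certificates.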