Closed davisnw closed 9 years ago
We've known about this issue and the attitude was that you shouldn't be using the same CN in multiple certs.
From the following links, it is recommended to use different keys for signing than for encryption, which would seem to contradict the assertion that you shouldn't be using the same CN in multiple certs.
Right - but it is not recommended to have multiple certs with the same name in the same certificate store. No issue with using different names for signing and encryption certs.
If I understand what you're saying, you're suggesting that if we have two certs for different purposes (signing vs encryption) for the same CN, then they should each be in a different certificate store.
Maybe I'm missing something - but I don't see that IdentityServer allows you to specify which certificate store to retrieve the certificate from.
Also, other applications seem to support selecting a specific cert when two certs with the same CN are present. For example, IIS has no problem picking up the correct cert (I assume it finds by ThumbPrint). SharePoint 2013 also appears to locate certificates via ThumbPrint for its "Trusted Identity Provider" functionality.
No - I am saying that you should give each cert a unique name.
I'm not sure giving each cert a unique name is viable. I think external applications require the CN of the certificate to match the realm. I'll do a little testing against an IdentityServer/SharePoint installation I have.
Also, when you say "it is not recommended to have multiple certs with the same name in the same certificate store", upon what is that based? Is it just because IdentityServer doesn't support it, or are there larger issues of which you are thinking?
Only SSL certs have a requirement that the CN matches the DNS name. Signing/encryption certs can be called whatever you like.
Ok, I see. And I verified that it works in my environment by specifying an arbitrary unique CN for the certificate shared between KeyMaterialConfiguration and my SharePoint trusted identity provider.
Thanks for your help - I really appreciate your quick responses.
If there are multiple certificates in the machine store that have the same CN, then IdentityServer may pull back the wrong certificate based on the SigningCertificateName of KeyMaterialConfiguration. When this occurs the issued tokens will be rejected by other applications.
I believe the problem lies in Thinktecture.IdentityServer.Repositories.Sql.Mappings
I believe there are two things that need to happen to resolve this:
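The ambiguity the issue describes, as an added example that is not part of the issue or of IdentityServer's code base: a lookup against the LocalMachine\My store that refuses to pick a certificate when the subject name matches more than one, and prefers a thumbprint when one is configured. SigningCertificateLocator and its parameters are hypothetical stand-ins for KeyMaterialConfiguration's settings; the X509Store calls are the standard .NET ones.

```csharp
// Added example, not IdentityServer's own code.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class SigningCertificateLocator
{
    // subjectName plays the role of SigningCertificateName; thumbprint is an
    // optional, unambiguous identifier (hypothetical setting).
    public static X509Certificate2 Find(string subjectName, string thumbprint = null)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // A thumbprint identifies exactly one certificate, so it cannot be ambiguous.
            if (!string.IsNullOrEmpty(thumbprint))
            {
                var byThumb = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (byThumb.Count == 1) return byThumb[0];
                throw new InvalidOperationException(
                    $"No certificate with thumbprint {thumbprint} in LocalMachine\\My.");
            }

            // FindBySubjectName is a substring match on the subject, so a signing
            // cert and an encryption cert issued to the same CN both come back and
            // which one is "first" depends on store order, not on intent.
            var bySubject = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, validOnly: false);

            if (bySubject.Count == 0)
                throw new InvalidOperationException($"No certificate with subject '{subjectName}'.");
            if (bySubject.Count > 1)
            {
                var thumbs = string.Join(", ",
                    bySubject.Cast<X509Certificate2>().Select(c => c.Thumbprint));
                throw new InvalidOperationException(
                    $"Subject '{subjectName}' matches {bySubject.Count} certificates ({thumbs}); " +
                    "give each cert a unique CN or configure a thumbprint instead.");
            }
            return bySubject[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Failing loudly on a duplicate subject turns a silent "tokens rejected by the relying party" symptom into an error at startup, where it is easy to diagnose.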