IdentityServer 3 signing certificate expiry
What happens when the signing certificate (used for signing jwt tokens) expires when using IdentityServer 3?
It's unclear to me and I can't find any documentation, other than that it's possible to get a warning that it has expired. (Ref. https://identityserver.github.io/Documentation/docsv2/configuration/events.html)
Is there any mechanism that stops the use of expired signing certs?
And what happens on the client side (client being the Web API that uses IdentityServer for authentication) when validating a token signed by an expired certificate? (For example if https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation is used as a middleware.)
Well I've just tested this (on IdentityServer4) and it seems to continue to work happily with an expired signing certificate, here's my test cert's validity:
I'm able to login, get an ID token and an access token and then access an API with the access token. What IdentityServer does do however is to log a warning:
2017-07-13 12:15:54.871 +02:00 [Warning]
Certificate "CN=test_expired_signing_certificate" has expired on "13/07/2016 14:14:37"
This matches what the IdentityServer (3) docs say here:
IdentityServer raises a number of events at runtime, e.g:
snip...
- Expired/invalid/no signing certificate
By default these events are forwarded to the configured log provider - a custom event service can process or forward them in any way suitable for the environment.
So this would be your way of detecting it when it's already too late. A better option is to rollover signing keys periodically and within the validity of the keys, this is the common approach which also allows for a compromised key to be revoked if necessary. See this issue where the process is discussed, basically IdentityServer can handle two keys:
[Middleware refreshes] the metadata document ... once a day.
The metadata doc can hold 2 keys - primary and secondary and the middleware will load and use both when present (JWTs have a key identifier that allows picking the right one).
When you start to rollover - set both keys and at some point swap primary and secondary.
- Parsing a DN from certificate in pem format (correct order)
- OpenSSL CSR subject line variation with use of emailAddress
- Smallstep X509 Certificates cause SEC_ERROR_BAD_DER in Firefox
- getting error while trying to convert pfx without password to jks
- Write x509 certificate into PEM formatted string in java?
- What is the correct way to free output buffer after call to openssl::i2d_X509?
- Extract properties from a CRL file using C#
- How to connect to MongoDB with certificate using DataGrip?
- go parse in ecdsa public key in uncompressed hex format to ecdsa.PublicKey
- X509_STORE_CTX_init calls free on X509_STORE_CTX?
- Creating an x509 v3 user certificate by signing CSR
- How to extract the AuthorityKeyIdentifier from a X509Certificate2 in .NET
- How can I transform between the two styles of public key format, one "BEGIN RSA PUBLIC KEY", the other is "BEGIN PUBLIC KEY"
- Cannot parse TPM2.0 public key
- How to mock/create X509Certificate2 for unit testing?
- Creating X509 certificate in C using post-quantum public key algorithm?
- Cannot create Microsoft Graph API subscription using self signed C# X509Certificate2
- How to verify if my certificate is successfully added to device keychain
- Checking digital signature on EXE
- How to use OpenSSL for self-signed certificates with custom CA and proper SAN settings?
- Does anyone know how to generate a ValueType of X509PKIPathv1 in the BinarySecurityToken of a SOAP WSSE header?
- OpenSSL as a CA without touching the certs/crl/index/etc environment
- How to configure Mongo client to login regardless of whether the Mongo server requires x509 authentication or nothing
- Get chain or CA issuer from x509 certificate using OpenSSL CLI
- How are ssl certificates verified?
- Is there a (simple) way to parse CRL in Python?
- How to create a single line x509 certificate that can be parsed by OpenSSL commandline tool
- Check signature for x509 certificate
- X509Chain building using a custom certificate store
- Java Invalid keystore format