
IdentityServer3 Invalid provider type specified when using Self-Signed Certificate


I'm trying to secure an ASP.NET Web API using the IdentityServer3 library.

I created a self-signed certificate for signing the security tokens as follows:

[Image: My Self-Signed Certificate]

Then I got the following exception when I call my Authorization Server:

http://localhost:53180/connect/token

"InnerException": {
    "Message": "An error has occurred.",
    "ExceptionMessage": "Invalid provider type specified.\r\n",
    "ExceptionType": "System.Security.Cryptography.CryptographicException",
    "StackTrace": "   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n   at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\\workspace\\WilsonForDotNet45Release\\src\\System.IdentityModel.Tokens.Jwt\\AsymmetricSignatureProvider.cs:line 147"

It seems there is a problem with the certificate's private key:

[Image: Private Key Problem]

Please help!


Solution

  • See: https://github.com/IdentityServer/IdentityServer3/issues/2859

    You need a certificate with a private key managed by a legacy CSP, not CNG.

    If you're running on Windows Server 2016 or Windows 10, the New-SelfSignedCertificate cmdlet has been extended substantially and now includes all the options you need. The following command will generate a certificate suitable for token signing, with the private key managed by a legacy CSP:

    New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my `
     -FriendlyName "Token Signing" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
     -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -KeySpec Signature `
     -DnsName ([System.Net.Dns]::GetHostByName($env:computerName).HostName)
    

    The key part is the -KeySpec Signature which forces the use of a legacy CSP for the private key.
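As an added example (not part of the original question or answer), the following PowerShell checks whether a certificate's private key is held by a legacy CSP, which is what the `X509Certificate2.PrivateKey` getter in the stack trace above requires, or by a CNG key storage provider, which produces the "Invalid provider type specified" exception. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, run with rights to read private keys in the local machine store; the friendly name "Token Signing" is the one used by the New-SelfSignedCertificate command in the answer, and the function name Test-LegacyCspPrivateKey is my own.

```powershell
# Added example, not from the original post: report whether each certificate's private key
# is CSP-backed (usable via X509Certificate2.PrivateKey on .NET Framework) or CNG-backed.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+; the friendly name "Token Signing"
# is the one from the answer's New-SelfSignedCertificate command.

function Test-LegacyCspPrivateKey {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $result = [ordered]@{
        Thumbprint       = $Certificate.Thumbprint
        FriendlyName     = $Certificate.FriendlyName
        HasPrivateKey    = $Certificate.HasPrivateKey
        Provider         = $null
        LegacyCsp        = $false
        PrivateKeyUsable = $false   # true only when the legacy PrivateKey getter succeeds
    }

    if ($Certificate.HasPrivateKey) {
        # GetRSAPrivateKey returns RSACryptoServiceProvider for CSP-backed keys and
        # RSACng for keys held by a CNG key storage provider (null for non-RSA keys).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $result.LegacyCsp = $true
            $result.Provider  = $rsa.CspKeyContainerInfo.ProviderName
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $result.Provider  = $rsa.Key.Provider.Provider
        }

        # Exercise the exact code path from the stack trace in the question:
        # X509Certificate2.get_PrivateKey throws CryptographicException for CNG keys.
        try {
            $result.PrivateKeyUsable = ($null -ne $Certificate.PrivateKey)
        } catch [System.Security.Cryptography.CryptographicException] {
            $result.PrivateKeyUsable = $false
        }
    }

    [pscustomobject]$result
}

# Report the token-signing certificate(s) in the machine store. Drop the Where-Object
# filter to audit every certificate in the store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'Token Signing' } |
    ForEach-Object { Test-LegacyCspPrivateKey -Certificate $_ } |
    Format-Table -AutoSize
```

A certificate created without `-KeySpec Signature` shows up with `LegacyCsp` false, a CNG provider name (typically "Microsoft Software Key Storage Provider") and `PrivateKeyUsable` false, which is the condition that makes IdentityServer3's signing path fail; one created with the command in the answer shows `LegacyCsp` and `PrivateKeyUsable` true. Running this check before wiring a certificate into IdentityServer3 turns a runtime exception at `/connect/token` into a deployment-time finding.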