Tags: linux, apache, asp.net-core, asp.net-identity, identityserver4

ASP.NET Core 6 ReactJS Web App on Linux has issues with IDX10634: Unable to create the SignatureProvider


I have deployed an ASP.NET 6 solution based on the ASP.NET 6 ReactJS template into a Linux CentOS/Apache hosting environment.

According to the error message provided below, it seems I need to alter the algorithm for the signature provider, yet I am at a loss as to how exactly to do this.

System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'xxxxxxxxxxxx', InternalId: 'xxxxxxx'.' is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms

I have found several FAQs indicating that I should use ECDSA or similar instead, but no real examples of how exactly to implement this within my type of solution, with examples of modifications in Program.cs or similar.

I would appreciate any tips or thoughts on this!

Thanks in advance!


Solution

  • You can use OpenSSL to create your own ECDSA key using:

    # Create P-256 ECDSA private key (passphrase-protected with AES-256)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -aes256 -out p256-private.pem
    
    # Optionally, if you want to extract the public key:
    openssl ec -in p256-private.pem -pubout -out p256-public.pem
    
    # Create the certificate file (self-signed, valid for one year)
    openssl req -new -x509 -key p256-private.pem -days 365 -subj "/CN=MyP256Cert" -out p256-cert.crt
    
    # Create the PFX file; the private key must be included, the .crt alone carries none
    openssl pkcs12 -export -inkey p256-private.pem -in p256-cert.crt -out es256.pfx
    

    Then you can load it in C# using:

    // Load the PFX (certificate plus ECDSA private key) created above
    var ecdsaCert = new X509Certificate2("es256.pfx", "password");
    // ECDsaSecurityKey is the type IdentityServer's ES256 overload expects
    var ecdsaPrivateKey = new ECDsaSecurityKey(ecdsaCert.GetECDsaPrivateKey());
    

    You can add it to IdentityServer using something like this:

    // Add ES256 (ECDSA using P-256 and SHA-256); GetECDsaPrivateKey() is an
    // extension method on X509Certificate2, and the key is wrapped in an ECDsaSecurityKey
    builder.AddSigningCredential(new ECDsaSecurityKey(ecdsaCert.GetECDsaPrivateKey()), IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
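As an added illustration that is not part of the original answer, here is a Program.cs fragment that wires the PFX above into IdentityServer and checks at startup that the key can actually sign ES256, so a misbuilt PFX fails with a readable message instead of IDX10634 at token issuance. It assumes a plain `AddIdentityServer()` builder, the `IdentityServer4` namespace (Duende exposes the same method under `Duende.IdentityServer`), and two made-up configuration keys, `Signing:PfxPath` and `Signing:PfxPassword`.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys (not from the original post); keep the password
// out of appsettings.json and supply it via environment or a secret store.
var pfxPath = builder.Configuration["Signing:PfxPath"] ?? "es256.pfx";
var pfxPassword = builder.Configuration["Signing:PfxPassword"];

// EphemeralKeySet keeps the private key in memory instead of the per-user
// key store, which avoids key-store permission problems under Apache/systemd.
var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.EphemeralKeySet);

// A .crt converted to PFX without "-inkey" yields null here: no private key, no signer.
ECDsa? ecdsa = cert.GetECDsaPrivateKey();
if (ecdsa is null)
    throw new InvalidOperationException(
        $"{pfxPath} contains no ECDSA private key; rebuild it with 'openssl pkcs12 -export -inkey ...'.");

// ES256 means ECDSA over P-256 with SHA-256; a P-384 or P-521 key needs ES384/ES512 instead.
if (ecdsa.KeySize != 256)
    throw new InvalidOperationException(
        $"Expected a 256-bit (P-256) key for ES256, but the key is {ecdsa.KeySize} bits.");

var signingKey = new ECDsaSecurityKey(ecdsa) { KeyId = cert.Thumbprint };

// Same capability check the token signer performs; running it here turns the
// late IDX10634 failure into an explicit startup error.
if (!CryptoProviderFactory.Default.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256, signingKey))
    throw new InvalidOperationException("ES256 is not supported for this key on this platform.");

builder.Services.AddIdentityServer()
    .AddSigningCredential(signingKey, IdentityServerConstants.ECDsaSigningAlgorithm.ES256);

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```

After deployment, the discovery document at /.well-known/openid-configuration should list ES256 under id_token_signing_alg_values_supported, which confirms the new credential is the one in use.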