We have an IdentityServer4-based STS that runs successfully on Windows, where the signing certificate was installed on the local computer with the .pfx under Personal > Certificates and the .cer under Trusted People > Certificates. We can then load the signing credential by its common name as follows:

```csharp
services.AddIdentityServer()
    .AddSigningCredential("CN=CERT_NAME")
    ...
```
Now we want to run our STS implementation in a Docker container, and we are met with the following exception:

```
Unhandled Exception: System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at IdentityModel.X509CertificatesFinder.Find(Object findValue, Boolean validOnly)
   at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderExtensionsCrypto.AddSigningCredential(IIdentityServerBuilder builder, String name, StoreLocation location, NameType nameType)
```
Based on the above error message and the source of the AddSigningCredential method we use here: https://github.com/IdentityServer/IdentityServer4/blob/ec17672d27f9bed42f9110d73755170ee9265116/src/IdentityServer4/Configuration/xtenction it seems obvious that our problem is that IdentityServer4 is looking for the certificate in the local computer's Personal ("My") store, but according to the error message such a store is not available in Unix environments.
So I'm curious to know whether there is any established practice for loading the signing credential for IdentityServer4 in Docker containers, given that it cannot be loaded by name or thumbprint. Is the only option to bundle a certificate with our application and then load it by file name?
Thanks for any help you can offer!
docker x509 identityserver4
Sean
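One container-friendly way to do this, as an added example that is not from the question author or the IdentityServer4 project: on Unix the CurrentUser/My store is backed by a file-based store and does work, so the loader below tries that first by subject DN, then falls back to a PFX mounted into the container (path and password-file location taken from the hypothetical environment variables STS_SIGNING_PFX and STS_SIGNING_PFX_PASSWORD_FILE), checks the certificate has a private key and is not expired, and hands the resulting X509Certificate2 to the AddSigningCredential(X509Certificate2) overload instead of the store-name overload that fails.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialLoader
{
    // Loads the STS signing certificate without touching LocalMachine/My,
    // which .NET on Unix does not support (only Root and CertificateAuthority).
    public static X509Certificate2 LoadSigningCertificate(
        string subjectDn,                                      // e.g. "CN=CERT_NAME"
        string pfxPathEnv = "STS_SIGNING_PFX",                 // hypothetical env var
        string pfxPasswordFileEnv = "STS_SIGNING_PFX_PASSWORD_FILE") // hypothetical env var
    {
        // 1. CurrentUser/My is a file-based store on Unix and can be opened.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, validOnly: true);
            foreach (var cert in matches)
                if (cert.HasPrivateKey) return cert;
        }

        // 2. Fall back to a PFX mounted as a secret (never baked into the image).
        var pfxPath = Environment.GetEnvironmentVariable(pfxPathEnv);
        if (string.IsNullOrEmpty(pfxPath) || !File.Exists(pfxPath))
            throw new InvalidOperationException(
                $"'{subjectDn}' not in CurrentUser/My and {pfxPathEnv} does not point to a file.");

        // Password comes from a file (e.g. a Docker secret) rather than the environment.
        var passwordFile = Environment.GetEnvironmentVariable(pfxPasswordFileEnv);
        string password = (passwordFile != null && File.Exists(passwordFile))
            ? File.ReadAllText(passwordFile).Trim()
            : null;

        // EphemeralKeySet keeps the private key in memory instead of persisting it to a key store.
        var loaded = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.EphemeralKeySet);
        if (!loaded.HasPrivateKey)
            throw new InvalidOperationException($"{pfxPath} does not contain a private key.");
        if (loaded.NotAfter < DateTime.UtcNow || loaded.NotBefore > DateTime.UtcNow)
            throw new InvalidOperationException($"{pfxPath} is outside its validity period.");
        return loaded;
    }
}

// In Startup.ConfigureServices: register the loaded certificate directly.
// var signingCert = SigningCredentialLoader.LoadSigningCertificate("CN=CERT_NAME");
// services.AddIdentityServer().AddSigningCredential(signingCert);
```

Mount the .pfx and its password file read-only into the container at runtime so neither ends up in an image layer or in `docker inspect` output.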