Provided certificate is not valid for encryption/decryption - identityserver3

I am using IdentityServer3 for authentication. The IdentityServer3 is using Signing certificate ( the certificate that is used for signing tokens) created using makecert ar per this article.
makecert -r -pe -n "CN=SigningOnlyCert" -b 01/01/2015 -e 01/01/2020 -sky signature -a sha256 -len 2048 -ss my -sr LocalMachine
This signing only certificate is been working fine with identyserver3
Now I am trying to add SAML2 external provider using SustainSys library. I configured SPOptions to load the same signing only certificate. like
Saml2AuthenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindwosStore())
However its throws error
Provided certificate is not valid for encryption/decryption. There may
be insufficient permissions to its private key in the windows
certificate store or the certificate itself may not have the correct
purposes. If you only want to use it for signing, set the Use property
to Signing (CertificateUse.Signing).
When i debug library code, the actual exception is Bad Key. as mentioned in #412
Now sure why this certificate is not working with SustainSys, when it works with IdentityServer3?
(Note that if i create new SSL certificate as per #brockallen article,
makecert -r -pe -n "CN=SSLCert" -b 01/01/2015 -e 01/01/2020 -sky exchange -a sha256 -len 2048 -ss my -sr localMachine
then SustainSys library works with SSL certificate. But not with signonly certificate
)

That message indicates the certificate may not have the proper usage flags for encryption/decryption. But, if I am understanding you correctly, you don't actually want encryption. If so, you can specify that your intended use is Signing.
There is an overload of that ServiceCertificates.Add method which lets you specify the intended use, e.g.
Saml2AuthenticationOptions.SPOptions.ServiceCertificates.Add(
new ServiceCertificate
{
Certificate = LoadCertificateFromWindwosStore(),
Use = CertificateUse.Signing
}
);
The above would let you use it to sign outbound login/logout requests and would be published with use=signing in your metadata.
Note that this is different than the IDP's certificate which it uses to sign responses. That is configured along with the rest of the IDP information in the IdentityProviders list (ideally, using MetadataLocation to retrieve certificate automatically).

Related

Export an EV code signing certificate from eToken as .pem

In order to use an EV certificate for CI, GitHub actions offers this action: https://github.com/marketplace/actions/authenticode-cloud-signer
This takes advantage of Googles Key Management System (KMS) to deliver hardware key security with HSM.
The options are pretty self-explanatory except for the certificate option which requires the base64 encoded certificate chain in PEM format.
How does one export the certificate as .pem? I use SafeNet to manage the eToken if that helps.

How to check if a digital signature token has signing and encryption

I have a dsc token, im aware that they can be only signing, or they can be signing and encryption. How do i check?
KeyUsageFlag for X509 certificate is a bitwise flag.
Please refer: X509KeyUsageFlags Enum
There can be a single certificate with both the flag set (addation of values for DigitalSignature and KeyEncipherment) i.e. 128 + 32 or two different certificates. This depends on how Certifying Authority choses to issue the certificate.
How do i check?
Method 1: You must have Smartcard or USB Token driver installed which pushesh Certificates in token to Windows Certificate Store on inserting the token. Then run certmgr.msc to open Certificate Manager; go to Personal Certificates, double click the required certificate to open the Certificate Details and check Key Usage property in Details tab. Values displayed here are in Hex. like: Digital Signature (80)
Method 2:
You may filter on key values and check as above.
Install Signer.Digital Browser Extension as described here
Once Extension is installed and available in the browser, open any site so that browser loads extension script and execute below commands from the console of the browser
SignerDigital.getSelectedCertificate("", 32) - to list only Encryption Certificates
SignerDigital.getSelectedCertificate("", 128) - to list only DigitalSignature Certificates.
Here 32 and 128 are X509KeyUsageFilter values as discussed above.

How do I import a CSR reply back into my key-pair via command line?

I've created a keystore with an initial key-pair using keytool -genkeypair command, then generated the CSR using keytool -certreg command, then got it signed by our CA. Now that I got the CSR reply myCSRreply.cer, how do I incorporate the CSR reply with my original key-pair?
I've tried simply importing the CSR reply to my keystore using keytool -import command but that did not change my original key-pair. It simply added the CSR reply as another entry. I'm expecting it to change the issuer and thumbprint of my original key-pair.
I'm able to do what I want to achieve via KeyStore explorer as shown in the following screenshot but I need to know how to do this in command line.
If I tried importing where I specify the CSR reply file and the alias to my original key-pair, I'm getting the following error.
keytool error: java.lang.Exception: Failed to establish chain from
reply
The command I used to import CSR back into my key-pair that generated that error:
keytool -keystore myKeyStore.pfx -importcert -file myCSRreply.cer -alias mykeypair
Question
How do I import the CSR reply back into my key-pair via command line such that it's going to take the thumbprint and the issuer of the CSR reply as the new attributes of my original key-pair? (I'm just assuming this is the expected outcome because when I generate JWT using the private key that takes its thumbprint, authentication fails)
Is CSR reply really meant to alter the thumbprint and issuer attributes of the key-pair in which the CSR was generated from?
The command you're executing is fine. You don't have the complete certificate chain for the new certificate.
When you generated the mykeypair key pair, keytool wrapped mykeypair's public key in a self-signed certificate. (That's why you had to provide its expiration date and other details during generation.) As a result, it forms a complete certificate chain by itself; it's a root certificate. keytool always wants a complete certificate chain for every certificate.
When you attempt to import the CSR reply, you're importing a new certificate. At this time, keytool will try to build a certificate chain for it. keytool will search the key store and trust store until it reaches a trusted root certificate. If it can't do that, the import will fail.
Read the following documentation:
Import a Certificate for the CA
You now need to replace the self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.
Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file. See -importcert in Commands.
If the certificate reply is a certificate chain, then you need the top certificate of the chain. The root CA certificate that authenticates the public key of the CA.
If the certificate reply is a single certificate, then you need a certificate for the issuing CA (the one that signed it). If that certificate is not self-signed, then you need a certificate for its signer, and so on, up to a self-signed root CA certificate.
...
You import a certificate for two reasons: To add it to the list of trusted certificates, and to import a certificate reply received from a certificate authority (CA) as the result of submitting a Certificate Signing Request to that CA (see the -certreq option in Commands).
keytool Documentation

Is Self-Signed IdentityServer4 signing credential good enough in production?

We are using IdentityServer4 and our version loads the signing key from a PFX file in file system or from the windows certificate store. Using the certificate works. The question is - which certificate issuer should be used in production?
Is a certificate from a public CA recommended? Or is it enough to have a self-signed certificate (without a CA at all) such as it can be created with IIS Manager?
In our tests we have found that the client could still validate the signature in the access token, even if the signing certificate would not have a valid CA chain on the client.
In the docs, it says that you can also use raw key material instead of a certificate:
http://docs.identityserver.io/en/latest/topics/crypto.html#token-signing-and-validation
In this scenario there would be no CA chain whatsoever.
That leads me to the assumption, that when the client loads the public signing key (via the HTTP(s) endpoint), the CA chain information might not be passed anyways. Is that right? Through the loading mechanism via HTTPs you also have a combined security mechanism.
So my conclusion is that for the signing credential a self-signed cert is just as safe as one from VeriSign. Can this be confirmed?
There is no certificate involved in signing and verifying the tokens. Only a private and public key (RSA or ECDSA key).
However a certificate can be useful to "import/transport" the keys into .NET. So, because of that we don't care about who issued the certificate.
When importing the key, one approach is to bundle the certificate that holds the public key + the private key and store it in a PKCE#12 file (.pfx/.p12 extension). Then load that file into .NET. Before .NET 5 working with keys was a bit hard.
The more important thing is that you can manage and deploy the private key in a secure way and that it is persisted over time.
Optionally, you can add support for key-rotation.

Alexa Echo Beta SDK - Certificate issue

Amazon recently release Echo Alexa toolkit.
I received, registered my app. Alexa clearly recognizes my app exists. However it gives this error
Request Identifier:
amzn1.echo-api.request.d969c196-8b3e-4169-99c8-20f566889760 The
certificate does not have a path to a trusted authority. This happens
if you are using a self signed certificate. Voice feedback Echo heard:
"alexa start myapp"
I verified my COMODO CA (COMODO RSA Certification Auth) is on the list of authorized CA. I ensured my certificate bundle was valid.
Is there anything specific I need to ensure my bundle.crt is in the correct order for Alexa? (there is no mention that .com is required, I am using .net)
these my COMODO filenames.
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
mydomain-net.crt
ssl-bundle.crt
stn.private.key
Excited to get this to work ... please help
SA
I am now able to communicate with Alexa without issues. the source of the problem was the order of the certs and the incorrect directives in SSL and HTTP config files for apache.
I used
openssl s_client -connect 192.237.1.1:443
to verify that the certificate
Verify return code: 0 (ok)
Initially I was able to confirm the error by code and searched and fixed it.