Thinktecture IdentityServer v3 Guidance

Updated: 2024-10-28 14:21:46

Problem description

I am working up a demo of Thinktecture IdentityServer v3. The intention is to have the identity server run as its own website under Azure Websites.

There will be other (more than one) Azure Websites that will use the identity server to authenticate users.

Based on the getting started walkthrough (see github/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started) I have this mostly working.

Where I am having trouble is with the certificates.

For the demo, I'd like to create my own certificate - but I am unsure of what I need to do. Any guidance would be helpful.

I have some additional questions on this:

  • Are self-signed certificates able to be used?
  • In a production scenario, would self-signed certificates be acceptable, or would they really need to be signed by a trusted root authority?
  • How would these certificates be installed into an Azure Website (or can I load from disk)

Recommended answer

    Well - strictly speaking you need two certificates - one for SSL and one for signing - technically they could be the same - but don't have to be. They also have different requirements.

    For SSL - you need to have a cert that is in the trusted list of your clients. Typically this is either a cert from a commercial CA - or from an internal PKI.

    For the signing cert - you can generate your own - e.g. using makecert.

    IdSrv is pretty flexible in loading certs - you can retrieve them from arbitrary sources - typically from the Windows certificate store (when you have admin level access to the server) - or the file system, or from an embedded resource.

    Our sample host uses the embedded resource approach which does work fine for Azure WebSites. For production scenarios you typically want more flexibility (e.g. for roll over) - so I would look into loading it from e.g. blob storage.
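
As an added illustration of the loading options the answer mentions (not code from the original post or from the IdentityServer project), the following C# helper loads a signing certificate from an embedded resource or from the Windows certificate store and rejects one that cannot be used for signing. The class name, the resource name and the password parameter are hypothetical.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;

// Added example; SigningCertificateLoader and its parameters are hypothetical names.
public static class SigningCertificateLoader
{
    // Embedded resource: the PFX is compiled into the assembly, so no store access is needed.
    public static X509Certificate2 FromEmbeddedResource(Assembly assembly, string resourceName, string password)
    {
        using (Stream stream = assembly.GetManifestResourceStream(resourceName))
        using (var buffer = new MemoryStream())
        {
            if (stream == null)
                throw new FileNotFoundException("Embedded resource not found: " + resourceName);
            stream.CopyTo(buffer);
            // MachineKeySet: key import does not depend on a loaded user profile (assumed absent on the host).
            return EnsureUsableForSigning(
                new X509Certificate2(buffer.ToArray(), password, X509KeyStorageFlags.MachineKeySet));
        }
    }

    // Windows certificate store: for servers where you can install the certificate yourself.
    public static X509Certificate2 FromStore(string thumbprint, StoreLocation location)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, because a self-generated signing cert does not chain to a trusted root.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + thumbprint);
            return EnsureUsableForSigning(matches[0]);
        }
        finally { store.Close(); }
    }

    // Reject certificates that cannot sign tokens: missing private key or outside the validity window.
    private static X509Certificate2 EnsureUsableForSigning(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException("Signing certificate is outside its validity period.");
        return cert;
    }
}
```

The returned certificate is what the host would assign to `IdentityServerOptions.SigningCertificate` in its startup code.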

Published: 2023-10-31 00:44:30
Article link: https://www.elefans.com/category/jswz/34/1544490.html