I can’t remember how many times I’ve had to generate a new self-signed certificate for token signing when developing IdentityServer solutions, always going back to the same Google Doc that I wrote years ago, containing a makecert script I pieced together from a collection of other articles. So, even though there is a silly number of these articles already, I’ve decided to put it online, where I don’t need Google Docs access to view it!
This approach is a lot more UI-driven for passwords and export processes, but I’ve had more consistent results doing this than trying to include passwords and export filenames within the commands.
Yes, this can also be used for TLS, though I only do this for my development virtual machines, after all using Let’s Encrypt isn’t that awkward.
Creating a Self-Signed Certificate for Token Signing
First, we’ll make our own CA to create our signing certificates with. Keep hold of this CA, as certain client applications and relying parties will need to install it in order to validate the entire certificate chain if they cannot read metadata documents (I’m looking at you, SharePoint).
makecert -r -pe -n "CN=ScottBrady91Root" -a sha512 -sky signature -cy authority -sv ScottBrady91Root.pvk -len 4096 -e 01/04/2099 ScottBrady91Root.cer
Now let’s create a certificate using our CA.
makecert -pe -n "CN=ScottBrady91" -a sha512 -len 4096 -sky exchange -ic ScottBrady91Root.cer -iv ScottBrady91Root.pvk -sv ScottBrady91.pvk ScottBrady91.cer
Now we need to package the private key from the .pvk together with the certificate into a PFX file, so let’s do that using the pvk2pfx tool, making sure you choose to export the private key when prompted.
pvk2pfx -pvk ScottBrady91.pvk -spc ScottBrady91.cer
And that’s all there is to it! There are arguments for and against long-lived certificates for token signing, so make sure you use a lifetime that makes sense to you and your organization’s certificate policy.
All of these tools are available in the Visual Studio Developer Command Prompt.
Windows Certificate Store
If you’re going to be installing your certificates, make sure you do the following:
- CA: Installed in your Local Machine’s Trusted Root Certification Authorities store
- PFX: Installed in your Local Machine’s Personal store, with private keys set to exportable
- IIS Permissions: If applicable, give your IIS site permissions for the private key (right click certificate > All Tasks > Manage Private Keys)
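As an added example (not the post’s own script), here is the same CA, signing certificate and PFX flow, plus the store placement from the checklist above, written with the PowerShell PKI module (New-SelfSignedCertificate, Export-PfxCertificate, Import-Certificate), which Microsoft documents as the replacement for the deprecated makecert and pvk2pfx. The output folder, the five-year lifetime for the signing certificate and the chain check at the end are my assumptions, not anything the post specifies.

```powershell
# Added example (not the post's own script): CA -> signing cert -> stores -> PFX,
# using the PowerShell PKI module in place of makecert/pvk2pfx. Run elevated.
# Output folder, signing-cert lifetime and the final chain check are assumptions.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA: Basic Constraints CA=true, certificate-signing key usage, far-off expiry
#    (2099-04-01 matches the post's -e 01/04/2099 read as a UK date).
$ca = New-SelfSignedCertificate -Subject 'CN=ScottBrady91Root' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA512 `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -NotAfter (Get-Date '2099-04-01') -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Token-signing certificate issued by that CA (-Signer replaces makecert's -ic/-iv).
$signing = New-SelfSignedCertificate -Subject 'CN=ScottBrady91' -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA512 `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. The CA's public .cer goes to relying parties and into Trusted Root here,
#    so the chain validates before anything is exported.
Export-Certificate -Cert $ca -FilePath "$outDir\ScottBrady91Root.cer" | Out-Null
Import-Certificate -FilePath "$outDir\ScottBrady91Root.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. PFX exports (private keys included): one for IdentityServer, one to keep the CA
#    key offline. The password is prompted rather than placed on the command line.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $signing -FilePath "$outDir\ScottBrady91.pfx"     -Password $pfxPassword | Out-Null
Export-PfxCertificate -Cert $ca      -FilePath "$outDir\ScottBrady91Root.pfx" -Password $pfxPassword | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($ca.Thumbprint)" -DeleteKey   # CA key no longer on this box

# 5. Verify the 'Windows Certificate Store' checklist: private key present in
#    Personal, and the chain builds to the trusted root.
$installed = Get-Item "Cert:\LocalMachine\My\$($signing.Thumbprint)"
if (-not $installed.HasPrivateKey) { throw 'Signing certificate has no private key' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # dev CA publishes no CRL
if (-not $chain.Build($installed)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
"OK: $($installed.Subject) issued by $($installed.Issuer), expires $($installed.NotAfter)"
```

The IIS private-key permission step from the checklist is still done in certlm.msc (Manage Private Keys) after the script has run.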