
Unable to sign security tokens with certificate in WIF scenario

I'm trying to implement a custom STS for a WIF scenario I'm investigating, but it's failing. It's failing when trying to obtain the private key from the certificate used to sign the tokens. I create the STS with the following configuration:

// WIF 3.5 (Microsoft.IdentityModel) namespaces used by the configuration below
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.SecurityTokenService;

// Load the signing certificate from the PFX file (no password, default key storage flags)
var signingCert = new X509Certificate2(@"C:\<path>\MySigningCertificate.pfx");
var config
    = new SecurityTokenServiceConfiguration()
    {
        DisableWsdl = true,
        TokenIssuerName = "Tribold",
        SecurityTokenService = typeof(TriboldSecurityTokenService),
        // Issued tokens are signed with this certificate's private key
        SigningCredentials = new X509SigningCredentials(signingCert),
        CertificateValidationMode = X509CertificateValidationMode.Custom,
        CertificateValidator = new CertificateValidator()   // custom validator class
    };

However, with WCF diagnostic logging configured, I get the following message in the Service Trace Viewer:

The private key is not present in the X.509 certificate.

This appears to be logged as the code comes out of my custom STS (i.e., after calling GetOutputClaimsIdentity(...) on my custom STS class), and therefore I can only assume that it's now trying to sign the issued security token and failing because it can't obtain a private key to do so.

The private key appears to be present on the loaded certificate:

Debug.Assert(signingCert.HasPrivateKey == true);

but it fails later on. I'm having no luck resolving this; please help!


It looks like thread "cant use .pfx file for X.509 certificates" in the Geneva (= AD FS 2.0) forums covers the same problem which you report. So the resolution reported there might work, which is "specifying the X509KeyStorageFlags.PersistKeySet flag when initiating the X509Certificate2 object".


I'd be surprised if you didn't have to specify a password when opening a PFX file. X509Certificate2 has overloads that take a password in the form of a string or a SecureString.

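The two answers above point at the same two things: the PFX should be opened with its password, and the key container should be kept with X509KeyStorageFlags.PersistKeySet. The following is an added example (not code from the question or from either answer) that loads a signing PFX that way and then proves the private key is actually usable before handing the certificate to WIF. It assumes .NET Framework 4.5 or later (X509SigningCredentials from System.IdentityModel.Tokens and the RSA GetRSAPrivateKey/GetRSAPublicKey methods from 4.6); on WIF 3.5 the credentials type lives in Microsoft.IdentityModel.SecurityTokenService instead. The PFX path and password are supplied by the caller, and the class, method and probe string are mine.

```csharp
using System;
using System.IdentityModel.Tokens;               // X509SigningCredentials (.NET 4.5+ built-in WIF)
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper: loads an STS signing certificate from a PFX and checks
// that its private key can really sign, instead of trusting HasPrivateKey alone.
public static class SigningCertificateLoader
{
    public static X509Certificate2 LoadSigningCertificate(string pfxPath, string pfxPassword)
    {
        // PersistKeySet: keep the key container on disk after the X509Certificate2
        //   object is collected; without it the key can vanish before the STS
        //   signs the token, which surfaces as "The private key is not present".
        // MachineKeySet: place the container in the machine store so a service
        //   account without a loaded user profile (e.g. an IIS app pool) can use it.
        var flags = X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet;

        // The password overload is required for a password-protected PFX.
        var cert = new X509Certificate2(pfxPath, pfxPassword, flags);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "PFX " + pfxPath + " carries no private key (thumbprint " + cert.Thumbprint + ")");

        // HasPrivateKey only says a key is associated; sign and verify a constructed
        // payload so a missing or mismatched key fails here rather than inside WIF.
        byte[] probe = Encoding.UTF8.GetBytes("constructed signing-key probe");   // constructed input
        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            if (priv == null || pub == null)
                throw new InvalidOperationException("Certificate does not carry an RSA key pair.");

            byte[] signature = priv.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (!pub.VerifyData(probe, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                throw new CryptographicException("Private key does not match the certificate's public key.");
        }

        return cert;
    }

    // The checked certificate is what goes into the STS configuration's SigningCredentials.
    public static X509SigningCredentials CreateSigningCredentials(string pfxPath, string pfxPassword)
    {
        return new X509SigningCredentials(LoadSigningCertificate(pfxPath, pfxPassword));
    }

    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: SigningCertificateLoader <pfx-path> <pfx-password>");
            return 2;
        }

        try
        {
            X509SigningCredentials creds = CreateSigningCredentials(args[0], args[1]);
            Console.WriteLine("Signing key usable; key id: " + creds.SigningKeyIdentifier);
            return 0;
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Signing certificate check failed: " + ex.Message);
            return 1;
        }
    }
}
```

The sign-then-verify probe is the check worth keeping in an STS startup path: HasPrivateKey can be true for a certificate whose key container has already been discarded or is unreadable by the service account, and the failure then appears only when the first token is issued, which is exactly the symptom in the question.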
