我们正在 Kubernetes 上开发一个微服务应用程序。微服务之一是 IdentityServer 实例。最初,我想在 Docker 上本地测试该解决方案以确保它有效。为此,我想将证书复制到 appsettings.json。最终,该值将被 Kubernetes 机密替换。在我的启动课程中,这就是我尝试加载证书的方式:
services.AddIdentityServer()
.AddSigningCredential(GetIdentityServerCertificate())
.AddConfigurationStore(...
private X509Certificate2 GetIdentityServerCertificate()
{
var clientSecret = Configuration["Certificate"];
var pfxBytes = Convert.FromBase64String(clientSecret);
var certificate = new X509Certificate2(pfxBytes, "PasswordHere");
return certificate;
}
证书是我使用 openssl 生成的:
openssl req –newkey rsa:2048 –nodes –keyout XXXXX.key –x509 –days 365 –out XXXXX.cer
openssl pkcs12 –export –in XXXX.cer –inkey XXXX.key –out XXXX.pfx
然后我使用以下方法获得证书:
$pfxFilePath = 'C:\XXXX.pfx'
$pwd = 'PasswordHere'
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
我获取$fileContentEncoded值并将其粘贴到appsettings.json.
当我调试它时,结果是:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure当我尝试X509Certificate2使用上述方法创建对象时。