I don’t really like the term “token signing certificate” because it sounds so soft. You have a private key (as part of the certificate), and everyone knows that you must protect your private keys!
I would not save this in your application files. If someone receives the source code, they should also not receive the keys to your confidential data (if someone has your signature certificate, they can generate any token that they like and pretend to be one of your users).
Add 2 AWS NuGet packages:
- AWSSDK.Extensions.NETCORE.Setup
- AWSSDK.SimpleSystemsManagement
Create 2 parameters in the AWS SSM Parameter Store:
- /MyApp/Staging/SigningCertificate - the .pfx file, Base64-encoded
- /MyApp/Staging/SigningCertificateSecret - the .pfx password

Then:
using System;
using System.Security.Cryptography.X509Certificates;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Loads the token signing certificate from SSM instead of from the application files.
private X509Certificate2 GetSigningCertificate()
{
    // Uses the AWS options from appsettings (region, profile); credentials come from the default chain.
    var awsOptions = Configuration.GetAWSOptions();
    var ssmClient = awsOptions.CreateServiceClient<IAmazonSimpleSystemsManagement>();

    // WithDecryption = true is required for SecureString parameters; the caller needs kms:Decrypt on the key.
    // Blocking on the task is acceptable here because ConfigureServices is synchronous.
    var res = ssmClient.GetParametersByPathAsync(new GetParametersByPathRequest
    {
        Path = "/MyApp/Staging",
        WithDecryption = true
    }).GetAwaiter().GetResult();

    var base64EncodedCert = res.Parameters.Find(p => p.Name == "/MyApp/Staging/SigningCertificate")?.Value;
    var certificatePassword = res.Parameters.Find(p => p.Name == "/MyApp/Staging/SigningCertificateSecret")?.Value;

    // Fail fast with a clear message rather than a NullReferenceException deep in the startup path.
    if (base64EncodedCert == null || certificatePassword == null)
        throw new InvalidOperationException("Signing certificate parameters not found in SSM under /MyApp/Staging");

    // The .pfx was stored Base64-encoded; decode it and open it with its password.
    byte[] decodedPfxBytes = Convert.FromBase64String(base64EncodedCert);
    return new X509Certificate2(decodedPfxBytes, certificatePassword);
}

public void ConfigureServices(IServiceCollection services)
{
    var identityServerBuilder = services.AddIdentityServer();
    var signingCertificate = GetSigningCertificate();
    identityServerBuilder.AddSigningCredential(signingCertificate);
}
, / IAM EC2, SSM.
: - SSL- beanstalk . S3. AWS : Amazon S3
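The answer describes creating the two SSM parameters but does not show it. The following is an added example, not code from the answer or from IdentityServer, that writes the Base64-encoded .pfx and its password as SecureString parameters with the same AWSSDK.SimpleSystemsManagement package and then reads them back the way the answer's GetSigningCertificate does; the file name "signing.pfx" and the stage name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

public static class SigningCertificateParameters
{
    // Stores the certificate and its password under /MyApp/{stage} as SecureString parameters.
    // Assumed inputs: a local .pfx path and its password (e.g. "signing.pfx" from an offline key store).
    public static async Task UploadAsync(string pfxPath, string pfxPassword, string stage = "Staging")
    {
        // Credentials come from the default chain (profile, environment, or instance role); nothing is hard-coded.
        using var ssm = new AmazonSimpleSystemsManagementClient();
        string prefix = $"/MyApp/{stage}";

        // The .pfx is binary, so it is Base64-encoded to match Convert.FromBase64String in the answer.
        string base64Pfx = Convert.ToBase64String(File.ReadAllBytes(pfxPath));

        // SecureString values are encrypted at rest with KMS (the account's default SSM key unless KeyId is set).
        // Standard-tier values are limited to 4 KB; a Base64 .pfx with a chain can exceed that, so use Advanced (8 KB).
        await ssm.PutParameterAsync(new PutParameterRequest
        {
            Name = $"{prefix}/SigningCertificate",
            Type = ParameterType.SecureString,
            Value = base64Pfx,
            Tier = ParameterTier.Advanced,
            Overwrite = true // allows rotating the certificate in place
        });
        await ssm.PutParameterAsync(new PutParameterRequest
        {
            Name = $"{prefix}/SigningCertificateSecret",
            Type = ParameterType.SecureString,
            Value = pfxPassword,
            Overwrite = true
        });
    }

    // Reads both parameters back (as the answer does at startup) and returns the certificate thumbprint,
    // so the upload can be verified against the local file before the application depends on it.
    public static async Task<string> VerifyAsync(string stage = "Staging")
    {
        using var ssm = new AmazonSimpleSystemsManagementClient();
        var res = await ssm.GetParametersByPathAsync(new GetParametersByPathRequest
        {
            Path = $"/MyApp/{stage}",
            WithDecryption = true // the caller needs ssm:GetParametersByPath and kms:Decrypt on the key
        });
        string pfx = res.Parameters.Find(p => p.Name.EndsWith("/SigningCertificate")).Value;
        string pwd = res.Parameters.Find(p => p.Name.EndsWith("/SigningCertificateSecret")).Value;
        using var cert = new X509Certificate2(Convert.FromBase64String(pfx), pwd);
        return cert.Thumbprint;
    }
}
```

Compare the thumbprint returned by VerifyAsync with the one shown for the local .pfx (for example by `certutil` or `openssl`) to confirm that the parameter holds the intended certificate.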