Will my tokens still be possible to validate, if I have two different certificates based on the same private key?


For my Identity Server 4, we have two different servers set up to host the application. I asked our operations team to install the same certificate on the two servers. However, they both have received different thumbprints, and the values in the certificates are different in the following fields: kid, x5t, n, and the value in the x5c chain is also different between the two when I load the .well-known/openid-configuration/jwks address. I've posted the keys below. Will this work? I thought the values would be the same for the x5c.0 value if they were based on the same private key.

First key:

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "8366EB61F60720FE0FCC5C0E6BF3E5F8ACC98E2DRS256",
      "x5t": "g2brYfYHIP4PzFwOa_Pl-KzJji0",
      "e": "AQAB",
      "n": "6sYPa_JNapDqcw3KgvlmtbrrCuYCd1sq3R_3Ao1aAW7bHjdN1isphP8eWsCA5WeTDmDSfE1GsN2ri0pyVY8LlqAYznEyqHI1FDVS_d601TMiq_WiMTapnQQKFdw0SF1xLNWVT13QsosgErYq0g7pJvlpYDRRXymU8Arw0LMya6nD2sMbFggYEpqMdT_j7KLiZ6oC_2G5v4VVaMdZOF8ppzUkFFtj4MU4k7J_8zVM1LbCy8vH8uyjxGqCsRzbryDu-yhQmPy1FIXBX4ZZgXy8gB2bLLPtndba9rmSFMq4VbWDjwe2hqAF7X4yvru0bGeu_4mxB10vxO2KPP9Sqaniqw",
      "x5c": [
        "MIIFvDCCA6SgAwIBAgITHQAAADE6PYCZMMXL9QAAAAAAMTANB8VHvcXFg4="
      ],
      "alg": "RS256"
    }
  ]
}

Second key:

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "B2042B75C33612AC9BD31051B2821E5DEB4D0F34RS256",
      "x5t": "sgQrdcM2Eqyb0xBRsoIeXetNDzQ",
      "e": "AQAB",
      "n": "zJiOYj3NhxS4vxte0GtimbMwu6DtFHISguFdlLaroRQaNciqVynyRYJ2v8y5194miwT_K3jtKnh9lSGz93Q7Z500kvmZjS9boqQFn8g-I_02FOUUcLzsJJOTcBGqt6lvja5YlVhdWKG92sq8RizkDm28GV6bdDLh8mbR6GtwyvD2iN7aHs7nE6Z-S5doFlkr4SJ9lUxNMr18WpQHqXvP3Z0lpr8E5DRVv80n5HS7u9uusZvhryOp1QgQGfikCqPc8XNcZ9GyXhtGJkHD-QlpUZVbondHZOCi5IKOUrq7LK4cgILB-zDVIGVpyl0JhhjCCp02wq9kWcgKAvTcb8m8Aw",
      "x5c": [
        "MIIFmjCCA4KgBpvenCRU6YuvZamis9K4OrGuKNK0EwNe1tbPMViVE++/H21P/utQ=="
      ],
      "alg": "RS256"
    }
  ]
}
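The question hinges on which JWKS fields identify the key pair and which identify the certificate wrapped around it. Below is an added example, written in Go against its standard library, that is not part of the question, the answer or IdentityServer4 itself. It generates one RSA key, wraps it in two self-signed certificates (the serial numbers and subject names are constructed values), and derives the same three fields the question compares: n is the RSA modulus and is identical for both certificates because the key is the same, while x5t and kid are thumbprints of the certificate bytes and differ. It then repeats the derivation for a second, unrelated key so that n differs, which is the situation the two dumps above show. The kid format (upper-case hex thumbprint followed by the algorithm name) is taken from the values visible in the dumps, and the example checks that relation against them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyView holds the JWKS fields from the question that a token consumer sees.
type KeyView struct {
	Kid string // upper-case hex SHA-1 of the DER certificate + "RS256" (format seen in the dumps)
	X5t string // base64url SHA-1 of the DER certificate: identifies the certificate
	N   string // base64url RSA modulus: identifies the key pair that signs tokens
}

// selfSignedDER wraps key in a self-signed certificate. Serial and subject are
// constructed values chosen so that each certificate is distinct even for the same key.
func selfSignedDER(key *rsa.PrivateKey, serial int64, cn string) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// viewOf derives kid, x5t and n from a DER certificate the way a JWKS publisher does.
func viewOf(der []byte) (KeyView, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return KeyView{}, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return KeyView{}, errors.New("certificate does not carry an RSA key")
	}
	thumb := sha1.Sum(der)
	return KeyView{
		Kid: strings.ToUpper(hex.EncodeToString(thumb[:])) + "RS256",
		X5t: base64.RawURLEncoding.EncodeToString(thumb[:]),
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
	}, nil
}

// SameSigningKey reports whether two JWKS entries verify the same signatures:
// true exactly when the modulus matches, regardless of what x5t, kid or x5c say.
func SameSigningKey(a, b KeyView) bool { return a.N == b.N }

// KidMatchesX5t checks the relation visible in the question's dumps: kid is the
// upper-case hex of the same thumbprint bytes that x5t carries in base64url, plus "RS256".
func KidMatchesX5t(v KeyView) bool {
	raw, err := base64.RawURLEncoding.DecodeString(v.X5t)
	if err != nil {
		return false
	}
	return v.Kid == strings.ToUpper(hex.EncodeToString(raw))+"RS256"
}

// Scenario builds the two deployments: one key behind two certificates, and two
// unrelated keys. It returns (same n for one key, same x5t for one key, same n for two keys).
func Scenario() (sharedKey, sharedCert, otherKeyShared bool, err error) {
	var keyA, keyB *rsa.PrivateKey
	var derA1, derA2, derB []byte
	var vA1, vA2, vB KeyView
	if keyA, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	if derA1, err = selfSignedDER(keyA, 1, "idsrv-signing-server1"); err != nil {
		return
	}
	if derA2, err = selfSignedDER(keyA, 2, "idsrv-signing-server2"); err != nil {
		return
	}
	if vA1, err = viewOf(derA1); err != nil {
		return
	}
	if vA2, err = viewOf(derA2); err != nil {
		return
	}
	if keyB, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	if derB, err = selfSignedDER(keyB, 3, "idsrv-signing-other"); err != nil {
		return
	}
	if vB, err = viewOf(derB); err != nil {
		return
	}
	sharedKey = SameSigningKey(vA1, vA2) // same private key: n identical, tokens interchangeable
	sharedCert = vA1.X5t == vA2.X5t      // different certificates: thumbprints differ
	otherKeyShared = SameSigningKey(vA1, vB) // unrelated key: n differs, as in the dumps above
	return
}

func main() {
	sharedKey, sharedCert, otherKeyShared, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("one key, two certs -> same n: %v, same x5t: %v\n", sharedKey, sharedCert)
	fmt.Printf("two different keys -> same n: %v\n", otherKeyShared)
}
```

Reading a JWKS with this in mind: when two servers publish different n values, they hold different private keys and a token signed by one cannot be validated against the other's key, whatever the certificate metadata looks like; matching n with differing x5t and x5c is the harmless case of one key wrapped in two certificates.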

1 Answer

Tore Nestenius (accepted answer):

Why don't you use the same signing key certificate with the same private key in both installations of IdentityServer?

You also need to keep in mind that the certificate for the domain name (the server) is separate from the token signing keys.

The token signing key needs to be the same in both instances. To install the private signing key, it can be convenient to wrap it up inside an X509 certificate.

A certificate contains a private key and you can have many certificates based on the same private key. I would use openssl to generate the private signing key for the tokens and keep the domain certificate separate, just to get a clear separation of concern. If you use Azure Key Vault, you can even create and store the keys there directly.