我应该使用什么证书存储来存储用于签名/加密JWT令牌的证书?

时间:2023-02-02 18:14:50

I'm adding support for JWT tokens in my Web Application, and I have an X509 certificate which it needs for signing those tokens.

我在我的Web应用程序中添加了对JWT令牌的支持,并且我有一个签署这些令牌所需的X509证书。

I have rejected the idea of using the same certificate we use for HTTPs (see Can I use the Private Key Certificate of Web App to sign JWT?).

我拒绝使用我们用于HTTP的相同证书的想法(请参阅我可以使用Web应用程序的私钥证书来签署JWT吗?)。

I think a self signed certificate should do the trick, in fact I can't see any advantages of a web of trust in this scenario (that doesn't mean there aren't any, I just can't think of any).

我认为自签名证书应该可以做到这一点,事实上我在这种情况下看不到任何信任网的优势(这并不意味着没有任何优势,我根本无法想到)。

The web application runs on a farm of web servers. My current plan is to generate a self signed cert and put the X509 certificate into the certificate store in Windows on each machine. Our IT department are checking, but they think they can roll that out to all the Web Servers in the farm using Group Policy. So this seems like a feasible plan.

Web应用程序在Web服务器场上运行。我目前的计划是生成自签名证书,并将X509证书放入Windows中的证书存储区中。我们的IT部门正在检查,但他们认为可以使用组策略将其推送到服务器场中的所有Web服务器。所以这似乎是一个可行的计划。

The certificate store in windows looks pretty confusing to me. I think there are two options:

Windows中的证书存储看起来很混乱。我认为有两种选择:

1) Put it in "My" store for the user under which the IIS App pool run. There are many app pools, so potentially the certificate will be in many stores.

1)将其放在“我的”商店中,供运行IIS App池的用户使用。有许多应用程序池,因此证书可能存在于许多商店中。

2) Put it under the LocalMachine store, and then grant explicit access to the specific certificate for the IIS user(s).

2)将其放在LocalMachine存储下,然后授予对IIS用户的特定证书的显式访问权限。

3) Something else I can't think of.

3)我无法想到的其他东西。

Is there a "correct" place for these type of certs, and if so where is it?

这些类型的证书是否有“正确”的位置,如果是这样的话,它在哪里?

1 个解决方案

#1


The usual CertificateStore for signing certificates is the My store. I normally place them in LocalMachine location, but it is probably safer to put them in the certificate store for the Application Pool identity itself.

用于签署证书的通常CertificateStore是My store。我通常将它们放在LocalMachine位置,但将它们放在应用程序池标识本身的证书存储中可能更安全。

I would then give the Application Pool read-only access to this certificate only (right click certificate, then 'All Tasks' > 'Manage Private Keys', then add your Application Pool identity and give 'Read' permissions only.

然后,我将仅对应用程序池授予对此证书的只读访问权限(右键单击证书,然后单击“所有任务”>“管理私钥”,然后添加应用程序池标识并仅授予“读取”权限。

#1


The usual CertificateStore for signing certificates is the My store. I normally place them in LocalMachine location, but it is probably safer to put them in the certificate store for the Application Pool identity itself.

用于签署证书的通常CertificateStore是My store。我通常将它们放在LocalMachine位置,但将它们放在应用程序池标识本身的证书存储中可能更安全。

I would then give the Application Pool read-only access to this certificate only (right click certificate, then 'All Tasks' > 'Manage Private Keys', then add your Application Pool identity and give 'Read' permissions only.

然后,我将仅对应用程序池授予对此证书的只读访问权限(右键单击证书,然后单击“所有任务”>“管理私钥”,然后添加应用程序池标识并仅授予“读取”权限。