Generating OpenIddict Certificates

To configure OpenIddict with encryption and signing certificates, follow these steps to generate the necessary files.

1. Generate Private Keys

Create RSA private keys for both encryption and signing.

```bash
openssl genrsa -out encrypt.key 2048
openssl genrsa -out signing.key 2048
```

2. Create Self-Signed Certificates

Generate X.509 certificates using the private keys created above. Adjust the -subj fields as necessary for your organization.

```bash
# Encryption Certificate
openssl req -x509 -new -nodes \
    -key encrypt.key \
    -sha256 \
    -days 365 \
    -out encrypt-certificate.crt \
    -subj "/C=VN/ST=Da Nang/L=Da Nang/O=BanTool/CN=prod.bantool.net"

# Signing Certificate
openssl req -x509 -new -nodes \
    -key signing.key \
    -sha256 \
    -days 365 \
    -out signing-certificate.crt \
    -subj "/C=VN/ST=Da Nang/L=Da Nang/O=BanTool/CN=prod.bantool.net"
```

3. Export to PFX (PKCS#12)

Combine the key and certificate into a .pfx file. Replace YOUR_STRONG_PASSWORD with a secure password. Passing it as pass:... puts the password in your shell history and in the process list while openssl runs; -passout env:PFX_PASSWORD or -passout file:/path/to/passfile reads it from an environment variable or a file instead.

```bash
# Encryption key + certificate -> encrypt.pfx
openssl pkcs12 -export \
    -out encrypt.pfx \
    -inkey encrypt.key \
    -in encrypt-certificate.crt \
    -passout pass:YOUR_STRONG_PASSWORD   # or env:PFX_PASSWORD / file:passfile

# Signing key + certificate -> signing.pfx
openssl pkcs12 -export \
    -out signing.pfx \
    -inkey signing.key \
    -in signing-certificate.crt \
    -passout pass:YOUR_STRONG_PASSWORD   # or env:PFX_PASSWORD / file:passfile
```

4. Base64 Encode (Optional)

If you need to store these certificates in environment variables or secrets managers (like Azure Key Vault or Kubernetes Secrets), encode the .pfx files to Base64 strings.

```bash
# -i names the input file on macOS. On GNU/Linux base64, -i means --ignore-garbage
# (ignored when encoding) and the file is taken as a positional argument; there,
# use "base64 -w 0 encrypt.pfx" to avoid the 76-column line breaks that some
# secret stores and environment variables do not accept.
base64 -i encrypt.pfx > encrypt.pfx.base64.txt
base64 -i signing.pfx > signing.pfx.base64.txt
```
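Before the Base64 strings go into a secret store, it is worth confirming that each set of files is consistent. The script below is an added check, not part of the original guide: it verifies that the private key matches the certificate, that the certificate has not expired, that the PFX opens with the password, and that the Base64 copy decodes to the same bytes. It assumes openssl and base64 are on PATH and uses the file names from the steps above.

```bash
#!/usr/bin/env bash
# Added verification script (not part of the original guide): checks that a
# generated key/certificate/PFX set is consistent before it goes into a secret store.
# Assumes openssl and base64 are on PATH; file names follow the steps above.
set -euo pipefail

# The public key derived from the private key must equal the one in the certificate.
key_matches_cert() {
    local key="$1" crt="$2" from_key from_crt
    from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    from_crt=$(openssl x509 -in "$crt" -pubkey -noout \
               | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$from_key" = "$from_crt" ]
}

# -checkend 0 fails if the certificate's notAfter is already in the past.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# The PFX must open with the given password (MAC check) and contain a private key.
pfx_opens_with() {
    local pfx="$1" password="$2"
    openssl pkcs12 -in "$pfx" -passin "pass:$password" -nocerts -nodes -noout >/dev/null 2>&1
}

# Decoding the Base64 copy must yield byte-identical PFX content.
base64_roundtrips() {
    local pfx="$1" b64="$2"
    [ "$(base64 -d < "$b64" | openssl dgst -sha256)" = "$(openssl dgst -sha256 < "$pfx")" ]
}

# All four checks for one key/cert/pfx set; returns non-zero on the first failure.
verify_openiddict_pair() {
    local key="$1" crt="$2" pfx="$3" password="$4" b64="$5"
    key_matches_cert "$key" "$crt" &&
        cert_not_expired "$crt" &&
        pfx_opens_with "$pfx" "$password" &&
        base64_roundtrips "$pfx" "$b64"
}

# Usage, from the directory holding the generated files (PFX_PASSWORD is assumed
# to hold the password used in step 3):
#   verify_openiddict_pair signing.key signing-certificate.crt signing.pfx \
#       "$PFX_PASSWORD" signing.pfx.base64.txt
```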