StarterSTS Documentation

Certificate configuration (certificates.config)

Before you can anything useful with StarterSTS, you have to configure the certificates for token signing and SSL endpoints.

There are three general types of certificates you can specify in this configuration file:

• SSL
  This reference must point to the SSL certificate that is used to protect the STS web site. This certificate is also used to protect all mixed mode security endpoints and WS-Trust metadata.
• SigningCertificate
  This certificate is used to sign all issued tokens (can be the same as SSL).
• BridgedSigningCertificate
  This certificate is used to sign all issued tokens that result from bridged authenticated (e.g. OpenID). You should use a different certificate for bridged authentication than you use for native authentication, so the relying party can distinguish between the two authentication sources.

<certificateReferences>
  <!-- STS signing certificate -->
  <!-- this is always needed (can be the same as the SSL certificate) -->
  <add name="SigningCertificate"
       findValue="586a267558EA22012A68A9774426EB3FF9995AC2"
       x509FindType="FindByThumbprint"
       storeLocation="LocalMachine"
       storeName="My" />

  <!-- certificate used to sign bridged authentication tokens (e.g. OpenID) -->
  <!-- be aware that bridged authentication can usually makes less security guarantees -->
  <!-- so depending on your scenario, this should be a different key than the standard signing key -->
  <add name="BridgedSigningCertificate"
       findValue="83ab8125ffa06ac06a6bff2dae6a51d3092a241f"
       x509FindType="FindByThumbprint"
       storeLocation="LocalMachine"
       storeName="My" />

  <!-- SSL certificate-->
  <!-- this is needed for general SSL protection (web frontend, mixed mode WS-Trust) -->
  <add name="SSL"
       findValue="586A267558EA22012A68A9774426EB3FF9995AC2"
       x509FindType="FindByThumbprint"
       storeLocation="LocalMachine"
       storeName="My" />
</certificateReferences>

Configuration settings

• name
  Must be one of the three well-known names (SSL, SigningCertificate, BridgedSigningCertificate).
• findValue
  Some search value (e.g. a common name or thumbprint).
• findType
  Description of the findValue. Must map to a value of the X509FindType enum (e.g. FindByThumbprint).
• storeLocation and storeName
  Path to the certificate store. Typically LocalMachine and My