Version: 2024

Token certificates in Azure

Introduction to token certificates in Azure

When Indicium is used as an OpenID server, it must add a signature to the access token to prove that it was created by an authorized Indicium instance. Indicium automatically creates a certificate that is used to sign the access token if OpenID clients are configured in IAM.

By default, Indicium stores this certificate locally, on the web server. For a single Indicium instance (i.e. not load-balanced) this works fine. When there are multiple Indicium instances, however, the certificate must be stored elsewhere, because all instances must sign with the same certificate. If they do not, access tokens created by instance A will not be accepted by instance B (or vice versa). Should the certificate be lost or replaced, all existing access tokens become unusable, but the third party can simply request new ones.

This manual describes how to centralize the storage of this certificate in Azure.

When using Indicium on Azure, the signing certificate must be stored in a Key Vault.

Create a Key Vault for certificates

  1. Create a Key Vault on the Azure Portal.

  2. Add an "Access Policy" to it that grants the Indicium Web App access.

  3. Select the Identity menu in the Indicium Web App.

  4. Make sure the System assigned identity is switched on.

  5. In the Key Vault, select +Add Access Policy from the Access Policy menu on the left-hand side.

  6. In the Secret permissions field, select the "Get" permission.

  7. In the Certificate permissions field, select the "Import" permission.

  8. In the Select principal field, select your Indicium Web App.

  9. Click Add. You are automatically returned to the Access Policy screen.

  10. Click Save to save the new access policy.

Figure: Add access policy

Add certificate settings to Indicium

To use the newly created Key Vault, you must set the KeyVaultCertificateUrl setting in the Indicium Web App.

In the appsettings.json configuration file, this KeyVaultCertificateUrl setting can be configured directly:

  "OpenIDServerSigningSettings": {
    "AzureKeyVault": {
      "KeyVaultCertificateUrl": "<key vault certificate url>"
    }
  }

Alternatively, you can store this setting in the App Service:

  1. In the App Service, select Settings > Configuration from the menu.

  2. Add the following Application settings:

Name: OpenIDServerSigningSettings:AzureKeyVault:KeyVaultCertificateUrl

Value: https://<name-of-the-key-vault>.vault.azure.net/certificates/<openid-server-certificate-name>

The last part of the URL, <openid-server-certificate-name>, is the name you choose for the certificate. This is the name under which it appears in the Azure Key Vault once Indicium has created it. Indicium creates the certificate only if OpenID clients are configured in IAM.

  1. To allow Indicium to generate the certificate, add the setting website_load_certificates with value "*".

  2. Restart Indicium. This is required to automatically create the signing certificate.
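The Key Vault steps above and the App Service settings can also be applied from a script. The following Bash script is an added example, not part of Thinkwise's documentation or the Indicium product; it uses the Azure CLI (az) to do what the portal steps describe. The resource group, location, vault name, Web App name and certificate name are assumed values, and by default the script only prints the commands it would run (set DRY_RUN=0 to apply them). The certificate_url and valid_certificate_url helpers build and check the KeyVaultCertificateUrl value in exactly the shape this page gives.

```shell
#!/usr/bin/env sh
# Added example (not Thinkwise's own script): provisions the Key Vault access
# for the Indicium Web App with the Azure CLI. All resource names are assumptions.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-indicium}"      # assumed
LOCATION="${LOCATION:-westeurope}"                    # assumed
VAULT_NAME="${VAULT_NAME:-kv-indicium-signing}"       # assumed
WEBAPP_NAME="${WEBAPP_NAME:-app-indicium}"            # assumed
CERT_NAME="${CERT_NAME:-openid-server-signing}"       # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az commands, 0 = run them

# Value for OpenIDServerSigningSettings:AzureKeyVault:KeyVaultCertificateUrl,
# in the form https://<name-of-the-key-vault>.vault.azure.net/certificates/<certificate-name>
certificate_url() {
  printf 'https://%s.vault.azure.net/certificates/%s' "$1" "$2"
}

# Check a URL before it is written into the App Service settings: it must have
# the shape above, with a non-empty vault name, a non-empty certificate name and
# no extra path segments (for example no version suffix appended to the name).
valid_certificate_url() {
  case "$1" in
    https://*.vault.azure.net/certificates/*) ;;
    *) return 1 ;;
  esac
  rest="${1#https://}"
  vault="${rest%%.vault.azure.net/*}"
  name="${rest#*/certificates/}"
  [ -n "$vault" ] && [ -n "$name" ] && [ "${name%%/*}" = "$name" ]
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+'; printf ' %s' "$@"; printf '\n'
  else
    "$@"
  fi
}

provision() {
  # Step 1: the Key Vault itself.
  run az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" --location "$LOCATION"

  # Steps 3-4: system-assigned managed identity on the Indicium Web App.
  run az webapp identity assign --name "$WEBAPP_NAME" --resource-group "$RESOURCE_GROUP"
  if [ "$DRY_RUN" = 1 ]; then
    principal_id='<principal-id-of-the-web-app-identity>'
  else
    principal_id=$(az webapp identity show --name "$WEBAPP_NAME" --resource-group "$RESOURCE_GROUP" \
      --query principalId -o tsv)
  fi

  # Steps 5-10: access policy with only the two permissions the page lists,
  # "Get" on secrets and "Import" on certificates, for that identity.
  run az keyvault set-policy --name "$VAULT_NAME" --object-id "$principal_id" \
    --secret-permissions get --certificate-permissions import

  # App Service settings: the certificate URL and website_load_certificates="*".
  url=$(certificate_url "$VAULT_NAME" "$CERT_NAME")
  valid_certificate_url "$url" || { echo "refusing to write malformed URL: $url" >&2; return 1; }
  run az webapp config appsettings set --name "$WEBAPP_NAME" --resource-group "$RESOURCE_GROUP" \
    --settings "OpenIDServerSigningSettings:AzureKeyVault:KeyVaultCertificateUrl=$url" \
               "WEBSITE_LOAD_CERTIFICATES=*"

  # Restart so Indicium creates the signing certificate in the vault.
  run az webapp restart --name "$WEBAPP_NAME" --resource-group "$RESOURCE_GROUP"
}

provision
```

The access policy deliberately grants only Get on secrets and Import on certificates, the minimum the page asks for; Indicium reads the certificate's private key through the secret endpoint and writes the certificate it generates through the certificate endpoint, and nothing in the vault beyond that is exposed to the Web App identity. The URL check rejects a versioned certificate identifier because Indicium creates the certificate itself on restart, so no version exists yet when the setting is written.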
