Changing signing certificates when using DataProtection

December 28, 2018, by Toby Worth

So I’m setting up IdentityServer 4 and have swapped out the default certificates ‘damienbodserver.pfx’ in the STS host and DataEventRecords API.

Now, this isn't as simple as swapping the files, because the certificate was used to protect data inserted into the database, and that protection is tied to keys stored in a Key Store (either on the filesystem or in the DB).

Trying to load the data back means the protected data will be decrypted as it comes out of the DB, via the repo’s call to DataProtectionProvider.Unprotect().

var unprotectedData = _protector.Unprotect(dataEventRecord.Description);

This method decrypts data on a per-property basis, equating to one database field/column.

So I got an error:
The key {f7d1…} was not found in the key ring.

This error occurs because when the data in the DB is first protected, the key used to protect it is stored in the Key Store. The key is linked to the property being protected and the certificate used to sign the protected keys.

If the certificate changes, the signature changes and can no longer be verified against the stored keys, so the encrypted data in the DB cannot be read. That is by design: it prevents various attacks on the DB, such as copying the DB file or accessing the DB from a faked API instance (one that has DB access but no copy of the certificate and its secret).

Either the data has to be re-seeded or the original certificate has to be used to decrypt the data.
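To show what the re-seed option looks like in practice, here is an added C# example (not code from this post, IdentityServer or the DataEventRecords API): one provider built on the old certificate reads each protected value, and a second provider built on the new certificate re-protects it. The PFX paths and passwords, the key directories, the purpose string and the class name are all placeholders or assumptions.

```csharp
// Added example: re-seed DataProtection-protected columns after a certificate swap.
// Assumes Microsoft.AspNetCore.DataProtection(.Extensions) is referenced; all paths,
// passwords and the purpose string below are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

static class DataEventRecordReseeder
{
    // Must match the purpose string the repository uses when it calls CreateProtector().
    const string Purpose = "DataEventRecords.Description";

    // A key ring persisted to keyDir whose keys are wrapped with the given certificate.
    public static IDataProtector BuildProtector(string keyDir, X509Certificate2 cert)
    {
        var provider = DataProtectionProvider.Create(new DirectoryInfo(keyDir), cert);
        return provider.CreateProtector(Purpose);
    }

    // Decrypts with the old key ring and re-encrypts with the new one.
    // Returns null when the old certificate cannot unwrap the key that protected the value,
    // which is the "key {…} was not found in the key ring" situation from the post.
    public static string Reseed(IDataProtector oldProtector, IDataProtector newProtector, string cipherText)
    {
        try
        {
            var plain = oldProtector.Unprotect(cipherText);
            return newProtector.Protect(plain);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    static void Main()
    {
        var oldCert = new X509Certificate2("damienbodserver.pfx", "<old-pfx-password>");
        var newCert = new X509Certificate2("<new-cert>.pfx", "<new-pfx-password>");
        var oldProtector = BuildProtector("keys-old", oldCert); // existing key store
        var newProtector = BuildProtector("keys-new", newCert); // fresh key store for the new cert

        // Constructed sample: one Description value as it would sit in the DB under the old cert.
        var stored = oldProtector.Protect("sample description");
        var migrated = Reseed(oldProtector, newProtector, stored);
        Console.WriteLine(migrated is null ? "old certificate cannot read value" : newProtector.Unprotect(migrated));
    }
}
```

Run this once per protected column before retiring the old PFX; a provider built on the new certificate but pointed at the old key directory reproduces the key-ring error, because it cannot unwrap the stored keys.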

Follow up: How to decrypt protected data without installing the certificate