Published on

Sitefinity Signing certificate not configured


When you first install 13.2 and log into the backend there’s now a big dashboard message that says

System errors
Signing certificate not configured: Identity server signing certificate has not been configured. You are using the default certificate. Configure your own certificate to prevent security risks.

It links to the following documentation page but as of this post, the docs have none of this information, it’s just “Fill these out”.

So this comes from Evgeni Viyachev from the team.

To add some clarity - there is a default built-in signing certificate embedded in the Identity Server source code that Sitefinity uses for authentication. This certificate is intended to be used only for development and testing purposes, not in Production environments. Hence, the Dashboard Status widget produces the warning/error message about the signing certificate in case a custom valid certificate has not been configured.

In your case, the valid LetsEncrypt certificate could not be found by Sitefinity and that is why the error message in the Status widget persisted. The code my colleague provided simply searches for a certificate with the provided subject name across all stores and locations in the system in order to confirm what values should be selected in the Sitefinity settings. Once it finds where the certificate is placed in the system, it returns the store name and its location. These are the values that should be input in Sitefinity (by selecting them from the respective dropdowns). Once these correct values are selected (and the correct subject name is input) and the system is restarted, Sitefinity will start using the new certificate instead of the default Identity Server certificate and the warning/error message will go away.

If the warning/error message is not present anymore, that means that the test certificate is no longer used. Therefore, you have input the correct values in the Sitefinity settings - the correct certificate has been picked up by the system. This is guaranteed because by default, if the values are incorrect and Sitefinity cannot find the certificate in the selected store name and location, it always falls back to the test certificate and the message comes up. Not having the message in the dashboard is the way to validate that the right certificate is being used.

I followed up asking how do we know it’s been configured properly

If there is nothing configured explicitly or if the settings are incorrect and the certificate cannot be found, there is the discussed warning in the Status widget. However, there are no other exceptions or malfunctions. This is because Sitefinity falls back to the embedded Identity Server certificate in that case. So, in the worst-case scenario, the built-in IdSrv test certificate is used, therefore there is never a symptom of the login not working.

Here’s the code to check your certs to find the proper values to use in the config