From fd0804525dae66bd62fac298cd4509e383cb9bec Mon Sep 17 00:00:00 2001
From: Sebastian <sebastian@squidex.io>
Date: Thu, 20 Feb 2020 18:12:15 +0100
Subject: [PATCH] Better key management.

---
 .../Squidex.Domain.Users.MongoDb/MongoKey.cs  |  23 ++++
 .../MongoKeyParameters.cs                     |  64 +++++++++
 .../MongoKeyStore.cs                          | 125 ++++++++++++++++++
 .../Config/Cert/IdentityCert.crt              |  29 ----
 .../Config/Cert/IdentityCert.key              |  52 --------
 .../Config/Cert/IdentityCert.pfx              | Bin 5389 -> 0 bytes
 .../Config/IdentityServerServices.cs          |  19 +--
 .../Squidex/Config/Domain/StoreServices.cs    |   3 +
 backend/src/Squidex/Squidex.csproj            |   2 -
 9 files changed, 216 insertions(+), 101 deletions(-)
 create mode 100644 backend/src/Squidex.Domain.Users.MongoDb/MongoKey.cs
 create mode 100644 backend/src/Squidex.Domain.Users.MongoDb/MongoKeyParameters.cs
 create mode 100644 backend/src/Squidex.Domain.Users.MongoDb/MongoKeyStore.cs
 delete mode 100644 backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.crt
 delete mode 100644 backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.key
 delete mode 100644 backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.pfx

diff --git a/backend/src/Squidex.Domain.Users.MongoDb/MongoKey.cs b/backend/src/Squidex.Domain.Users.MongoDb/MongoKey.cs
new file mode 100644
index 000000000..be77f9292
--- /dev/null
+++ b/backend/src/Squidex.Domain.Users.MongoDb/MongoKey.cs
@@ -0,0 +1,23 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using MongoDB.Bson.Serialization.Attributes;
+
+namespace Squidex.Domain.Users.MongoDb
+{
+    public sealed class MongoKey
+    {
+        [BsonId]
+        public string Id { get; set; }
+
+        [BsonElement]
+        public string Key { get; set; }
+
+        [BsonElement]
+        public MongoKeyParameters Parameters { get; set; }
+    }
+}
diff --git a/backend/src/Squidex.Domain.Users.MongoDb/MongoKeyParameters.cs b/backend/src/Squidex.Domain.Users.MongoDb/MongoKeyParameters.cs
new file mode 100644
index 000000000..16dad01cf
--- /dev/null
+++ b/backend/src/Squidex.Domain.Users.MongoDb/MongoKeyParameters.cs
@@ -0,0 +1,64 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Security.Cryptography;
+
+#pragma warning disable IDE0017 // Simplify object initialization
+
+namespace Squidex.Domain.Users.MongoDb
+{
+    public sealed class MongoKeyParameters
+    {
+        public byte[] D { get; set; }
+
+        public byte[] DP { get; set; }
+
+        public byte[] DQ { get; set; }
+
+        public byte[] Exponent { get; set; }
+
+        public byte[] InverseQ { get; set; }
+
+        public byte[] Modulus { get; set; }
+
+        public byte[] P { get; set; }
+
+        public byte[] Q { get; set; }
+
+        public static MongoKeyParameters Create(RSAParameters source)
+        {
+            var mongoParameters = new MongoKeyParameters();
+
+            mongoParameters.D = source.D;
+            mongoParameters.DP = source.DP;
+            mongoParameters.DQ = source.DQ;
+            mongoParameters.Exponent = source.Exponent;
+            mongoParameters.InverseQ = source.InverseQ;
+            mongoParameters.Modulus = source.Modulus;
+            mongoParameters.P = source.P;
+            mongoParameters.Q = source.Q;
+
+            return mongoParameters;
+        }
+
+        public RSAParameters ToParameters()
+        {
+            var parameters = default(RSAParameters);
+
+            parameters.D = D;
+            parameters.DP = DP;
+            parameters.DQ = DQ;
+            parameters.Exponent = Exponent;
+            parameters.InverseQ = InverseQ;
+            parameters.Modulus = Modulus;
+            parameters.P = P;
+            parameters.Q = Q;
+
+            return parameters;
+        }
+    }
+}
diff --git a/backend/src/Squidex.Domain.Users.MongoDb/MongoKeyStore.cs b/backend/src/Squidex.Domain.Users.MongoDb/MongoKeyStore.cs
new file mode 100644
index 000000000..8faec7d51
--- /dev/null
+++ b/backend/src/Squidex.Domain.Users.MongoDb/MongoKeyStore.cs
@@ -0,0 +1,125 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System;
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+using IdentityModel;
+using IdentityServer4.Models;
+using IdentityServer4.Stores;
+using Microsoft.IdentityModel.Tokens;
+using MongoDB.Driver;
+using Squidex.Infrastructure.MongoDb;
+
+namespace Squidex.Domain.Users.MongoDb
+{
+    public sealed class MongoKeyStore : MongoRepositoryBase<MongoKey>, ISigningCredentialStore, IValidationKeysStore
+    {
+        private SigningCredentials? cachedKey;
+        private SecurityKeyInfo[]? cachedKeyInfo;
+
+        public MongoKeyStore(IMongoDatabase database, bool setup = false)
+            : base(database, setup)
+        {
+        }
+
+        protected override string CollectionName()
+        {
+            return "Key";
+        }
+
+        public async Task<SigningCredentials> GetSigningCredentialsAsync()
+        {
+            var (_, key) = await GetOrCreateKeyAsync();
+
+            return key;
+        }
+
+        public async Task<IEnumerable<SecurityKeyInfo>> GetValidationKeysAsync()
+        {
+            var (info, _) = await GetOrCreateKeyAsync();
+
+            return info;
+        }
+
+        private async Task<(SecurityKeyInfo[], SigningCredentials)> GetOrCreateKeyAsync()
+        {
+            if (cachedKey != null && cachedKeyInfo != null)
+            {
+                return (cachedKeyInfo, cachedKey);
+            }
+
+            var key = await Collection.Find(x => x.Id == "Default").FirstOrDefaultAsync();
+
+            RsaSecurityKey securityKey;
+
+            if (key == null)
+            {
+                securityKey = new RsaSecurityKey(RSA.Create(2048))
+                {
+                    KeyId = CryptoRandom.CreateUniqueId(16)
+                };
+
+                key = new MongoKey { Id = "Default", Key = securityKey.KeyId };
+
+                if (securityKey.Rsa != null)
+                {
+                    var parameters = securityKey.Rsa.ExportParameters(includePrivateParameters: true);
+
+                    key.Parameters = MongoKeyParameters.Create(parameters);
+                }
+                else
+                {
+                    key.Parameters = MongoKeyParameters.Create(securityKey.Parameters);
+                }
+
+                try
+                {
+                    await Collection.InsertOneAsync(key);
+
+                    return CreateCredentialsPair(securityKey);
+                }
+                catch (MongoWriteException ex)
+                {
+                    if (ex.WriteError?.Category == ServerErrorCategory.DuplicateKey)
+                    {
+                        key = await Collection.Find(x => x.Id == "Default").FirstOrDefaultAsync();
+                    }
+                    else
+                    {
+                        throw ex;
+                    }
+                }
+            }
+
+            if (key == null)
+            {
+                throw new InvalidOperationException("Cannot read key.");
+            }
+
+            securityKey = new RsaSecurityKey(key.Parameters.ToParameters())
+            {
+                KeyId = key.Key
+            };
+
+            return CreateCredentialsPair(securityKey);
+        }
+
+        private (SecurityKeyInfo[], SigningCredentials) CreateCredentialsPair(RsaSecurityKey securityKey)
+        {
+            cachedKey = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
+
+            cachedKeyInfo = new[]
+            {
+                new SecurityKeyInfo { Key = cachedKey.Key, SigningAlgorithm = cachedKey.Algorithm }
+            };
+
+            return (cachedKeyInfo, cachedKey);
+        }
+    }
+}
diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.crt b/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.crt
deleted file mode 100644
index 1f58f13a9..000000000
--- a/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.crt
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFCzCCAvOgAwIBAgIULb5or4cjujSTMg9dZOFJtUU0h2MwDQYJKoZIhvcNAQEL
-BQAwFTETMBEGA1UEAwwKc3F1aWRleC5pbzAeFw0xOTEwMjUxODAwMzJaFw0yOTEw
-MjIxODAwMzJaMBUxEzARBgNVBAMMCnNxdWlkZXguaW8wggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQDkCBwdntYhthsvwj7TobnKplejrvZvkMT79SGx4tXe
-5eFDpuMGqljMUzZoUaaQsy4mRe/4c9bMmMlpRmIPpJfYAYDxGzSm9N0FjUZqGJPq
-kRNTNKqTPeFwl7vdn+MuveLWyOc+mSYWkPWg9WURdN5yNtDi1IUrcj+XsUqH0AQi
-eEiiQJlSUF8NkdvviGv906uOG/59NwpvCsyHwV3dOR2GFHvi2RIg/M+4d8Vz2AVm
-KvXVoQtxySweXRXNKvoAeKdvQ4prHc0oHo57vhW/nDV++WUGZ7LOnpr4OgIyrvM/
-0LFfSIdgJ2rK/+yKNQLJKZbq0DD942PvQapEC9Xfuuqw1S6wHXgf3CzPuoNX4sDI
-2rIw84AjH0gB7IuwC0DVqcbI++Xv6H3HzpD0i1ONaHztmp5tCx9v6dkJ0ctX6vzC
-SwMxdUerB9XELifOF9CqnSjUzOiAuQ9yTE0iqb6jRu5JTGeKTtmFQ6T0YUuqiPip
-H3zblloGKo3mQbVumvfELb0wTs3Ay0jaczjD0aM3fRKav+6b6Qu+tDnlxL/yPde2
-SMxDwIKIH8eCAa3+8OU9VSZ0+2DS/pu1vXdsXqa5EXJJ7Ej/NyQe+nKjOG/TfeYG
-u+GAO5/pJYE4lWq77hZd9ylm21dbs+X4X3uZFOsGb0BCoQADi/QFwexcz+hOmQuX
-BwIDAQABo1MwUTAdBgNVHQ4EFgQUuLxsPj+ueDfckXVeG6aRFM0KVc0wHwYDVR0j
-BBgwFoAUuLxsPj+ueDfckXVeG6aRFM0KVc0wDwYDVR0TAQH/BAUwAwEB/zANBgkq
-hkiG9w0BAQsFAAOCAgEA0ePG4Xp29yWkDHO2Zp6dG/uVy15sEVpG25VlwEuXzdnb
-VDN1++spoTLZT0HWGs9OZtCkXF2wfFL3C/az5sSn40uXy5UzoHtldEjTchSFX2tN
-ulVbSiEUyxp2xEzbELIPaELhecPUyJMKUTHOLfrLaKWFC26KQK+R5E4mdx0nIZ73
-9GZFDA7okfzqkl3CeLhHfkKrPy/dLcz9doBkca4scSmgJcMQvS2sC7wVrcTtfcsh
-cefQ8hMR4vfVQHl0mU7cHUJR1U7sSrXh/pOjrzX/0k/VGO+pQtDVnT8YZXRx+w0S
-4nRz60nUxIDbad/xld71YV6L3rWYy2/7MIbCb71mszc6SdQtV/+lc3yJJdvNmNtc
-xlpirsI1vr3yfPcuYuS8i0dqPlh7Rn+wlrqFNlu6pgpB5uhVCHXfkf3TATGJpyi3
-lN/f98Du6ZDvsIFk6loWJ/SkRAgX4un3mVEeonDMSaWAHwfPdoMXE5ViCgKLPo+B
-HHM5bmZmUk25mgFoiRYx/jnw2Ym+Vsyw6SI0+kQLLoAfP/pP39rWe+MbSIhhDXC6
-5lP5IebfzEI10PAg9UrgSDShAT2E4fFaMx0mRi0dwhRgBJEW/EEjjXd8+QjXPuPF
-GqU6YTf/rcDQB4cT/GaBkUar3qanmBESAabMoabZ0EDVprwrrfbqx9bDsOz4J9k=
------END CERTIFICATE-----
diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.key b/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.key
deleted file mode 100644
index 2fd9618e8..000000000
--- a/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.key
+++ /dev/null
@@ -1,52 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDkCBwdntYhthsv
-wj7TobnKplejrvZvkMT79SGx4tXe5eFDpuMGqljMUzZoUaaQsy4mRe/4c9bMmMlp
-RmIPpJfYAYDxGzSm9N0FjUZqGJPqkRNTNKqTPeFwl7vdn+MuveLWyOc+mSYWkPWg
-9WURdN5yNtDi1IUrcj+XsUqH0AQieEiiQJlSUF8NkdvviGv906uOG/59NwpvCsyH
-wV3dOR2GFHvi2RIg/M+4d8Vz2AVmKvXVoQtxySweXRXNKvoAeKdvQ4prHc0oHo57
-vhW/nDV++WUGZ7LOnpr4OgIyrvM/0LFfSIdgJ2rK/+yKNQLJKZbq0DD942PvQapE
-C9Xfuuqw1S6wHXgf3CzPuoNX4sDI2rIw84AjH0gB7IuwC0DVqcbI++Xv6H3HzpD0
-i1ONaHztmp5tCx9v6dkJ0ctX6vzCSwMxdUerB9XELifOF9CqnSjUzOiAuQ9yTE0i
-qb6jRu5JTGeKTtmFQ6T0YUuqiPipH3zblloGKo3mQbVumvfELb0wTs3Ay0jaczjD
-0aM3fRKav+6b6Qu+tDnlxL/yPde2SMxDwIKIH8eCAa3+8OU9VSZ0+2DS/pu1vXds
-Xqa5EXJJ7Ej/NyQe+nKjOG/TfeYGu+GAO5/pJYE4lWq77hZd9ylm21dbs+X4X3uZ
-FOsGb0BCoQADi/QFwexcz+hOmQuXBwIDAQABAoICAEQsLIOqfegcMmqHzxKkMhBk
-xKS55REbndiZw5YT886suTjphsvyV5PWeNidOIfgGbb1h7WmpBwMvYJMuXplwcOh
-R3RNpuMXJ5DGWLvVVzt0XeutPiXBBUoNAuxSJbBOsqd17rRnQtzSP6z8UFf0saBB
-xRdbY+jGQj7OkTKjPOk1PrnLSEs0ngZHihJFncuH4a0dr2qt7t+dweIALFi7/5ib
-PSJntSTJkCxdGln0xkByLYbNm8dL1nXJbIAnDhDgAWahMZuukCwjXoOeI5BiWhf4
-5XwRuoJNJpV5eji+1xhIAw8yds6HWkUQWB5FlOyhE25mCY+N0M2xuv6W7zzw+8KL
-gGeF44++Lo4cH7mimfsqofCMeky6NaRSwziEBvwvOf4PEBVeB4t5BhWCTWuhrmBi
-fShFRY1EcdOe2nTnDV9kDKBAta7YKA1c37++OtQPdcMy4qAIUe7Yk5h3GkcnBx5+
-+wwTa+QJAX36iT9+zoxfq02mHTbPD0fkqSmdw4PM+6jkM6xJqXeSU9U4nPerIYxJ
-3Pc2LBAhQ52JQNAHegEVMoL3hFElVohnXCsgAQC4mV5/f8hBfI2gqNZqDjBBn09a
-NfDTMMfL2kCRBdfHtl+FELQ7vYuQ/R8OvU3M48NtFTcbdUfXn9zbGUhugyUr6E62
-6/Ck8k87EXn1nwwpxwpBAoIBAQD+buYwZsvbABjs3kYVNcNC6sWxYAbt9O9gSTw2
-apcKdHEFBCFVjerDl1kFQGLcrAcHBYkcViCpWrIGQiSMQe90Evsgkl61Txtm65KY
-fjjiarYuCPfNU3cMhs7xnGSK7ydGgOHLbjUpOgrJQxVMXQpLhp0DrOGZ0txWuPYO
-bDhb3OqZawEQqcc8GYA32YU/qUK7HitqrLlNo+CQIO4UFbZyh9f99pHayWfa0H/V
-SJ7iUwZKNjRbwd9n0RoxmhADvr9Tca3XFvFsjpFxmuR4a141SVqxy/52ciPA5/e8
-ptRhoEx+jK2pEK16NC7+ut3QS4DFh1T0VkwODE+ycZDwVmNnAoIBAQDlb5cLK58c
-VbKtvXQh7Xaa1cNRI97UHuS1HAj9BWIysITRoRyxhn5Y0HgY2E4i5ZVIR0IAZskk
-x5A3vyPNSi1AA5XCgHB6UCDoMvXr+HSnB05eMwbnIrQL4mEC37/Y9cwI/ZM5D8fG
-aP3zPllDet/8F2ohEfkrggvCztCnPKxO5cZRYpXz9S0dVnyF4tTS8qJ9L9vQqBTk
-gV2jIL5p4n//Z2wcw1Oaigc1KjaM+5yPJs34Yo7WAaJrxvjBIWD4snG2eH+MYEpN
-1ATghut5KZuIVEPzMaxuUk4FdsckunCoCqK/nfbmIot+b35eG7pODxOvnR2JRTb5
-NOaYd041kYthAoIBAQDmVftqIgW3E1V9SpRjqzJEKEokk+xyC+WRY3txP/nQ6y1N
-/zk2PK4lt6RNjsZxRANwpeBEmOwkpQi5hbOUjjR6/pv+FsRKm30RJX6nMs3InBal
-glTjuwXxfzFlpdGXvX3u48qF4hWaZwNQxLxJT4l8ajdHFoF+Qlha4kNPN0WmVE7F
-6QsjzK+jhup+pRtuUIsq3tsrTYbL9OndURJ3eFidQsGVFl1glijA/TRdH8tG1SbC
-lGO+FbtsPu7ZrMGGwm5u2mEocYrKXh7pm/Ht2jWFRA0pHKYXEKmxf87VKKroXrgh
-cLXecky6bveEgCNC6LeBG00bjex4Y0jbINi3211NAoIBAC9ASRIi3LTgLVk8sEMg
-fZGrvnricUysRBvMd0lsp2mbEu99R8SD11eBL4qmWYk0UQc+ragZgwlRFDF26u+n
-fCQ32Mri2sdF41EO1bjQRW30wj4CMkS9z+i2qZYG8KLFFE0xs/VHe7QwAUTsLUQJ
-dUGcrN28rt03/iYTo8Mdarsg9TPjotBISQ9GtYR5T61WDQLNLW8OfqcEwX0MDEsQ
-O54k9Y4C6B/ml09qrytf0kFlE3w5CAOo+INLygU0U51EWsjijhoh5ouaw5peDva4
-C/EKsafPLhzWVH0plh/JSdRBxHzEEooYyTOz0ImfGkJjNoGvUNrpZ0XxkCAMSg4c
-OGECggEBAPlRKngkZoGz10uvloDe8djqpLlR4faNsbuzxeFmGteLl+oUQvCwwGPZ
-/SXpXBAVk9uGzrOpO4irwnBc+Pnx2StwgCC+NpItf37+XmraAarLWj8LQQctwBF3
-aq1pbPgp4pfSeVT+WKsKqFCzKHDsehOubLg9F5GPrBTfiskwM2U3CNLQy+29PQKM
-FpDHCF37JF2135hufza+oLL6VoXeSi6Q+oh8I3LCS+vJ05u5+HoAv9YC51RGBhYy
-tgYUimqzMRPWfTNkfH+LTYLmzoPvaStkbvIasiDZB/s9ejdDl6MEFpnte1VSK3jC
-4VvGnkGGbUe3PWfxA+yBJqdyprlXbaY=
------END PRIVATE KEY-----
diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.pfx b/backend/src/Squidex/Areas/IdentityServer/Config/Cert/IdentityCert.pfx
deleted file mode 100644
index b3032a3e2a9c1c3a5a761122ffa452f6e046a8da..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 5389
zcmY+Gbx;%l*RK~?V(D&S0qI&wQW~VC8wqIyq`MYaSZR=4I%P@ehLx65knS!iky7IG
zo%!y4@BQP<nR$M5&YZu_JP;@a2ptUr0wtfq0&&4qU^fJ4*l2}N@;)Gxyz3usgFtc5
z{u^NxLUA|#p%rvAz`r*8-vkXpkA?fc8}QMvAcR1iTfm!`YFalebaWg*I28Ajdc7WO
zmHWYe@7Ba?rE&D7w#R1{p(v{^P&dz4M~5fGL<#NRBtS6cw7YA`%?EyLQoZeTOgDR#
zb0PdbMUv0%WI_*?v=azuSQ5RF6x20qCxqnj+3M~>;Kr^>F%2bOv$Ra-)`&#qq{g~B
znx+>Xy1n{Qdzzfm;%D6B`@S^LW>6=tK@`3wX1!+h)W-~A-98Av6HC{(05W2;m$Z7u
zVSV+9dXwkfYH8HNBGW!w`&2qj1ky(~u5Y%t$u2PuLO25tM&+&vvWSBsJraw$;S^4G
z@kc7|#ys_B&Lb8x=I6xzyEW3r7cvlHq0+gae8T80*+}z!CZWih!Wds6U0DXt==*;9
ziZyqjj-GW4?Qt7IWI-xR-Qh`=&aJ)-kdxf~!{TW<ESy4X0=-yhKnU$^`KOf!8(}b(
zA-d_SxEP8QZnjX8@SBEcyG|tzD?G(NX=n%(gO*#j1>1ax)`s`v1mBev#OLZW82hlN
z%%;!kk4#X@f+~U8U)TP~c{f&H{B8@$xmblapPZUE**(VO1zqw(mMldD7Xhjx0wcX)
zu8D0H==l2c^%<KJI|t!Mooykg>0ce}q*;{M;w@LrjG+Vj>Z*gj1`Zk<a^%CX$-+Uj
zqFm0>-(#ngA-u<xn{-jUT<Ji-g)eCR{l?%Zh#{M^F<C;ctK_u!oBrPwlJh_$N~}zw
z6YL0`6B;1j8T;IN*+|(G@t7}qheTQ2zF6jBuh%&ZRil`6znRc1s=2Lu*CYabA!7`F
zC2a+5JQJ)D7QB%d7wo&n*_atnCILJwLGHp(9O4dNUE3TK;NMY<#sxYqM$YgsLcyJZ
zBiVu~;!2fWH9E}P(sfL>qt)Gsjhvf%MyR|L*A1pnaYn-j@4A*!(kGrtrWG18M`~4q
zi0Ej;H#Ra)L=Pe>AJt{{I6Iz0bv$6ydU%I1;&D@7R=Rb69{X!=y*w(*<?YEG*FTN-
z`k{v`HCbL4`w+7Pp*4>d(}}BX9DMMSwBf%_r0_I|q}tARogn)38(J#Rlk}$@P6tMJ
zOf}1pf~nvtv;jH9o+h$<ss;vsMTBU!c(2OeZ<Xe#FQbN{nxkc-78iIoKk>;s8tlhQ
z17FstL>LZZwK;Srz8gtVTMV~W>R56d9~*xZ-p%{zk{O&5Y8Pn1J-tZx3YPSZ?L=|u
zg%S<KbcMImv6{T4;>ovBfp)G^j>SYLI8P$AOntdDf`F+&qTvpnO_Q)tU)GhbTOpuH
z${WD>i<QEA3%)al=g5Le@My<oq_@BM?y>qS=hjbsY3Nj1?K&t$q=#TUfcKz5f6&Ew
zWDFygoSpH8cz<_nKNFi#^UG|*;OcQCu3btDGF>yCT`JfU!_rG;8K-W*r{vdzxkjpx
zAg|6r<D|oHN7qTol{QbIbZNs2mp8)6Q4){#f5Mwz1IX#Xl>mW*CHl%^G(F6}M7DY<
zw}Rmf5=-g1BjslImNSo-_4c@5nP~RX-_Lw*2?Y1NR+x>kx2FzCY@9lgr=-s@0WmD&
zU4D8XRT_1BuR-MJJ?KHWsuQ}xsv3ao*aBT#>nDUN95vBI)SEtQlAa_%k!Sz5O*ZB*
z_WZ_yy{rm-Le+}B_vpk7GYyi=s>MB$A-q@HKCy4j*&4`_DdOsJh?v}Pf2|a8yG$Hq
zHpK9V1^0T}j!00&xVK|_+m-3XdafZW<E}N(!M-@jiDvsM_^v;8>ZSWtPZ{=E#z_o_
zKKZz!$W?@7TY@kLLUB@)sFKW@_2@`90cIWu`|zVYEr&{}fiUZ0W8VW0Y*(Jzh5K{g
z)iI5uAUw)YnvHsth|4GL<2yTh#aYgvZor;)_d$-{P=xEhr+C2AMw#wT2C<%6Tpi7s
zP7IbiJ<MX2TFi1pkeszs9vH-~iv(l!Mk%=lSDz!RU>Wj;JY;U3LhyQYQ~ALt(>`wk
z3XC1`fFu6A1#Q2tPiRmAv|;QtP;WkxE5I<R$-=r6V;r6{NH+iMf#CZP1oZ}sAY_8d
zorZ!w;yY1rWkG@G`R@`EsZLs(d*t=#ObM$Rf0`H}^Vqe6r&VbowikU1;9FA=V*tqi
z73FsH=G*M)IgJSCq@%r|zxMcd8+08K2|K9Ac%~vcY5Pcyq^XUVjwg(>Wz3^5COB8o
zAZYZ2XJMlW9u(5HrXgIGLK9sBuzdD)4u_${9#{$|8otpT#>i55TFcz&uc~-BzVnTp
z@^U7vV9azf*`|%>cedzTmGjLlpJ$%=k)>~Xj_Gzqt7`RF2ZHn8wb<*)e?gUpx5g;6
zQ=b!Xmb=s@^E7A_oXaV$qdZ$Yht_&j-w?*n?_qzxh@Mzky^dc$)0O4_!RoZi2HXia
zOkRYGlL*x#x=i~_M0&Ki$r;)4S*E`AQ&(bfY$l3%e*PkS-TcdY#F100!oYKE=ovF<
zUH@?q!aZ1$=C&E1{ce!VGP%p5eB=ZgzdM?t*4aAyFzTMPTVSJ_H%DJJf#mgPqw}vU
zXI>TJ7j)sBB64&XGN+!mP1C!inoc?YT)sW~B_<r<0_RgG&sh(YyR%}0(&c?Br2p}&
zUlhPw>K7R9)8S9S6&p!hFVnT!_kdQ*^w>Wl<rEQk5e@6NuCo4giq}$ncgT8gk#+2g
zzS9X*KAd}2PIezh_sJJrt*gc)`rM&6R~r_dBojUjL{+LBRQ)KXxrvUaF68$RX6%r9
zRMBnpW6xr-*Y5J{XJVaA7}z}<+rBFoQTzcK(Bgis8@~LN;ENAdsL`y<jZXk*AU2Z|
zzR28{CX|%PD(lDHUu?gYuu*$IhFw3_W!?H+cq3o(NqdL;6o%@O7mLTy$F^ryoEdX)
zjOW1u4)b&Oq{B>}&NnJdnxywyqmQn&<>^Sm9u@j3=5>f&t&#g&do5vh{)+}bZn4BP
z>z-lE<-5o>B4(nt)20y#Vhq(1Bb~^fg(fpE^*r?5IBUh#)LXB<@%S#7p<hS!QW0In
z15V1MJ8|R~8xsahn^gsXgySC?{TRf15{)JQ22t(3JrfL1hsELYmp=Lz`E!?ZScgtT
z_DGgDVI7;2(rKrGU1GUYPKR4NpTtjQ;L@U%Tm8jZ=>ArgjzX1rMPXHUeY=%;jyx46
zx{L~>qGz{?ZwP*QguNP8AdpVpzm~AA`%?EsxR>4n(ct&AUaif5RTZEjEEY6*@Z@Ll
z_L!Ud5_($T;5ByV`O<l{UBxB6QvQi3#SdCkL@>1cA*qoFxW{)F)$$_PNAF0;KhVWU
zY<C`$PglgyGM<m*aGjvm(|Tk7o+a1mmheEy&O&>seJ*MDvGsuWtl3iB&C4GDu-E>%
z(#P~cnVgUPr(05<g8EB7-aiLS+CE%4#dk%S4|zuo%#^tmR=4j7wx97R{b5@Fiqc|a
zqG?|fn|-8&Ed^0RNd)j>YaQlp0>At&Xw8XTqK!*8t8}?yr}uw2{i}+@kx{i)gX#LR
zAKALDCGq(+VJsDIx3VwDn!;oNY@o%?Ix&Kr3B1%y>=Huk#&igQvfC}_N~Vk&YIUkw
z%KYc0w2*23?sacZe)t;fdsP{{bE32AM+|q*e~Nz~so{i|Nb-SCKP7*zkNUyv_P{pL
zAThGA<RB(00cM)9oSTUYNmpKe2Z4f6|Bu)fLO~5cD5&-yM*gdEEWH1txwvTP|3bHa
z(E0zfUyT3Qulc(Us^2fz6#iqs|Hf6E(KjMx@H3bbMDJDSnWQ&$u$Eav-F*~ZT49R}
zrRr{hVWa7=*Mrgw4TZ;nEL$WKl;iJzmy3W`0+A%r!~%?YIC9v%QMNWe?}dh>kJo?+
zBNiKYV)(`#6$s2ka<r$86nShd(p0UQtbVeZ`JN*D5P{*&A!5_mkJvgbl%k_XL%Ncd
zNjSN-p}fBmw*Fn5@)ZYMu1rPtD0o(c_>9KRz%13B`ASEieRQZMTedF7(>Yt=TV`}X
zyGpl7o=H{d_i^EUPF@Hued^ZT+koY_cOQ~x7jj^Uq6S-heN?G4T0llPJFV6Ap}NUs
z0ANnCft8LRGGJ@EIJy7%IoBkeF|i+A!kPO42p{j(-1gJq`tLvm0rt)sOyrUenOeu!
zU8U&xg|Au?49YHJ1gK#`$Jblg$J>jCGYklq?_QFSaPvI!(*SoRvCLc}Q!{=03x8;n
z8VSWPFco?$*~c>}7n!f-<<2hp(zx(jTDUb&K4VZk&dy$Lmf0C}=Z70i<C&Vzfq{};
z{U#Lr0Me6=a}D-BCg?3Asneu<-uj;CJTz!NtjX4tW*qaXM%N&KvM2qCawULaFG!b5
zMK8~MS5K8&HM*}Kae+TP1%L$;tGO@(7HD4lEkD)T_|mjyYPn-cz^6=1^-O(-{k;t2
zo(!<LTu(-|_(#=GZIvh1o8SM}6K9lZeh0j3Nk&9RCSd1%1aim055GVC%$?6S|6vJ(
zK03?9VNbcB#pejew~)*-hvnHb8CCR75FR!O{W^z_{Vg9`i%Wfm=UhMPC1u=5le1qe
z!SCL(xvdz=t-9y^W7}BH*b>#G?}*6u9^b#RI>{bf==c~bC+cj4;_*((ml(HWzcM4o
zLG|eXVhW0Sbb2ZW_`Sraw)bgTdY|%IgTh76_WAi&#@F6h?*O}>kgEj`URrc^@>Xlj
z^)H?sNnHHuZDJE}j}!zpC-rImOn8bU`KlI-tj#c_V%n=Nz+p-2r8>1KRo53hKk5==
zBCA616@+(p!3-TlL=Wz_Zu=KO*c?DseiyOsY<!c@s-O9Sd4CM{2&$4_7tAT-n`+(l
zodR++yx3Cqe+pBp{;BR$zDV`a(>3VgTvsG@RO7g)hTPBMzrkq0pmyDSu2+q&B%Ed8
zKbwT>b^mce<A4BIC|X$5`P=pO(r6A8Dvb{|U=I$Gz+0w#owGP8rfKHjK>I}L(W@(M
zm*2C?t9-^{9cGjRVA0E#+Y&kq0n~5=eCLmnHB7O6*(PEZ%~-CZZI{2v96W&f`^Q(8
z6f}#*<PiMBfZMy&9Z(}f*NZRqVvW3{*gbc|bR6w=Cd0|JmuXM7=wW83LO9mYzPORJ
zV1@jZa4pi-oc7f@LNyBa1u?wzsY+JTMETl%>~4?|SgU9>F0lViJ#L}TH2e_e{j(uv
zq;2n&D!07Vym66lVq+*>I1QR-k}q82i4v1@tER2_#C!o)lFZB{Wk^+XAU_yfwIPPP
z(tQ<;Zd0gzM&e<GO3g!0RaV&j9%oq-AK_xYr0liS4q$3a?iQ@CG*>Y&azxsHDRVHg
z9aD;bPC;}vs!l0Qpqq*qF?`!Oe~o1v2N9V_9InE*$<Q^(;MaR~dDN2|m?uh{@S>pW
zDP2&eK*?8;J6(yu$LJ!C@j}Odw5@|Py~w7_oA=Vi7D==amDbJGoSZ52hZjA^*5mp8
zs`_IuMT1BXsn^ff<C;@bU&~T-D+cZ(_ImJAG{Qw^de)Y16_N+suLkpM79N+L8g_#D
zrBzRb9Id4&y6TfQSw;BM91!}2$>P(rx}jT7d6>S6B$Y!dqzQlfz<LJF6+<1+bbmcw
z9lv2n0FMACZ)wY3v~39evz1u!U-C|ZC-1HRf4gMnGrdSQa#gQ)sCbvg5~1j3$6Zr&
zdpCUu*h-sa66`3jB*uK;A_k;mlaKlvBOSe*xL;wV(HObKwcVR}l{Dpk`67H1zy9XB
z=Q8xS?;~b_B8g_Q_~`2dfxVVZw&c?eH>`Q^M}mQYb4Y?!i5H0vO+gXnkyT-bM%-LZ
z?&siHlc;Zflq5I_-dbg(bPRdEv~||QqlM6QhAGas#5|(|MUOK#_FOCDR6@Z{xg(&6
zN!=->WR~T<A}(?Vd}5X63uNaC+@hT5RP>MhefOvAZQQBvy;ilfREgN`WpQ(A+<GPa
zABi6K1uql8#VWj*vAm}U#EPLTzA#@l6_I}J=(|77_8&Cqv)hp3`EPRazBgbZ!HLDH
z57mV7%5~Eml!0>2z0yeD5#d^=cYEF+k>&3=nVmCXFv!WGeM2|AQvoK<ltp?VxS(&z
zcQdHkgIU?t&MRTZ=!vD*PQPXk%g(eA0+%uzN|Uh)?NSd7>piEOzt&xa%vL7J_HO5R
zu-%w>XY`VfJH2ZUD*i2VSVhA;z4V@nrRhs!4ilQLjF0FnKRb6jQ5<auFSCRv+X9jC
zj!p-)P15Z9(F%{w<5hsAbnIW1)uaZxw+E7=q$heku9fLCkdaQ2p_!c8Sb$ge9dRQn
z3$`T2;Ul*`<2n~hix`zcDI-Skvm`1pIo`~4wXK{eoXfcPbQVd(j%^U`*5yXEis2-H
zZJsM}^{idvWjJHsL9_?1N2mgSOR=qLy&E+qxokcBpop&SCG@OThzW__w*L~|L?~K{
zC96b5xC(^N!`{%tQ7P_DgJAH-?|;>=oBb>v<v5wBUemE4$!N80th;N|@^n&honk!3
z7UEXP*q9y#&<f)FjUZfc(xkLp!ZOc?40T?5(mYgjV0~EZ79>Tu{8}$ysBzQa@kppz
zB*Rf?9>d~}{mMPT?28^0Tdvi-^ER(tcELZC*`Ec=G>N=~&&!D800>!KG!|i>64_7t
zcm{INN%?Tc+;<pzLpeQclqV%1^BEkX?*@M;68JX2`mjq82Kp+f0;e;LHXaS2%UbfX
z+ACya7G3`SqYJo>GX$pHj0lK{#33FVQGk;lYHeqTAR^K3(97hOLW7&BC-1AP4K42k
zeVqv%LpK&MXc_<DctPJEw!SGT-(VkyFFsxiR6J)C4+k*WUhWVC<>9?DM@^$n)(!-F
zshw6N>wcxq%lhu^_v18)rivbCwJ#JiprwSG7HbG6nwu)6o-%t)wK!RI6uNpQY?%*n
zBypV}aF=WaSRpL`*Umr`0+c}VMPvA4XFuuYvGs@v!ns<ylfe!M5r8m3Kv<aEgc#_w
pm;fNT35LD_|G_fFc32^VwVMJ!v<un*;zUetUbo16x%`i%{SUpVIOG5T

diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
index 8127fbe1a..478ef3a3a 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@@ -6,7 +6,6 @@
 // ==========================================================================
 
 using System.Collections.Generic;
-using System.Security.Cryptography.X509Certificates;
 using IdentityModel;
 using IdentityServer4.Models;
 using IdentityServer4.Stores;
@@ -28,21 +27,6 @@ namespace Squidex.Areas.IdentityServer.Config
     {
         public static void AddSquidexIdentityServer(this IServiceCollection services)
         {
-            X509Certificate2 certificate;
-
-            var assembly = typeof(IdentityServerServices).Assembly;
-
-            using (var certificateStream = assembly.GetManifestResourceStream("Squidex.Areas.IdentityServer.Config.Cert.IdentityCert.pfx"))
-            {
-                var certData = new byte[certificateStream!.Length];
-
-                certificateStream.Read(certData, 0, certData.Length);
-                certificate = new X509Certificate2(certData, "password",
-                    X509KeyStorageFlags.MachineKeySet |
-                    X509KeyStorageFlags.PersistKeySet |
-                    X509KeyStorageFlags.Exportable);
-            }
-
             services.AddSingleton<IConfigureOptions<KeyManagementOptions>>(s =>
             {
                 return new ConfigureOptions<KeyManagementOptions>(options =>
@@ -77,8 +61,7 @@ namespace Squidex.Areas.IdentityServer.Config
                 })
                 .AddAspNetIdentity<IdentityUser>()
                 .AddInMemoryApiResources(GetApiResources())
-                .AddInMemoryIdentityResources(GetIdentityResources())
-                .AddSigningCredential(certificate);
+                .AddInMemoryIdentityResources(GetIdentityResources());
         }
 
         private static IEnumerable<ApiResource> GetApiResources()
diff --git a/backend/src/Squidex/Config/Domain/StoreServices.cs b/backend/src/Squidex/Config/Domain/StoreServices.cs
index 8fe6c1079..03f5cb54f 100644
--- a/backend/src/Squidex/Config/Domain/StoreServices.cs
+++ b/backend/src/Squidex/Config/Domain/StoreServices.cs
@@ -102,6 +102,9 @@ namespace Squidex.Config.Domain
                     services.AddSingletonAs<MongoUserStore>()
                         .As<IUserStore<IdentityUser>>().As<IUserFactory>();
 
+                    services.AddSingletonAs<MongoKeyStore>()
+                        .As<ISigningCredentialStore>().As<IValidationKeysStore>();
+
                     services.AddSingletonAs<MongoAssetRepository>()
                         .As<IAssetRepository>().As<ISnapshotStore<AssetState, Guid>>();
 
diff --git a/backend/src/Squidex/Squidex.csproj b/backend/src/Squidex/Squidex.csproj
index 3351d0478..3cf8eb9f0 100644
--- a/backend/src/Squidex/Squidex.csproj
+++ b/backend/src/Squidex/Squidex.csproj
@@ -85,7 +85,6 @@
 
   <ItemGroup>
     <EmbeddedResource Include="Areas\Api\Controllers\Users\Assets\Avatar.png" />
-    <EmbeddedResource Include="Areas\IdentityServer\Config\Cert\IdentityCert.pfx" />
     <EmbeddedResource Include="Docs\schemabody.md" />
     <EmbeddedResource Include="Docs\schemaquery.md" />
     <EmbeddedResource Include="Docs\security.md" />
@@ -107,7 +106,6 @@
 
   <ItemGroup>
     <None Remove="Areas\Api\Controllers\Users\Assets\Avatar.png" />
-    <None Remove="Areas\IdentityServer\Config\Cert\IdentityCert.pfx" />
     <None Remove="Docs\schemabody.md" />
     <None Remove="Docs\schemaquery.md" />
     <None Remove="Docs\security.md" />