The Identity Server 4 documentation (http://docs.identityserver.io/en/latest/topics/crypto.html?highlight=data%20protection) discusses signing keys and validation keys. I know that the signing key is configured using
AddSigningCredential(<X509Certificate2>)
and there are two APIs for validation keys
AddValidationKey(<X509Certificate2>)
AddValidationKeys(<Microsoft.IdentityModel.Tokens.AsymmetricSecurityKey[]>)
The document talks about signing key rollover and adding multiple validation keys to the discovery document. Questions:
- When do you use AddValidationKey with X509Certificate2? Do you need to do this even though you are using AddSigningCredential?
- What does "you request/create new key material" refer to? Is this a new certificate? Or is this a Microsoft data protection key?
- What is an AsymmetricSecurityKey? Is there a method to create from an X509Certificate2?
- We are using cookie authentication - are the ValidationKeys the same as the keys stored by PersistKeysToAzureBlobStorage in .NET Core 2.0? (https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.1&tabs=aspnetcore2x)
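The rollover arrangement the linked documentation describes, as an added example that is not part of the question or of IdentityServer's own samples: the newly created certificate becomes the signing credential and the previous one is kept as a validation key, so tokens it signed still verify until they expire. `X509SecurityKey` (a `Microsoft.IdentityModel.Tokens.AsymmetricSecurityKey` subclass) wraps an `X509Certificate2` for the `AddValidationKeys` overload. The `.pfx` file names and passwords are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Placeholder paths/passwords: load these from a certificate store or
        // secure configuration in a real deployment.
        var currentCert  = new X509Certificate2("current-signing.pfx",  "placeholder");
        var previousCert = new X509Certificate2("previous-signing.pfx", "placeholder");

        // The signing credential must carry the private key; fail fast at startup
        // rather than at the first token request.
        if (!currentCert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");

        // X509SecurityKey derives from AsymmetricSecurityKey, so this is how an
        // X509Certificate2 is passed to AddValidationKeys. Only the public key is
        // needed for validation, so a public-only certificate is sufficient here.
        AsymmetricSecurityKey previousKey = new X509SecurityKey(previousCert);

        services.AddIdentityServer()
            // Signs every newly issued token and is published in discovery.
            .AddSigningCredential(currentCert)
            // Published in discovery/JWKS as well, but never used to sign. Tokens
            // issued under the previous key keep validating; remove this entry once
            // the longest-lived token signed with it has expired.
            .AddValidationKeys(previousKey);
            // Equivalent for a certificate: .AddValidationKey(previousCert)

        // Cookie authentication uses the ASP.NET Core Data Protection key ring
        // (e.g. PersistKeysToAzureBlobStorage), which is a separate set of keys
        // from the token signing/validation keys configured above.
    }
}
```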