Site in Azure Websites fails processing of X509Certificate2

Front-end · unresolved · 6 answers · 1134 views
傲寒 2020-12-13 18:09

I have a site in Azure Websites (not Hosted Service) and I need to process .pfx certificates with a private key there.

    var x509Certificate2 = new X509Certificat


        
6 answers
  • 2020-12-13 18:32

    I solved this by following the instructions from the official documentation. Not sure if this was an option before, but now it is, and it was easy to use / implement.

    1. First I uploaded the .pfx certificate to my Azure App Service and entered the password when asked for it. Copied the thumbprint.

    2. Then I ran the following command from inside the Azure Console (I only added a single thumbprint). This is important as it enables your app to access the cert:

    az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>

    3. I used the following method to load the previously uploaded .pfx certificate into my app:

    using System;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    public X509Certificate2 GetAzureCertificate(string thumbprint, bool validOnly)
    {
        // With WEBSITE_LOAD_CERTIFICATES set, App Service places the uploaded
        // certificate (with its private key) in the CurrentUser\My store of the worker.
        using (var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            certStore.Open(OpenFlags.ReadOnly);

            // Find() matches the thumbprint exactly; validOnly additionally requires a
            // valid chain, which an uploaded self-signed cert will not have.
            var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly);
            var cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();

            if (cert == null)
            {
                throw new Exception($"Cert not found. Total cert count : {certStore.Certificates.Count}.");
            }

            return cert;
        }
    }
    
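The procedure in the answer above (upload the .pfx, set WEBSITE_LOAD_CERTIFICATES, read CurrentUser\My by thumbprint) carried through as an added C# example that is not part of the original answer. It reads the thumbprint list from the same app setting, normalizes a thumbprint before the exact-match Find() (portal copies can carry spaces or a stray non-hex character), refuses a certificate that arrived without its private key, and proves the key is usable with a sign/verify round trip so a mis-provisioned certificate fails at startup rather than on the first request. The class and method names are this example's own; the error messages and the "*" handling are assumptions about how a practitioner would want failures reported.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not from the original answer): load a certificate that App Service
// injected into CurrentUser\My via WEBSITE_LOAD_CERTIFICATES and check it is usable.
public static class AppServiceCertificates
{
    // Find() does an exact string match, so strip anything that is not a hex digit
    // (spaces, separators, a leading invisible character) and upper-case the rest.
    public static string NormalizeThumbprint(string thumbprint)
    {
        var sb = new StringBuilder();
        foreach (char c in thumbprint)
        {
            if (Uri.IsHexDigit(c)) sb.Append(char.ToUpperInvariant(c));
        }
        return sb.ToString();
    }

    public static X509Certificate2 LoadByThumbprint(string thumbprint)
    {
        string wanted = NormalizeThumbprint(thumbprint);
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because an uploaded cert may be self-signed or have no
            // chain on the worker; the thumbprint is the identity we care about here.
            var cert = store.Certificates
                .Find(X509FindType.FindByThumbprint, wanted, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
            if (cert == null)
                throw new InvalidOperationException(
                    $"Certificate {wanted} not in CurrentUser\\My; is WEBSITE_LOAD_CERTIFICATES set and the app restarted?");
            // A .cer upload lands here too, but without a key; catch that explicitly.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    $"Certificate {wanted} has no private key; upload a .pfx, not a .cer.");
            return cert;
        }
    }

    // Sign and verify a fixed message: proves the private key handle actually works
    // under the worker's identity, not just that HasPrivateKey is true.
    public static bool ProvePrivateKey(X509Certificate2 cert)
    {
        byte[] data = Encoding.UTF8.GetBytes("startup self-check"); // constructed input
        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            if (priv == null || pub == null) return false; // not an RSA certificate
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        // The app setting is exposed to the process as an environment variable and holds
        // comma-separated thumbprints, or "*" to load every uploaded certificate.
        string setting = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES") ?? "";
        foreach (string tp in setting.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            if (tp.Trim() == "*") continue; // nothing to look up by name in that case
            var cert = LoadByThumbprint(tp);
            Console.WriteLine($"{cert.Subject}: private key usable = {ProvePrivateKey(cert)}");
        }
    }
}
```

Run this once at startup (or from a health endpoint) on the App Service worker itself; it has nothing to report when executed locally, where the setting is absent and the store is your own.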
  • 2020-12-13 18:39

    Azure Websites now has native support for installing certificates to the certificate store. Have you given that a shot?

    Details here: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/

  • 2020-12-13 18:41

    I had exactly the same problem, and struggled for many hours to fix it. In the article that you mention the last stack call is to the function LoadCertFromFile, but in your (and my) case it is LoadCertFromBlob.

    So I looked for LoadCertFromBlob and found this:

    Why does X509Certificate2 sometimes fail to create from a blob?

    The solution was to go into IIS and change the application pool identity from "ApplicationPoolIdentity" to "LocalService", so that the certificate is loaded into the right local folder.

  • 2020-12-13 18:47

    In Azure Websites / Web App / Mobile App you have to use an App Service Plan that allows you to import an SSL certificate, so it should not be Free or Shared. You can import not only an SSL certificate, but also, for example, a code signing certificate and use it in signtool or from PowerShell.

    I used this method in https://vmplace.eu/

    If you try to use a Free or Shared plan you receive an error, so in Azure in these plans there is another version of the .NET framework.

    You can refer to this project also: https://github.com/onovotny/SignService

    mvpbuzz

  • 2020-12-13 18:51

    I guess you found a workaround, but if others are struggling with this, I found the answer to this in another SO question:

    How can constructing an X509Certificate2 from a PKCS#12 byte array throw CryptographicException("The system cannot find the file specified.")?

    The magic is specifying the X509KeyStorageFlags storage flags. Example:

    using System.Security.Cryptography.X509Certificates;

    // MachineKeySet: key container under the machine profile (no user profile needed)
    // PersistKeySet: keep the key container after the object is disposed
    // Exportable:    allow the private key to be exported again later
    var myCertificate = new X509Certificate2(
        certificateData,
        securePasswordString,
        X509KeyStorageFlags.MachineKeySet | 
        X509KeyStorageFlags.PersistKeySet | 
        X509KeyStorageFlags.Exportable);
    
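A runnable version of the flag-based load from the answer above, added here as an example and not taken from that answer. It builds a throwaway self-signed certificate and exports it as PKCS#12 bytes (standing in for the .pfx your site would read from configuration or blob storage), then loads those bytes two ways: with MachineKeySet, which is the part of the answer's flag combination that actually avoids the user-profile dependency on App Service, and with EphemeralKeySet, which keeps the key in memory only. PersistKeySet and Exportable are deliberately left out: they are not required for the load to succeed, PersistKeySet leaves the key file behind in the machine key store after Dispose, and Exportable lets any code in the process pull the private key back out. The class and method names, the subject name and the sample password are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original answer): load PKCS#12 bytes with explicit
// X509KeyStorageFlags and prove the private key is usable afterwards.
public static class Pkcs12Loading
{
    // Constructed input: a self-signed cert exported as PKCS#12, in place of a real .pfx.
    // Needs .NET Framework 4.7.2+ or .NET Core 2.0+ for CertificateRequest.
    public static byte[] MakeSamplePfx(string password)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(
                "CN=sample-only", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1)))
            {
                return cert.Export(X509ContentType.Pfx, password);
            }
        }
    }

    // MachineKeySet is what makes the blob constructor work in a worker process whose
    // user profile is not loaded: the key container is created under the machine
    // profile instead of the (missing) per-user one.
    public static X509Certificate2 LoadPfx(byte[] pfx, string password)
    {
        return new X509Certificate2(pfx, password, X509KeyStorageFlags.MachineKeySet);
    }

    // Alternative: no key container on disk at all. Not usable with SChannel-backed
    // APIs such as SslStream on Windows, but fine for signing and decryption in-process.
    public static X509Certificate2 LoadPfxEphemeral(byte[] pfx, string password)
    {
        return new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    // Sign/verify round trip: the real test of whether the key was loaded correctly.
    public static bool SignAndVerify(X509Certificate2 cert)
    {
        byte[] data = new byte[] { 1, 2, 3 }; // constructed message
        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            if (priv == null || pub == null) return false;
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        const string password = "sample-password"; // constructed for this example only
        byte[] pfx = MakeSamplePfx(password);

        using (var cert = LoadPfx(pfx, password))
            Console.WriteLine($"MachineKeySet load: private key usable = {SignAndVerify(cert)}");

        using (var cert = LoadPfxEphemeral(pfx, password))
            Console.WriteLine($"EphemeralKeySet load: private key usable = {SignAndVerify(cert)}");
    }
}
```

If you must keep PersistKeySet (for example because another process on the same machine needs the key), treat the machine key store as part of your deployment surface and remove the container when the certificate is rotated; with EphemeralKeySet or a non-persisted MachineKeySet load, disposing the X509Certificate2 is enough.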
  • 2020-12-13 18:53

    Azure Websites run in a shared environment. I am assuming that the constructor for the certificate is attempting to create some temporary information on the instance and it does not have permission to.

    You may have to upgrade to a hosted service in order to run in an elevated context and perform this work.

    Also, have you validated that the password is correct? If it doesn't require a password, you at least have to pass string.Empty to the constructor. Passing in a NULL value would also cause this exception.
