I have site in Azure Websites (not Hosted Service) and I need processing .pfx certificates with private key there.
var x509Certificate2 = new X509Certificate2(certificate, password);
But I was faced with follow exception:
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
In article http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/ I have found that it happens because by default the system uses a local directory of user to store the key. But Azure Websites have no local user profile directory. In the same article author propose to use X509KeyStorageFlags.MachineKeySet flag.
var x509Certificate2 = new X509Certificate2(certificate, password, X509KeyStorageFlags.MachineKeySet);
But now I have other exception:
System.Security.Cryptography.CryptographicException: Access denied.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
Can anybody help me to understand why it happens and how to fix it?
I guess you found a workaround, but if others are struggling with this, I found the answer to this in another SO question:
The magic is specifying the X509KeyStorageFlags storage flags. Example:
var myCertificae = new X509Certificate2(
certificateData,
securePasswordString,
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.Exportable);
Azure Websites now has native support for installing certificates to the certificate store. Have you given that a shot?
Details here: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/
Azure Websites run in a shared environment. I am assuming that the constructor for the certificate is attempting to create some temporary information on the instance and it does not have permission to.
You may have to upgrade to a hosted service in order to run in an elevated context and perform this work.
Also, have you validated that the password is correct? If it doesn't require a password, you at least have to pass string.Empty to the constructor. Passing in a NULL value would also cause this exception.
I had exactly the same problem, and struggled many hours for fixing it. In the article that you mention the last stack call is to the function LoadCertFromFile, but in your (and my) case it is LoadCertFromBlob.
So I looked for LoadCertFromBlob and found this:
Why does X509Certificate2 sometimes fail to create from a blob?
The solution was to go in IIS and change the application pool identity from "ApplicationPoolIdentity" to "LocalService", so that the certificate is loaded in right local folder.
In Azure Websites / Web App / Mobile App - you have to use App Service Plan that allwos you to import SSL certificate - so it shoud not be a Free or Shared. You can import not only SSL certificate, but also for an example code signing cerificate and use it in signtool or from PowerShell.
I used this method in https://vmplace.eu/
If you try to use a Free or Shared plan you receive error - so in Azure in these Plans there is other version of .NET framework.
You can refer to this project also: https://github.com/onovotny/SignService
mvpbuzz
来源:https://stackoverflow.com/questions/18959418/site-in-azure-websites-fails-processing-of-x509certificate2