Read Azure default wildcard certificate from ASP.NET Core - azure

I'm putting up a staging environment in an Azure App Service. That sits under the Free Tier, where you cannot upload custom SSL certificates. In order to test my ASP.NET Core application setup, and specifically if it can correctly load a certificate from store, I'd like to try that without having to satisfy all requirements for a trusted certificate (change tier, get domain, get certificate, ...).
I'm aware of Let's Encrypt, but that would still force me to switch tier in order to add a certificate to Azure App Service. Plus, I'm not sure you can create a certificate for a domain some-site.azurewebsites.net (I've read something somewhere against using anything related to azurewebsites.net for a custom certificate), so maybe that would also need a custom domain anyway.
I was wondering if there's a way to access, from application code, the default wildcard certificate that MS owns for *.azurewebsites.net. So something like grabbing the MS Azure certificate thumbprint, storing it in the WEBSITE_LOAD_CERTIFICATES app setting, then loading it from the store as done here in chapter "3. Access from app".
    X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        "insert-here-thumbprint-of-azure-default-cert",
        false);
    // Get the first cert with the thumbprint
    if (certCollection.Count > 0)
    {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
    }
    certStore.Close();
Is this doable? TA.

Apparently, another SO thread has the answer. The gist of it is:
You will not be able to access this certificate programmatically in your WebApp as this certificate is not really installed on the Azure WebApp.
Not sure if this should be closed as duplicate.

Related

How to manage signed certificates with Azure Function V2

I am working on Azure Functions App on Consumption Plan. The Func App required to load a specific signed certificate.
In local machine I setup the certificate as personal certificate and everything works fine.
After publishing on azure, I am getting this error:
There are 0 certificates with the subject name cert.name in LocalMachine, MyUse scripts/certificates/ to generate this
Nothing helpful on SO or even in Azure Func documentation on how to use certificate with azure functions.
Anyone has experience with that?
I got it and it's pretty straightforward.
First go to platform features under your Function App and you should find SSL as shown below.
Then you can add a public, private or SSL certificate based on your needs. In my case I want to add a private certificate which I already exported and have its private key.
After uploading your certificate, go to your app settings and add this key/value:
WEBSITE_LOAD_CERTIFICATES: "Your Cert Thumbprint"
You should be able to load the certificate using this Thumbprint like this:
    using System;
    using System.Security.Cryptography.X509Certificates;
    ...
    X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        // Replace below with your certificate's thumbprint
        "000000000000000000000000000000000000000",
        false);
    // Get the first cert with the thumbprint
    if (certCollection.Count > 0)
    {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
    }
    certStore.Close();
    ...

Will a Windows Store app always disallow a self-signed certificate even if explicitly trusted?

I've seen both this and this — same problem, different question.
I'm trying to connect my Windows 8.1 Store app to an ASP.NET Web API web service, secured over HTTPS using a self-signed certificate. It's a proof-of-concept application that will end up on < 5 different machines and seen only internally, so I was planning to just install the certificate as trusted on each of the target machines.
When I try this on my development setup, both HttpClient APIs fail to establish the trust relationship when calling the service.
Windows.Web.Http.HttpClient exception: "The certificate authority is invalid or incorrect"
System.Net.Http.HttpClient exception: "The remote certificate is invalid according to the validation procedure."
My self-signed certificate (public-key-only .cer version) is installed in both the "User" and "Local Machine" Trusted Root Certification Authorities on the client. I'm really surprised that this isn't enough to get WinRT to trust it. Is there something I'm missing, or is there just no way to set up the trust relationship for a self-signed SSL certificate that will make HttpClient happy?
Details on my setup:
ASP.NET Web API
Azure web role running in Azure emulator
Cert issuer: 127.0.0.1
Cert subject: 127.0.0.1
Cert key: 2048-bit
Windows 8.1 Store application
Certificate (.cer file with public key only) installed in User\Trusted Root Certification Authorities
Certificate (.cer file with public key only) installed in Local Machine\Trusted Root Certification Authorities
Certificate (.cer file with public key only) added to Windows Store app manifest under "CA"
I am not asking for a workaround to configure HttpClient to accept self-signed or invalid certificates in general — I just want to configure a trust relationship with THIS one. Is this possible?
You should be able to find out what is the problem with the certificate by doing a request like this:
    // using Windows.Web.Http;
    private async void Foo()
    {
        HttpRequestMessage request = null;
        try
        {
            request = new HttpRequestMessage(
                HttpMethod.Get,
                new Uri("https://localhost"));
            HttpClient client = new HttpClient();
            HttpResponseMessage response = await client.SendRequestAsync(request);
        }
        catch (Exception ex)
        {
            // Something like: 'Untrusted, InvalidName, RevocationFailure'
            Debug.WriteLine(String.Join(
                ", ",
                request.TransportInformation.ServerCertificateErrors));
        }
    }
Using a HttpBaseProtocolFilter you can ignore certificate errors:
    // using Windows.Web.Http;
    // using Windows.Web.Http.Filters;
    // using Windows.Security.Cryptography.Certificates;
    HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
    filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
    filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.InvalidName);
    filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationFailure);
    HttpClient client = new HttpClient(filter);
    HttpResponseMessage response = await client.SendRequestAsync(request);
The piece I was missing turned out to be that the certificate wasn't in the list of IIS Server Certificates on my local machine!
Opening IIS Manager and checking out the Server Certificates section, I did find a 127.0.0.1 SSL certificate already set up by the Azure emulator:
CN = 127.0.0.1
O = TESTING ONLY
OU = Windows Azure DevFabric
However, my own self-signed certificate that I made outside of IIS, also with CN=127.0.0.1, was not in the list. I imported it, and now my Windows Store app's HttpClient connects happily (certificate warnings went away in Chrome and IE as well!)
If anyone can firm up the technical details on this, please comment — this fix feels a bit magical and I'm not sure I can pinpoint precisely why this worked. Possibly some confusion on my part between the two certs for 127.0.0.1, even though the thumbprint I had configured in my Azure project was always the one I was intending to use?
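For the requirement stated in the question (trust this one self-signed certificate, not invalid certificates in general), here is an added example that is not part of the original posts. It assumes System.Net.Http on a current .NET runtime, where HttpClientHandler.ServerCertificateCustomValidationCallback is available, rather than the Windows.Web.Http API used in the answers; the class name PinnedHttp, its methods and the generated test certificate are hypothetical.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHttp
{
    // Accept the server certificate if normal validation passed, or if the ONLY
    // failure is an untrusted chain (the self-signed case) and the certificate's
    // SHA-256 hash equals the pinned value.
    public static bool Accept(X509Certificate2 cert, SslPolicyErrors errors, string pinnedSha256)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;
        // A name mismatch or a missing certificate is never excused by the pin.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, pinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static HttpClient Create(string pinnedSha256)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Accept(cert, errors, pinnedSha256)
        };
        return new HttpClient(handler);
    }

    public static void Main()
    {
        // Constructed self-signed certificate standing in for the service's own.
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=127.0.0.1", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            {
                string pin = cert.GetCertHashString(HashAlgorithmName.SHA256);
                // Pinned certificate with an untrusted chain, then a wrong pin, then a name mismatch.
                Console.WriteLine(Accept(cert, SslPolicyErrors.RemoteCertificateChainErrors, pin));
                Console.WriteLine(Accept(cert, SslPolicyErrors.RemoteCertificateChainErrors, new string('0', 64)));
                Console.WriteLine(Accept(cert, SslPolicyErrors.RemoteCertificateNameMismatch, pin));
            }
        }
    }
}
```

Because a name mismatch is not excused, the pinned certificate still needs a subject alternative name that matches the host the client connects to.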

How to use certificate in Azure worker role?

I can't figure this out.
I've uploaded my cert to the role I need to use it from.
This works great from my machine, but it doesn't seem to work in the Worker Role, while it's running.
I was having problems locally until I "Installed" this certificate - do I have to do that with Azure?
Any tips?
Thanks!
    string certThumbprint = "8B6F1E6FEC6EB1D2EA8E86F78BD0841310BFD1F8";
    X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    certificateStore.Open(OpenFlags.ReadOnly);
    var certs = certificateStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        certThumbprint, false);
    if (certs.Count == 0)
    {
        Console.WriteLine("Couldn't find the certificate with thumbprint:" + certThumbprint);
        return;
    }
A few helpful pointers:
Make sure you're running in elevated mode.
Make sure that the certificate has been uploaded to the LocalMachine\Personal store, not CurrentUser\Personal store.
Make sure that you've uploaded the .PFX file to the necessary Role, not .CER file to management certificates area. (You can remote into the instance to make sure that the cert is in the proper place)
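The threads on this page keep coming back to a thumbprint lookup that returns nothing because the certificate sits in a different store than the one opened. The following diagnostic is an added example, not code from the original posts: it normalizes the thumbprint and reports every store in which it is found. The class name CertLocator, its methods and the sample thumbprint are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertLocator
{
    // Thumbprints pasted from the certificate dialog can carry spaces or an
    // invisible leading character; keep hex digits only.
    public static string Normalize(string thumbprint) =>
        new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    // Search both store locations and the store names mentioned on this page.
    public static IEnumerable<string> Locate(string thumbprint)
    {
        string wanted = Normalize(thumbprint);
        var locations = new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        var names = new[] { StoreName.My, StoreName.TrustedPeople, StoreName.Root };
        foreach (var location in locations)
        foreach (var name in names)
        {
            using (var store = new X509Store(name, location))
            {
                try { store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); }
                catch (CryptographicException) { continue; } // store missing or not readable
                // validOnly: false, so self-signed or expired certificates are still listed
                var found = store.Certificates.Find(X509FindType.FindByThumbprint, wanted, false);
                foreach (X509Certificate2 cert in found)
                    yield return $"{location}\\{name}: {cert.Subject} " +
                                 $"privateKey={cert.HasPrivateKey} expires={cert.NotAfter:u}";
            }
        }
    }

    public static void Main(string[] args)
    {
        // Constructed sample: a made-up thumbprint with the stray spaces and
        // invisible U+200E mark that copy-paste tends to add.
        string input = args.Length > 0
            ? args[0]
            : "\u200E00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33";
        Console.WriteLine("Searching for " + Normalize(input));
        var hits = Locate(input).ToList();
        foreach (string hit in hits) Console.WriteLine(hit);
        if (hits.Count == 0) Console.WriteLine("Not found in any searched store.");
    }
}
```

A hit that shows privateKey=False means only the public part was installed, which matches the .PFX versus .CER pointer above.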

Azure Self signed certificate

"Can I" and "How to" use a self-signed certificate on the staging deploy of my cloud service?
Are there special configurations necessary? I've checked a couple of tutorials but they only mention HTTPS... and I don't want to use HTTPS... I want to programmatically load a self-signed certificate...
I can load the certificate... but I get the yellow screen of death saying "The X.509 certificate CN=mysite.com is not in the trusted people store."... How can I revert this using a self-signed certificate?!?!
I'm loading the certificate this way:
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumb, false);
EDIT: The certificate is here to make WS-Federation authentication possible...

Unable to load certificate instance from within Azure Worker Role

I have an Azure Worker Role that I wish to call the Management Service (e.g. REST API) and collect information regarding related services. However, when I try to load my certificate it fails to find it. Here are the steps I followed:
1. I created a certificate using MakeCert and registered it as my Management Certificate via the portal
    makecert -r -pe -a sha1 -n "CN=MyCnName" -ss My -len 2048
        -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 MyCert.cer
2. Installed the cert on my local machine and everything works fine. When running the Worker Role locally I can call the Management Service with no problems.
3. Exported the cert from my machine and registered the exported certificate under the target Hosted Service via the portal
4. Deployed the Role. When the Role starts it fails to find the cert.
Here is an extract of the code I'm using to find the cert.
    // Open the certificate store for the current user.
    var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); // I also tried localmachine
    certStore.Open(OpenFlags.ReadOnly);
    // Find the certificate with the specified subject.
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindBySubjectName,
        _myConfiguration.SubjectName,
        false);
    if (certCollection == null || certCollection.Count < 1)
    {
        // Find the certificate with the specified thumbprint.
        certCollection = certStore.Certificates.Find(
            X509FindType.FindByThumbprint,
            _myConfiguration.ThumbPrint,
            false);
    }
    // Close the certificate store.
    certStore.Close();
    // Check to see if a matching certificate was found.
    if (certCollection.Count == 0)
    {
        _logger.Warn("No certificate found");
    }
There is no exception, just no cert is found. Can anyone shed some light on what I need to do?
Figured out the problem... In addition to configuring the cert in the portal, I needed to add the certificate details (e.g. Name, Store, and Thumbprint) to the Azure Project Role settings under the Certificates Tab.
I have a similar problem for a web role; I have applied a workaround.
1. Connect with remote desktop to the VM where the service and certificate are deployed
2. Copy your cert or pfx to your VM local disk (e.g. C:)
3. Click on your pfx or .cert file and install it in the specific certificate store ("Trusted People")
4. Run your service; even if you are configured to search a different store, you will find it in Trusted People
I don't know why my web role tries to find the cert in this location if I am forcing it to search in the "My Store" location, but the search method retrieves info from the Trusted People store.
The problem with this workaround is when you delete your deployment the cert and any other configuration will be wiped.
This piece of code could give you some information:
    //the certificate must be in the Trusted People Store
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        //Commented
        //Get the first available match from cert store
        //X509Certificate2 cert = store.Certificates.Find(X509FindType.FindBySubjectName,
        //    subjectname,
        //    false)
        //    .Cast<X509Certificate2>()
        //    .FirstOrDefault();
        X509Certificate2 cert = new X509Certificate2();
        foreach (var ct in store.Certificates)
        {
            //Logger.TraceInformation(string.Format("Cert found: Subject {0} Tumbprt:{1}", ct.FriendlyName, ct.Thumbprint));
            if (ct.SubjectName.Name.ToString().Contains("*.certnamexx.extensionxx"))
            {
                return new X509SecurityToken(ct);
            }
        }
    }
    finally
    {
        // Close the store on every path; a try block needs a catch or finally to compile
        store.Close();
    }
