We are developing an Azure webjob that needs to communicate to several servers, each one of them demanding a separate SSL connection.
We have our certificates stored in an external server and load them at runtime together with the corresponding SSL connection settings. When we invoke the X509Certificate2 constructor in order to add it to the X509CertificateCollection, the webjob gets stopped with exit code -1073740940 and its status becomes "PendingRestart". Our guess is that the X509Certificate2 class is not compatible with webjobs, but we cannot find any hint on how to tackle this issue.
The code line that generate the issue is-
new X509Certificate2(sslCertificateBytes,
socketSettings_.CertificatePassword))
private X509CertificateCollection GetClientCertificates(byte[] sslCertificateBytes)
{
log_?.OnEvent($"{nameof(SSLStreamFactory)} function {nameof(GetClientCertificates)} started");
X509CertificateCollection result = new X509Certificate2Collection();
log_?.OnEvent($"{nameof(X509CertificateCollection)} {nameof(result)} construction successfull");
try
{
if (sslCertificateBytes != null)
{
log_?.OnEvent($"{nameof(sslCertificateBytes)} enumerable != null");
result.Add(new X509Certificate2(sslCertificateBytes, socketSettings_.CertificatePassword));
log_?.OnEvent($"result.Add successful");
}
else if (!string.IsNullOrEmpty(socketSettings_.CertificatePath))
{
log_?.OnEvent($"{nameof(socketSettings_.CertificatePath)} != null");
result = new X509Certificate2Collection();
log_?.OnEvent($"{nameof(X509CertificateCollection)} {nameof(result)} construction successfull");
var clientCert = StreamFactory.LoadCertificate(socketSettings_.CertificatePath, socketSettings_.CertificatePassword, log_);
log_?.OnEvent($"{nameof(StreamFactory.LoadCertificate)} function ended");
if (clientCert != null)
{
result.Add(clientCert);
log_?.OnEvent($"result.Add successful");
}
}
}
catch (Exception ex)
{
log_?.OnEvent($"{nameof(SSLStreamFactory)} function {nameof(GetClientCertificates)} raised exception: {ex.Message}");
throw;
}
log_?.OnEvent($"{nameof(SSLStreamFactory)} function {nameof(GetClientCertificates)} ended");
return result;
}
Is there a way to manage SSL certificates on Azure Webjobs?
Thanks in advance
Azure webjobs run into the same environment of its parent webapp. You can follow this article to import certificates into a webapp :
Using Certificates in Azure Websites Applications
In a nutshell:
Upload the certificate to Azure.
Add an app setting called WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate (make it accessible to your web application)
Important thing to remember:
The certificates will be installed to the Personal certificate store of the ApplicationPool Identity of the worker process.
So to access the certificate from your webapp or webjob:
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your cert's thumbprint
"E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
}
certStore.Close();
Related
I got success in checking cert is present in my current user by local execution process. But when I publish the same code on IIS, I am unable to get a certificate.
Please guide changes in code or settings for code publish on IIS.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
string certThumbprint = "E661583E8FABEF4C0BEF694CBC41C28FB81CD870";
bool validOnly = false;
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your certificate's thumbprint
certThumbprint,
validOnly);
// Get the first cert with the thumbprint
X509Certificate2 cert = certCollection.OfType<X509Certificate>().FirstOrDefault();
if (cert is null)
throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");
// Use certificate
Console.WriteLine(cert.FriendlyName);
// Consider to call Dispose() on the certificate after it's being used, available in .NET 4.6 and later
}
I have a project that communicates with a client server, the client server sends a self-signed certificate and I should trust him in order the continue the connection.
private bool VerifyServerCertificate(LdapConnection ldapConnection, X509Certificate certificate)
{
foreach (var cert in CertificateFileNames)
{
var certPath = Directory.GetFiles($#"{AppDomain.CurrentDomain.BaseDirectory}", $"{cert}",System.IO.SearchOption.AllDirectories);
X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
try
{
if (File.Exists(certPath.FirstOrDefault()))
{
var certToAdd = new X509Certificate2(X509Certificate.CreateFromCertFile(certPath.FirstOrDefault()));
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, certToAdd.SubjectName.Name, true);
if (certs.Count.Equals(0))
{
store.Open(OpenFlags.ReadWrite);
store.Add(new X509Certificate2(X509Certificate.CreateFromCertFile(cert)));
store.Close();
}
}
}
catch
{
throw new Exception("Cannot install the certificate.");
}
}
X509Certificate2 certificate2 = new X509Certificate2(certificate);
return certificate2.Verify();
}
This works fine but the project needs to be deployed as a Azure app service. So my question is, the app service environment does it have a "Trusted People" storage ?
The method receives de X509certificate from the connection and verify against the trusted people storage so I need to install the certificates before the validation.
Thanks.
I'm trying to use an Apple push certificate in an Asp.NET Core 1.1 app but it cannot find any certificates.
I uploaded the cert and set WEBSITE_LOAD_CERTIFICATES to *(all).
The following code is what I use to get the certificate
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates;
var signingCert = certCollection.Find(X509FindType.FindByThumbprint, thumbprint, false);
if (signingCert.Count == 0)
{
throw new FileNotFoundException(string.Format("Cert with thumbprint: '{0}' not found in local machine cert store.", thumbprint));
}
return signingCert[0];
}
What am I missing?
It seems that you'd like to upload your certificate to the certificates collection in Azure Websites and consume it in your web application from your site’s personal certificate store. I'm upload my certificate and use the following code to consume it in Asp.NET Core 1.1 app, the code works for me.
X509Certificate2 retVal = null;
var thumbprint = "{cert_thumbprint}";
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates;
var signingCert = certCollection.Find(X509FindType.FindByThumbprint, thumbprint, false);
if (signingCert.Count > 0)
{
retVal = signingCert[0];
}
Remote debug the code and the code works fine on azure website
Help please, I'm building a .NET Core API with ionic front end. I want to use ASPNET Core Identity so I was more or less following this example
https://identityserver4.readthedocs.io/en/release/quickstarts/6_aspnet_identity.html
here is what I have in Startup.cs
// Adds IdentityServer
services.AddIdentityServer()
.AddTemporarySigningCredential()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients(Configuration))
.AddAspNetIdentity<ApplicationUser>();
and
app.UseIdentity();
app.UseIdentityServer();
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = API_address,
RequireHttpsMetadata = false,
ApiName = "myAPIs"
});
and in my Config.cs file for in memory configurations I have
public class Config
{
// scopes define the resources in your system
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
};
}
// scopes define the API resources in your system
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource(
"myAPIs", // Api resource name
"My API Set #1", // Display name
new[] { JwtClaimTypes.Name, JwtClaimTypes.Role }) // Claims to be included in access token
};
}
// client want to access resources (aka scopes)
public static IEnumerable<Client> GetClients(IConfigurationRoot configuration)
{
return new List<Client>
{
new Client
{
ClientId = "myClient",
ClientName = "My Custom Client",
AllowedCorsOrigins = new List<string>
{
"whateverINeedHere"
},
AccessTokenLifetime = 60 * 60 * 24,
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
RequireClientSecret = false,
AccessTokenType = AccessTokenType.Jwt,
AllowedScopes =
{
"myAPIs"
}
}
};
}
}
Now the problem is that when I test this locally, everything works just fine.
I hit the /connect/token endpoint, I get a token response, hit the controller that needs token authorization and my claims are there. But when I deploy it to Azure, when I want to use the token (issued from that environment) I get 401 Unauthorized with response header invalid_token "The issuer is invalid". I've Googled, but people get invalid tokens with signature problems, not issuer. I've never used identity server before and to me this looks like it's some configuration problem. I have compared tokens I get from identity server on jwt.io, they look exactly the same, only difference being the issuer localhost -> myAPIAddress.
Can someone point me to the right direction?
This smells like it could be the temporary signing credentials. I also ran into problems when deploying to Azure when my cert wasn't loading.
I suggest you create a self signed cert and add it to azure using the following instructions. (Note this can be done in the new portal).
https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
REMEMBER: Make sure you add the WEBSITE_LOAD_CERTIFICATES application setting!
Also for your benefit, here's the code I use to load the cert in my startup.cs. I keep a copy of the cert in the repository so I can load it from disk as a fallback (when I'm on my dev machine).
X509Certificate2 cert = null;
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your cert's thumbprint
"A9781679661914B7539BE020EE9C4F6880579F42",
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
cert = certCollection[0];
// Use certificate
Log.Logger.Information($"Successfully loaded cert from registry: {cert.FriendlyName}");
}
}
// Fallback to local file for development
if (cert == null)
{
cert = new X509Certificate2(Path.Combine(_env.ContentRootPath, "myauth.pfx"), "mypassword");
Log.Logger.Information($"Falling back to cert from file. Successfully loaded : {cert.FriendlyName}");
}
services.AddIdentityServer()
.AddSigningCredential(cert)
Could be you've got an SSL/TLS issue between client and IdentityServer, are you able to view logged exceptions from IdentityServer itself? You may see something like:
"... Could not establish trust relationship for the SSL/TLS..."
If you're running IdentityServer on HTTPS you need to make sure you've got its domain/sub-domain in your certificate.
Either way, IdentityServer logs lots of useful info so turn on logging and check out what it says, that should point you in the right direction.
I have a MOSS 2007 farm that requires a client certificate to access. I have written several methods that use the built in SharePoint services to retrieve data from the site. However, outside of my local test environment everything requires a client cert to access the services.
My method for retrieving the cert is:
private static X509Certificate2 GetCertCreds()
{
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectKeyIdentifier, "SiteIdentityCertificateSerialNumber", true);
Assert.IsNotNull(certs);
return certs[0];
}
finally
{
store.Close();
}
}
Then in use I have to have something LIKE:
using (ListsServiceProxy.Lists service = new ListsServiceProxy.Lists())
{
service.Crendentials = GetCredentials();
XmlNode idResultsNode = service.GetListItems(documentLibraryName, null, queryNode, viewNode, "1", optionNode, null);
}
This is not compiling because of the type mismatch. Am I going about this the wrong way? If not is there a way to use the certificate as the services credentials? I think in end what I'm trying to do is convert an X509Certificate2 to ICredentials. Any help or advice would be greatly appreciated.
It turns out I had it all wrong. To correctly do this I replaced:
service.Credentials = GetCertCreds()
with
service.ClientCertificates.Add(GetCretCreds());
Adding the certificate into the service's client certificates collection is all that needed to happen.