I wanted to sign my binaries while deploying to Azure App Service through github (using Kudu underneath). I understand I can run a custom script for building the project. Maybe I could use this method to sign the binaries during the build process and deploy the signed bits? I suppose I can place my certificate in Azure Key Vault. How can I access this without checking in any secrets into github?
Anybody have experience with this?
You're on the right track here. A custom deployment script should do it:
http://blog.amitapple.com/post/38417491924/azurewebsitecustomdeploymentpart1
https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script
In Kudu you won't have Azure PowerShell installed, so you'll have to pull your certificate from Key Vault over REST.
UPDATE: Azure Functions do have the Azure RM cmdlets installed. You could write a Function App in PowerShell that pulls the cert from Key Vault. Use a Service Principal to Login-AzureRmAccount unattended.
The secrets needed to accomplish that should be kept in Application Settings. They are exposed to you in Kudu as Environment Variables: https://azure.microsoft.com/en-gb/documentation/articles/web-sites-configure/
App settings
This section contains name/value pairs that you web app will load on start up.
For .NET apps, these settings are injected into your .NET configuration AppSettings at runtime, overriding existing settings.
PHP, Python, Java and Node applications can access these settings as environment variables at runtime. For each app setting, two environment variables are created; one with the name specified by the app setting entry, and another with a prefix of APPSETTING_. Both contain the same value.
Alternatively, you could pull the certificate from App Service store (the "My" store). Here's how:
From https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/:
Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to * in which case all your certificates will be loaded to your web applications personal certificate store.
using System;
using System.Security.Cryptography.X509Certificates;
namespace UseCertificateInAzureWebsiteApp
{
class Program
{
static void Main(string[] args)
{
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your cert's thumbprint
“E661583E8FABEF4C0BEF694CBC41C28FB81CD870”,
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
// Use certificate
Console.WriteLine(cert.FriendlyName);
}
certStore.Close();
}
}
}
No certificate validation is being done for you. You need to implement that yourself, by comparing to values stored in App Settings or Key Vault.
Related
In Azure you can setup an App Config and a KeyVault. The point of the KeyVault being to store more sensitive data than your App Config and be able to regulate access to the config and vault separately.
So what is the benefit of using a keyvault reference in the app config?
You are basically allowing anyone with access to the app config to access certain values in your keyvault and are bypassing the additional layer of security the vault normally provides.
The additional layer being required auth to the vault to access those same values if they aren't referenced in the config.
I really don't understand what benefit keyvault references give you.
This blog article by Jan de Vries explains them in more detail: https://jan-v.nl/post/2021/using-key-vault-with-azure-app-configuration/.
The relevant part for your question:
As it happens, the code for accessing App Configuration doesn’t give your application permission to retrieve secrets from Key Vault.
The application retrieves them from Key Vault, not from App Configuration.
App Config only holds the reference, not the actual value.
Official docs also mention this:
Your application uses the App Configuration client provider to retrieve Key Vault references, just as it does for any other keys stored in App Configuration. In this case, the values stored in App Configuration are URIs that reference the values in the Key Vault. They are not Key Vault values or credentials. Because the client provider recognizes the keys as Key Vault references, it uses Key Vault to retrieve their values.
Your application is responsible for authenticating properly to both App Configuration and Key Vault. The two services don't communicate directly.
I suppose there are different approaches to using the KeyVault, but the way I tend to use it is as follows.
My application will have a set of secrets, which I store locally using the Secrets Manager, you would add the secret for your application:
dotnet user-secrets set "Movies:ServiceApiKey" "12345"
Your application can then read this setting using _moviesApiKey = Configuration["Movies:ServiceApiKey"]; as you'll see in the link above. Obviously, there's no way you can see this value in the code, but your application can read it from the Secrets Manager.
If you do forget the values, you can use the following command to retrieve them:
dotnet user-secrets list
KeyVault will work as your Secrets Manager within Azure. So, your application will need to have permission to access the KeyVault, and in my case I store the Vault name in the appsettings.json, and during the bootstrapping, I include the KeyVault configuration if running in Production mode i.e. on the Azure Server and not locally.
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureLogging(logging =>
{
logging.ClearProviders();
logging.AddConsole();
logging.AddAzureWebAppDiagnostics();
})
.ConfigureAppConfiguration((context, config) =>
{
if (context.HostingEnvironment.IsProduction())
{
IConfigurationRoot builtConfig = config.Build();
ConfigurationBuilder keyVaultConfigBuilder = new ConfigurationBuilder();
keyVaultConfigBuilder.AddAzureKeyVault(builtConfig["VaultName"]);
IConfigurationRoot keyVaultConfig = keyVaultConfigBuilder.Build();
config.AddConfiguration(keyVaultConfig);
}
})
.UseStartup<Startup>();
Note, the check for context.HostingEnvironment.IsProduction(). Within the appsettings, I have:
"VaultName": "https://yourkvname.vault.azure.net/"
So, the only reference I have to the KeyVault from the application is the name, and that should be secure as only the application will have access to the keys/secrets.
One thing to note, you need to make sure that the names match both for your local secrets and the ones in the KeyVault. In my case, I am running on a Windows platform, so I needed to make a small change to the names using double dashes (--) in place of the colon (:), so...
Movies:ServiceApiKey
Becomes
Movies--ServiceApiKey
When working in Azure, storing secrets in Key Vault is a good idea. And to make it better, there’s the Key Vault Reference notation. This feature makes sure no one can read the secret(s) unless someone grants permission.
Speaking of secrets, they should never be directly stored in application settings of a Function App (same goes for App Services by the way). Why not ? Because secrets would be available to anyone who has access to the Function App in the Azure Portal. The right way is to use an Azure Key Vault which is the Azure component for securely storing and accessing secrets 🔒. Once your secrets are in the key vault, you have to grant the Key Vault access to the identity of your Function App and you can then reference the secrets you need directly in your application settings. These are called Key Vault references because an application setting does not contain directly the value of a secret but a reference to the secret which is stored in Key Vault. When running, your function will automatically have access to the secret and its value as an environment variable, as if it was a normal application setting.
Key Vault references work for both App Services and Function Apps and are particularly useful for existing applications that have their secrets stored in settings because securing the secrets with Azure Key Vault references does not require any code change.
Reference: https://www.techwatching.dev/posts/azure-functions-custom-configuration
https://www.sharepointeurope.com/using-key-vault-references-with-azure-app-configuration/
I deployed my .net core application in azure. After deployment, I have faced this issue sometimes "The specified CGI application encountered an error and the server terminated the process.".
Its working fine when debug locally. Kindly help me how to fix this issue.
Have a look at this issue on Github. Apparently this can occur when you're trying to get a specific certificate that IdentityServer can't find.
I think I was failing to retrieve a certificate and this was causing a sudden stop when it was required.
Please take a look at (the somewhat dated) article Using Certificates in Azure Websites Applications
In short:
Upload the certificate (for instance to the Azure Portal)
Add app setting
Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application.
Access the certificate:
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
“<YOUR_CERT_THUMBPRINT_HERE>”,
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
// Use certificate
}
I want to use certificates (uploaded, via the portal, to the cloud service deployment) in my cloud service webrole.
I would expect that - after uploading the certificates - they would be applied to my running web roles and I can then find the certificates via their thumb print.
I upload the certificate via the portal by going to my cloud service, selecting "Certificates" and then uploading the .pfx and providing the password.
This is the code I am using to try to get certificates:
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 certificate = null;
foreach (X509Certificate2 cert in store.Certificates)
{
string certHash = cert.Thumbprint;
if (certHash.Equals(binding.SslThumbprint, StringComparison.OrdinalIgnoreCase))
{
certificate = cert;
break;
}
}
This works if I register the certificates in the .csdef file, but I need to be able to load the certificates dynamically. Changes to the .csdef file require deploying a new package - which is not an option.
There is a similar feature in azure websites that you can add a WEBSITE_LOAD_CERTIFICATES setting with a wildcard value to your app setting and then find them by thumbprint in the code. Basically I am looking for a similar feature in cloud services.
There is no ability to dynamically load certs uploaded to the Azure portal into a Cloud Role without specifying them first in the CSDEF/CSCFG files.
You can, however, upload your certs to some external storage (ie: Blob storage, SQL Azure db, etc or as Poul mentioned Key Vault) and load them from there.
HTH
I deployed a web application as a Web App on Azure App Service.
I uploaded some certificates to the Azure Portal, since the Web App runs over SSL, and we use another certificate to perform some decryption.
For the latter case I have a method (which works fine locally) to find a certificate:
public static X509Certificate2 FindCertificate(KnownCertificate certificate)
{
return FindCertificate(StoreName.My, StoreLocation.CurrentUser, X509FindType.FindByThumbprint, certificate.Thumbprint);
}
But I get an error that the certificate with thumbprint XYZ is not found. Although, on the Azure Portal it is present. (I had uploaded and imported it)
I am using StoreLocation.CurrentUser as suggested in THIS POST but it still does not work. Am I using the wrong store or what else am I missing?
EDIT: I have managed to remotetly debug my WebApp and with the ImmediateWindow feature of VisualStudio I have executed this code
new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser).Certificates.Find(findType, findValue, false).Count;
testing all possible combinations of StoreNames and StoreLocations but to no avail.
Is it possible like stated here that for using certificate with purposes other than https traffic you would need a Cloud Service and that (I suppose that) App Services do not support it?
You need to add WEBSITE_LOAD_CERTIFICATES to your web app App Settings. Set the value to either ' * ' or to the thumbprint of your certificate you want loaded into the web app environment. My personal preference is to set this value to ' * ', which means, load all certificates that have been uploaded.
After you apply this change you should be able to load your certificate from within your web app code.
More information on how to use certificates is available here. The article is a bit dated (in today's standards) but still relevant.
I have some difficulties in managing Azure certificates from my code.
Indeed I'm trying to use Azure REST Services API (e.g. creating HTTP requests) in order to know my services state from my Azure web site.
It works well in local debugging, but my web role seams to have some limitation with the certificates manager. Bellow is what I do:
// this method stores a certificate from the resources
// to the local certificates manager
private X509Certificate2 StoreCertificate(Certificates certName)
{
X509Certificate2 newCert = null;
// get certificate from resources
newCert = this.GetCertificateFromResources(certName);
// store it into the local certificate manager
if (newCert != null)
{
var store = new X509Store(
StoreName.TrustedPeople,
StoreLocation.LocalMachine
);
store.Open(OpenFlags.ReadWrite);
store.Add(newCert);
}
// reset ref and try to load it from manager
newCert = null;
newCert = this.GetCertificate(certName);
return newCert;
}
An Access is denied error appends when I try to add the certificate.
Any idea ? Can I store certificates into the Azure VM ?
Should I use a special location to store those ?
Are you using a Cloud Service (web/worker role)? If so, which OS family? I've seen some reports that with a worker role using OS family 3, you need to run the role with elevated permissions in order to read certs from the local cert store. Not sure if that applies to web roles as well and adding to the cert store.
Has the service cert been added via the Azure management portal as well (or via the REST API or PowerShell)?
Well I have found lot of things:
I was deploying my code in a web site so that I cannot add a certificate to the Shared VM in Azure
I have tried to connect to the VM in a remote desktop session and I added a certificate manually.
Even in this case, I have an (403) Forbidden error in an InvalidOperationException.
So here is the current state:
a certificate has been created (makecert) and added manually in the VM that hosts my web role (deployed in a service)
this certificate has been uploaded to both the Azure Account certificates and to the Azure service certificates (the one that deploys my web role)
the thumbprint of this certificate has been added in my code and I can access to the certificate when my code is executed
So 2 questions:
Is there something I should do with my certificate ?
When I try my web role locally in the Azure emulator, everything works. Is there a special setting to update during the publish / deploy step ?
Thanks for your help.
In order to save the time of other developers, here is what I did to solve the main problem:
connect to the VM that deploys the web role: see there
create the certificate: see there
Eventually plays with the certificates manager (mmc.exe)
Then the certificate is available from the code.