azure webapp access a CRM secure site with ssl - azure

I have a .NET Web App on Azure space, that needs to communicate with our CRM server via Microsoft.Xrm.Client and .Portal. The CRM site is protected by SSL, we issue our own pfx files.
Currently the app brings up a "The remote certificate is invalid according to the validation procedure." error.
Is there any way to install a pfx file enabling our app to talk to our secure CRM system on our Azure account. What is the minumim pricing plan that would enable this facility?

You can read how to upload certificates and load them into the website context here,
https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
Remember to set the appsetting WEBSITE_LOAD_CERTIFICATES in the portal to the thumbprint or * for the certificate to be accessible from the web app.
I believe this is available even on the free plan. (But could be wrong, as normally play with SSL certs which do require Basic plan)

Related

Mutual SSL Authentication in Azure App Service

I am using Azure App Service to access a webservice hosted elsewhere. The webservice requires mutual TLS Authentication.
I have been given the public certificate from the provider of the webservice but where do I install this public certificate in Azure? In a traditional server environment, I would install in the certificate store. But in Azure, do I install it on the application gateway? or the Vault? How does Azure app service know where the certificate is installed and present it?
Private and Public certificates can be uploaded to Azure Web App: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal
Code running in Azure Web App can access those certificates in different ways, it depends on what language and runtime your application is using: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
In regards to your other questions:
"do I install it on the application gateway"?
From what I understand, your application is going to make outgoing calls to a webservice hosted elsewhere. Azure Web App outgoing traffic does not go through Application Gateway - so no, in your case storing certificate in Azure Web App and accessing it from the code is a good solution.
"or the Vault"? Azure Web App can also store certificates in Azure Key Vault. Your code could also connect to Azure Key Vault directly, bypassing Azure Web App key store altogether.
Finally, "How does Azure app service know where the certificate is installed and present it?" Please see the first two links I provided.
In the future, Azure has an excellent documentation on all of their products, a simple search engine search typically helps to narrow down many primitive answers.
Welcome to StackOverflow!

Azure - Can we use Service Management API to create/update/Delete Resource with XAMPP Localhost?

Can we use Service Management API to create/update/Delete Resource with XAMPP Localhost? They seek Certificates .cer and .pfx. I have uplaoded under Azure panel and unser my service -> SSL Settings.
When I am trying to make a connection from my local machine for Service API it still giving me exception Certificate not found. I am using PHP SDK for Azure. [package : "microsoft/windowsazure": "^0.5"]
can someone please guide me how to make conneciton from local and what if I want to make it in production?
Was using wrong format of certificates, it needs .pem file absolute path. .cer must have to be imported under your Subscription Management certificates in Azure portal

Azure - Why can I not upload an SSL certificate?

Question Background:
I am trying to upload an SSL certificate to Azure for my web app.
The Issue:
I located the SSL Certificate option within the settings and the following is shown.
There should be an option to upload my own SSL certificate but this is not present, why not?
In Azure App Service, you can only configure SSL on a custom domain if you are on a Basic pricing plan or Higher. The Free and Shared pricing plans do not support SSL configuration with custom domains.

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
 
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.

Is it possible to use client certificates in Windows Azure Websites

I am developing a windows service application that will run on customer PC/servers and access a Web API endpoint hosted in an Azure Website. It needs to authenticate the user, and I would prefer not storing credentials on the customer's machine. So, I've landed on client certificates to authenticate the users. I have this working against a local, non-Azure Website IIS instance with self-signed certificates. However, I'm unable to get it working in an Azure Website.
As far as I can tell, there are two issues that I'm not finding much documentation on:
How do I install my own CA certificate in the Trusted Root of the Website instance(s)? Or will this only work with CA certificates that are already trusted?
How do I enable "Accept Client Certificates" for this application? In IIS you do this under "SSL Settings". Documentation indicates that modifying the system.webServer/security/access node of app.config will accomplish this, but obviously you can't do that in Websites. Documentation for websites suggests this node is unlocked for use in web.config, however adding that node results in an error "The page cannot be displayed because an internal server error has occurred.", even if custom errors is off.
For Azure web sites vs web roles client authentication options are rather limited. Websites don't let you run programs with elevated permissions, which is required for making IIS changes and storing certificates into the trusted root.
There's a way to configure you website to always (you don't get the benefit of making it optional as with IIS 'Accept' configuration) request client certificate. This feature is currently only available through Azure management REST API, you can't access it through the portal UI. You can find more information here.
Essentially you turn on clientCertEnabled website setting to true. The mechanics of this option are different from traditional client authentication where server needs to have a CA certificate with which the client cert is signed in its trusted root. The server doesn't run any validation on the client certificate, the application needs to run the cert check itself, which comes in a request header "X-ARR-ClientCert". GetClientCertificate() extension method on HttpRequestMessage will parse it automatically.
Alternatively, you can host your Web API as a web role. That gives access to running startup tasks with elevated permissions that allows access to trusted root and making IIS configurations, more details/examples here. You can either copy the CA certificate to the app folder or upload to the user store via Azure portal so that it is available for copying over to the trusted root in a startup task. IIS changes can be made via “Microsoft.Web.Administration” library available as NuGet package through ServerManager class.
For question 2, here's a blog post on how to install client certificates on Azure Websites: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/
For question 1, you can't install your own CA certs as trusted root certificates, but if you have certs from a CA that's already trusted then you can use them without any issues.

Resources