Thinktecture in windows azure web sites SSL issue - azure

I have deployed the thinktecture identity server in the windows azure website role. The issue I am facing is with the SSL certificate. If I don't have a custom domain name, I am forced to use *.azurewebsites, which already has a certificate from Microsoft, and the app pool account is not able to read the private key of this certificate, so it's throwing an error.
Did someone have the same issue, or any ideas about what I can do to resolve it?
Thanks

The SSL and signing certificate don't need to be the same. Use the MS SSL cert (for now) and generate a separate cert for signatures. That cert can then be uploaded so that you can programmatically access it.

Related

Issue within certification chain using azure application gateway

I'm using an Azure Application Gateway v2 to route traffic to a backend pool containing VMs running some docker container hosting an aspnet core webapi. The application is listening on port 443.
The gateway listener is configured to accept HTTPS connections. A pfx certificate has also been added.
The HTTP setting of the gateway is configured as follows:
I've provided, hopefully, the correct root certificate for the setting. I've exported the certificate as described here:
https://learn.microsoft.com/de-de/azure/application-gateway/certificates-for-backend-authentication
All VMs from the backend pool use the same certificate as the gateway listener.
When calling the API using a C# application or opening a specific URL within a browser, the connection seems to be trusted.
But I get an error when calling the API using Postman with enabled SSL certificate verification.
Error: unable to verify the first certificate
A check on sslhopper.com also indicates an issue within the chain.
I got further information doing a check on digicert.com.
TLS Certificate is not trusted
The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
I'm really stuck in resolving the issue. All helpful hints are very welcome.
The production environment, running on a Windows Server, without the Gateway but with the same certificates, is valid. So the issue must be somewhere in the gateway configuration.
The issue is resolved. The crucial clue was delivered by a blog post.
http://blog.repsaj.nl/index.php/2019/08/azure-application-gateway-certificate-gotchas/
Gateway V2: the importance of the certificate chain
I did a new export of the pfx certificate including the whole chain and uploaded it to the gateway.
If the cert is not trusted, then you need to check the Application Gateway Listener. Make sure that you are not using a Basic listener.
If you are using a multi-site listener, make sure that the host name which you have mentioned matches the certificate CN.
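The symptom in this thread (browsers and a C# client succeed, Postman and the online checkers report "unable to verify the first certificate") is what happens when the server sends only the leaf certificate: Windows clients fetch the missing intermediate from the AIA URL and build a valid chain, while strict clients that only trust what the server sent fail. The following PowerShell is an added example, not code from the question or the answers, that connects to an endpoint, records which certificates the server actually sent, and reports any intermediate that the built chain needed but the server did not supply; the host name `appgw.example.test` is a placeholder. It also wraps the fix the asker applied, exporting the PFX with the whole chain for upload to the Gateway v2 listener.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, where SslStream exposes the server-sent certificates to the
# validation callback via ChainPolicy.ExtraStore.

function Test-ServedCertificateChain {
    param([Parameter(Mandatory)][string] $HostName, [int] $Port = 443)

    $script:ServedThumbprints = @()
    $script:BuiltChain = @()
    $script:PolicyErrors = $null

    # The validation callback is the only place where the certificates the server
    # actually sent are visible; only strings are copied out because the chain object
    # is disposed once the handshake finishes.
    $onValidate = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:ServedThumbprints = @($chain.ChainPolicy.ExtraStore | ForEach-Object { $_.Thumbprint })
        $script:BuiltChain = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject      = $_.Certificate.Subject
                Thumbprint   = $_.Certificate.Thumbprint
                IsSelfSigned = ($_.Certificate.Subject -eq $_.Certificate.Issuer)
                Status       = (@($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
            }
        })
        $script:PolicyErrors = $sslPolicyErrors
        return $true   # accept so the handshake completes; this function reports, it does not trust
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$onValidate)
        $ssl.AuthenticateAsClient($HostName)   # the host name is also sent as SNI
        $ssl.Dispose()
    } finally { $tcp.Close() }

    # Every element between the leaf (index 0) and the self-signed root must come from
    # the server; anything Windows had to fetch itself is what strict clients will miss.
    $missing = @($script:BuiltChain | Select-Object -Skip 1 | Where-Object {
        -not $_.IsSelfSigned -and ($script:ServedThumbprints -notcontains $_.Thumbprint)
    })

    [pscustomobject]@{
        HostName             = $HostName
        PolicyErrors         = $script:PolicyErrors
        ServedCertificates   = $script:ServedThumbprints.Count
        ChainLength          = $script:BuiltChain.Count
        MissingIntermediates = @($missing | ForEach-Object { $_.Subject })
        StrictClientsWillPass = ($missing.Count -eq 0 -and $script:PolicyErrors -eq 'None')
    }
}

# The remediation from the thread: export the listener certificate together with its
# intermediates (BuildChain) so the gateway can present the full chain.
function Export-PfxWithChain {
    param(
        [Parameter(Mandatory)][string] $Thumbprint,
        [Parameter(Mandatory)][string] $OutFile,
        [Parameter(Mandatory)][securestring] $Password
    )
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $Password -ChainOption BuildChain
}

# Usage (placeholder host name):
Test-ServedCertificateChain -HostName 'appgw.example.test' | Format-List
```

Run the check before and after re-uploading the PFX: `MissingIntermediates` should go from listing the issuing CA to empty, which is the point at which Postman, openssl and the online checkers agree with the browser. The root itself is never expected from the server, so it is excluded from the comparison.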

Certificate based Azure VPN Connection - How Does it work?

I followed this link https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps#Certificates to create a VPN in Azure. So,
I created a root certificate and uploaded to management portal.
Used PS script to create the VPN
Created client certificate and installed the VPN Client package.
My VPN is working as expected. My question is now: can I delete this certificate from the management store now? Is it a must to upload the certificate to the management store to create this VPN? How does the authentication work in this case?
My question is now can I delete this certificate from management store now ?
By default, we can't delete this certificate.
Is it must to upload the certificate to management store to create this VPN ?
Yes, we have to upload the certificate to it; it is by-design behavior.
We can publish our public certificate to Internet, we only should keep the private certificate.
How does the authentication works in this case ?
Here is a blog about how certificate-based authentication works; please refer to this link.
You cannot delete the root certificate that you uploaded to Azure. It is used to authenticate the certificates presented by the connecting clients.

Azure App Service SSL Certificate Not Trusted

https://www.ssllabs.com/ssltest/analyze.html?d=recruit.equitysim.ai
Situation:
A client needs to access our site over a secure connection but is unable to do so because of a problem with our certificate.
We purchased a wildcard certificate and set it up as per the documentation. If you notice in the provided link, our certificate is trusted.
We are using the Azure App Service to host our website on a paid level that includes custom domain and SSL support.
Problem:
According to the test, it appears that Microsoft's SSL certificate is not trusted - alternative names mismatch (See Certificate #2). We believe this to be the reason why our client is unable to access our site.
Any thoughts on the matter? We know it isn't an SNI problem because we have another site that is hosted on a VM that also requires SNI support and they can visit that site just fine.

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my Azure web app can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)?
I generated an SSL certificate with openssl, and when I install it to the trusted root certificate authentication store on my local computer it runs fine. However, when I upload the cert via the management portal, I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority store on an Azure Web App. The security implications would be quite bad if that were possible. For more detail, please refer to another SO thread.
But we can use Azure Cloud Services, which allow us to do that. For more info, please refer to the document.
If we want to install certificates to the Personal certificate store, we could upload a .pfx file to the Azure App, and adding an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store. For more detail, please refer to Using Certificates in Azure Websites Applications.
For how to obtain an SSL certificate, please refer to the official document Secure your app's custom domain with HTTPS.

The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.
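Both the first question on this page (the identity server cannot read the private key of the platform's *.azurewebsites certificate) and the answer above (upload a .pfx and expose it through WEBSITE_LOAD_CERTIFICATES) come down to one check: is the certificate present in the Personal store of the identity the app runs as, and can that identity actually use its private key? The script below is an added example, not code from the posts, that performs that check the way a token-signing service would, by signing a probe payload. It assumes the thumbprint list comes from the WEBSITE_LOAD_CERTIFICATES setting (App Service exposes app settings as environment variables), that the store is CurrentUser\My on App Service and LocalMachine\My on a classic web role, and that the key is RSA.

```powershell
# Added example (not from the original posts). Verifies that a certificate loaded via
# WEBSITE_LOAD_CERTIFICATES is usable for signing by the current identity.

function Test-SigningCertificate {
    param(
        [Parameter(Mandatory)][string] $Thumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')][string] $StoreLocation = 'CurrentUser'
    )
    # Thumbprints pasted from the portal often carry spaces; normalise before comparing.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1

    $result = [ordered]@{
        Thumbprint = $Thumbprint; Found = $false; HasPrivateKey = $false
        PrivateKeyUsable = $false; Subject = $null; Error = $null
    }
    if (-not $cert) {
        $result.Error = 'Not in store: check WEBSITE_LOAD_CERTIFICATES and that a .pfx (not a .cer) was uploaded'
        return [pscustomobject]$result
    }
    $result.Found = $true
    $result.Subject = $cert.Subject
    $result.HasPrivateKey = $cert.HasPrivateKey

    if (-not $cert.HasPrivateKey) {
        $result.Error = 'Public certificate only; upload the .pfx that contains the private key'
        return [pscustomobject]$result
    }
    try {
        # Signing is the operation the identity server performs. A key that exists but whose
        # ACL excludes the app pool account fails here, which is the first question's error.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $data = [System.Text.Encoding]::UTF8.GetBytes('token-signing-probe')
        $sig  = $rsa.SignData($data,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $result.PrivateKeyUsable = ($sig.Length -gt 0)
    } catch {
        $result.Error = "Private key not accessible to $([Environment]::UserName): $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage: WEBSITE_LOAD_CERTIFICATES may hold one thumbprint, a comma-separated list, or '*'.
$setting = $env:WEBSITE_LOAD_CERTIFICATES
if ([string]::IsNullOrWhiteSpace($setting)) {
    Write-Warning 'WEBSITE_LOAD_CERTIFICATES is not set; no certificates will be loaded into the store'
} elseif ($setting.Trim() -eq '*') {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SigningCertificate -Thumbprint $_.Thumbprint }
} else {
    $setting -split ',' | ForEach-Object { Test-SigningCertificate -Thumbprint $_ }
}
```

Running this from a Kudu console on the app gives the answer to the first question directly: the uploaded signing certificate reports `PrivateKeyUsable = True` while the platform's shared SSL certificate is either absent from the store or fails the signing probe, which is why the SSL and signing certificates are kept separate.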

Can the ssl certificate and remote access certificate be the same?

All, I just configured SSL for my cloud service with a self-signed certificate by the following steps.
create self-signed certificate using makecert.exe.
import the certificate to the cloud service, and also import the certificate to the local machine personal store.
add certificate configuration for the web role in Visual Studio 2010.
publish the project to cloud services.
and it works fine.
But when I tried to import the RemoteAccess and RemoteForwarder modules to the configuration and use the same certificate for the SSL and RemoteAccess, the publish action fails with the error:
the remote desktop certificate with thumbprint xxxxx does not have a type of key exchange and can not be used for decryption.
When I remove the RemoteAccess, everything is fine.
Did anyone ever encounter this issue before? I didn't know if it is allowed for the cloud service. I mean using the same certificate for the SSL and RemoteAccess. Thanks.
I think the problem is you don't have the key exchange property for your certificate, instead of using the same certificate for SSL and remote. Maybe you can add the -sky exchange parameter for makecert.exe and try again.
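The error in the question is about the key specification of the private key, not about sharing one certificate between two roles: the Remote Desktop module uses the certificate to decrypt the encrypted RDP password in the configuration, which needs a key created for key exchange, while makecert without `-sky exchange` produces a signature-only key. The following PowerShell is an added example, not code from the question or answer, that creates a self-signed certificate with a key-exchange key using New-SelfSignedCertificate in place of makecert.exe, and a check that reports the key spec of any certificate so a signature-only one is caught before publishing. The DNS name is a placeholder.

```powershell
# Added example (not from the original posts). Windows PowerShell 5.1 with the PKI module.

function New-KeyExchangeCertificate {
    param([Parameter(Mandatory)][string] $DnsName)
    $params = @{
        DnsName           = $DnsName
        CertStoreLocation = 'Cert:\LocalMachine\My'
        KeySpec           = 'KeyExchange'      # equivalent of makecert -sky exchange
        KeyExportPolicy   = 'Exportable'       # needed to produce the .pfx that is uploaded
        KeyLength         = 2048
        NotAfter          = (Get-Date).AddYears(2)
        # A CAPI provider, so the key carries a key spec at all; CNG keys have none.
        Provider          = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    }
    New-SelfSignedCertificate @params
}

function Get-CertificateKeySpec {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    if (-not $Certificate.HasPrivateKey) { return 'NoPrivateKey' }
    $key = $Certificate.PrivateKey          # $null when the key lives in CNG rather than CAPI
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # KeyNumber is 'Exchange' (usable for RDP decryption and SSL) or 'Signature' (SSL only)
        return $key.CspKeyContainerInfo.KeyNumber.ToString()
    }
    return 'CngKey'
}

# Usage: create the certificate, confirm its key spec, then export the .pfx for upload.
$cert = New-KeyExchangeCertificate -DnsName 'myservice.cloudapp.example'
$spec = Get-CertificateKeySpec -Certificate $cert
if ($spec -ne 'Exchange') {
    throw "Certificate $($cert.Thumbprint) has key spec '$spec'; RemoteAccess requires 'Exchange'"
}
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$env:TEMP\cloudservice.pfx" -Password $pfxPassword
"Thumbprint for ServiceConfiguration: $($cert.Thumbprint) (key spec: $spec)"
```

Running `Get-CertificateKeySpec` against the certificate already referenced by the SSL endpoint tells you whether it can double as the RemoteAccess certificate: a result of `Exchange` means one certificate can serve both, `Signature` reproduces the publish error quoted above, and `CngKey` means the key was created with a CNG provider and the RDP module cannot use it either.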
