How to use certificate in Azure worker role? - azure

I can't figure this out.
I've uploaded my cert to the role I need to use it from.
This works great from my machine, but it doesn't seem to work the Worker Role, while it's running.
I was having problems locally until I "Installed" this certificate - do I have to do that with Azure?
Any tips?
Thanks!
string certThumbprint = "8B6F1E6FEC6EB1D2EA8E86F78BD0841310BFD1F8";
X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certificateStore.Open(OpenFlags.ReadOnly);
var certs = certificateStore.Certificates.Find(
X509FindType.FindByThumbprint,
certThumbprint, false);
if (certs.Count == 0)
{
Console.WriteLine("Couldn't find the certificate with thumbprint:" + certThumbprint);
return;
}

A few helpful pointers:
Make sure you're running in elevated mode.
Make sure that the certificate has been uploaded to the LocalMachine\Personal store, not CurrentUser\Personal store.
Make sure that you've uploaded the .PFX file to the necessary Role, not .CER file to management certificates area. (You can remote into the instance to make sure that the cert is in the proper place)

Related

How to manage signed certificates with Azure Function V2

I am working on Azure Functions App on Consumption Plan. The Func App required to load a specific signed certificate.
In local machine I setup the certificate as personal certificate and everything works fine.
After publishing on azure, I am getting this error:
There are 0 certificates with the subject name cert.name in LocalMachine, MyUse scripts/certificates/ to generate this
Nothing helpful on SO or even in Azure Func documentation on how to use certificate with azure functions.
Anyone has experience with that?
I got it and it's pretty straight forward.
First go to platform features under your Function App and you should find SSL as shown below.
Then you can add a public, private or SSL certificate based on your needs. In my case I want to add a private Certificate which i already exported and have it's private key.
After uploading your certificate, go to your app settings and add this key/value:
WEBSITE_LOAD_CERTIFICATES: "Your Cert Thumbprint"
You should be able to load the certificate using this Thumbprint like this:
using System;
using System.Security.Cryptography.X509Certificates;
...
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your certificate's thumbprint
"000000000000000000000000000000000000000",
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
// Use certificate
Console.WriteLine(cert.FriendlyName);
}
certStore.Close();
...

Read Azure default wildcard certificate from ASP.NET Core

I'm putting up a staging environment in an Azure App Service. That sits under the Free Tier, where you cannot upload custom SSL certificates. In order to test my ASP.NET Core application setup, and specifically if it can correctly load a certificate from store, I'd like to try that without having to satisfy all requirements for a trusted certificate (change tier, get domain, get certificate, ...).
I'm aware about Let's Encrypt, but that would still force me to switch tier in order to add a certificate to Azure app service. Plus, I'm not sure you can create a certificate for a domain some-site.azurewebsites.net (I've read something somewhere against using anything related to azurewebsites.net for a custom certificate), so maybe that would also need a custom domain anyway.
I was wondering if there's a way to access, from application code, the default wildcard certificate that MS owns for *.azurewebsites.net. So something like grabbing MS Azure certificate thumbprint, storing it in WEBSITE_LOAD_CERTIFICATES app setting, then load it from store as done here in chapter 3. Access from app".
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
"insert-here-thumbprint-of-azure-default-cert",
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
// Use certificate
Console.WriteLine(cert.FriendlyName);
}
certStore.Close();
Is this doable? TA.
Apparently, another SO thread has the answer. The gist of it is:
You will not be able to access this certificate programmatically in your WebApp as this certificate is not really installed on the Azure WebApp.
Not sure if this should be closed as duplicate.

Azure App Service 502.5 error response when loading a certificate using X509Certificate2

I have a .NET Core application that I'm trying to deploy to Azure App Service. When I deploy and try to load the site I'm getting a 502.5 error response. From what I've read that means it's a permissions issue. I've tried printing the logs with stdout, but while it physically creating the log files, they are all empty.
So I started eliminating the problem by commenting out code. On ConfigureServices I'm loading a certificate:
var certificate = new X509Certificate2("mycertificate.pfx", "**********");
If I comment out this line, then the application loads. Once returned it gives the error again.
From console in the Azure portal I've tried giving mycertificate.pfx permissions using chmod 777 mycertificate.pfx, but it didn't seem to have any affect.
I'm not sure if the problem is loading that specific file or using X509Certificate2 at all.
How can I set it up to work?
How can I set it up to work?
1.Upload pfx Certificate to the Azure with azure portal. It is required service plan B or above. How to change service plan please refer to this document
Add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application.
You can have multiple comma-separated thumbprint values or can set this value to “ * “ (without quotes) in which case all your certificates will be loaded to your web applications personal certificate store
3.Access from WebApp
using System;
using System.Security.Cryptography.X509Certificates;namespace UseCertificateInAzureWebsiteApp
{
class Program
{
static void Main(string[] args)
{
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your cert's thumbprint
“E661583E8FABEF4C0BEF694CBC41C28FB81CD870”,
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
// Use certificate
Console.WriteLine(cert.FriendlyName);
}
certStore.Close();
}
}
}
We could get more info from document.

Unable to access my X509Certificate2's PrivateKey In Azure

I have my X509Certificate stored in a database (in byte[]) so that my application can retrieve the certificate and use it to sign my JWTs.
My x509Certificate is passed off a .pfx file that I generated on my machine, however now it sits in a database as a string of bytes.
My application works perfectly fine locally when I run it. The application can correctly create an instance of that X509Certificate2 and use it for my requirements, however the problem arises when I try to use it in my azurewebsites web application.
Basically I can not access the certificates' PrivateKey instance variable, I get an exception
System.Security.Cryptography.CryptographicException: Keyset does not exist
And I am re-instantiating the certificate with this
var cert = new X509Certificate2(myCertInBytes, myCertPass,
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.Exportable);
I am using ASPNET 5 rc1-update1. I have also tried running this on a different machine and it works fine, only have this issue when I publish to Azure. And to also add something else, This application was working when I was running the same project that was running using DNX version beta7
Any help appreciated.
The problem is the Azure Web Apps restricts access to the machines private key store, since it's a shared hosting environment, and you don't fully own the machine. As a workaround, you can load a cert. This blog post describes the best practice on how to do so:
https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
Please note that this only works for Basic Tier and above (not Free or Shared tier).
This can also be done from a .cer file as follows, however it should be noted that this is not best-practices since you're storing a secure credential with your code, in an insecure format.
public X509Certificate2 CertificateFromStrings(String certificateString64, String privateKeyXml)
{
try
{
var rsaCryptoServiceProvider = new RSACryptoServiceProvider();
rsaCryptoServiceProvider.FromXmlString(privateKeyXml);
var certificateBytes = Convert.FromBase64String(certificateString64);
var x509Certificate2 = new X509Certificate2(certificateBytes);
x509Certificate2.PrivateKey = rsaCryptoServiceProvider;
return x509Certificate2;
}
catch
{
return null;
}
}

Unable to load certificate instance from within Azure Worker Role

I have an Azure Worker Role that I wish to call the Management Service (e.g. REST API) and collect information regarding related services. However, when I try to load my certificate it fails to find it. Here are the steps I followed:
1. I created a certificate using MakeCert and registered it as my Management Certificate via the portal
makecert -r -pe -a sha1 -n "CN=MyCnName" -ss My -len 2048
-sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 MyCert.cer
2. Installed the cert on my local machine and everything works fine. When running the Worker Role locally I can call the Management Service with no problems.
3. Exported the cert from my machine and registered the exported certificate under the target Hosted Service via the portal
4. Deployed the Role. When the Role starts it fails to find the cert.
Here is an extract of the code I'm using to find the cert.
// Open the certificate store for the current user.
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); // I also tried localmachine
certStore.Open(OpenFlags.ReadOnly);
// Find the certificate with the specified subject.
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindBySubjectName,
_myConfiguration.SubjectName,
false);
if (certCollection == null || certCollection.Count < 1)
{
// Find the certificate with the specified thumbprint.
certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
_myConfiguration.ThumbPrint,
false);
}
// Close the certificate store.
certStore.Close();
// Check to see if a matching certificate was found.
if (certCollection.Count == 0)
{
_logger.Warn("No certificate found");
}
There is no exception, just no cert is found. Can anyone shed some light I what I need to do?
Figured out the problem... In addition to configuring the cert in the portal, I needed to add the certificate details (e.g. Name, Store, and Thumbprint) to the Azure Project Role settings under the Certificates Tab.
I have a similar problem for a web role, i have applied a workaround.
Connect with remote desktop to the VM where the service and
certificate are deployed
List item
Copy your cert or pfx on your
VM local disk (e.g C:)
Click on your pfx or .cert file and
install it on the specific certificate store "Trusted People")
Run your service, even if you are configured for search on a different
store you will find on trusted people
I don't know why my web role try to find the cert on this location if I am forcing to search on "My Store" location but the search method retrieve info from trusted people store.
The problem with this workaround is when you delete your deployment the cert and any other configuration will be wiped.
This piece of code could give you some information:
//the certificate must be in the Trusted People Store
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
//Commented
//Get the first available match from cert store
//X509Certificate2 cert = store.Certificates.Find(X509FindType.FindBySubjectName,
// subjectname,
// false)
// .Cast<X509Certificate2>()
// .FirstOrDefault();
X509Certificate2 cert = new X509Certificate2();
foreach (var ct in store.Certificates)
{
//Logger.TraceInformation(string.Format("Cert found: Subject {0} Tumbprt:{1}", ct.FriendlyName, ct.Thumbprint));
if (ct.SubjectName.Name.ToString().Contains("*.certnamexx.extensionxx"))
{
return new X509SecurityToken(ct);
}
}
}

Resources