Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

An Azure App Service cannot load a pfx certificate from the wwwroot filesystem

Tags:

certificate

ssl

asp.net-core

pfx

azure

I have a simple ASPNET-Core 2 web app on Azure App Services. When I try and load the pfx file, I get the following error:

WindowsCryptographicException: The system cannot find the file specified Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)

I'm trying to load a pfx file, which exists in the wwwroot folder.

Problematically, I have proven that the pfx file exists.

I then have tried to load the X509 cert via these two ways:

clientCertificate = new X509Certificate2(certificateByteArrayData, pfxPassword);

and

clientCertificate = new X509Certificate2(filePath, pfxPassword);

if I have a bad password, I get a correct-bad-password exception.

But with a (what I believe to be is) legit path + password or loaded bytes + password, I get that error, above.

It's like the certificate is trying to do some weird admin-type-thingy on the server and doesn't have permission? Which I don't understand because I have the cert there and I just want to use it?

I know there's other ways to do this with Loading SSL Certs or using Azure Vault or other people have found similar problems but are related to 'user stores' etc, while here I thought this has nothing to do with it?

like image 332
Pure.Krome Avatar asked May 28 '18 14:05

Pure.Krome

1 Answers

It looks like I had to add an extra parameter to say use the Machine storage.

// Byte array.
var clientCertificate = new X509Certificate2(certificateData, 
                                pfxPassword, 
                                X509KeyStorageFlags.MachineKeySet);

// File name
var clientCertificate = new X509Certificate2(pfxFileNameAndPath, 
                                pfxPassword, 
                                X509KeyStorageFlags.MachineKeySet);

This SO answer basically suggested the answer

Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.

Boom! That said, I still don't understand why it's trying to access some store considering I am giving the password and file.

/me shrug

like image 83
Pure.Krome Avatar answered Oct 20 '22 10:10

Pure.Krome
Sign in to Comment

Related questions

In Azure, how to allow non-subscription admins to create new resources
Calling Microsoft Graph API from inside Azure Functions
What does this Azure Search indexing error mean? "The property 'x' does not exist on type 'search.documentFields'..."
Azure Functions - Table Storage Trigger with Azure Functions
Azure Function used to write to queue - can I set metadata?
Azure function App settings is null after deployment
Persisting content across docker restart within an Azure Web App
How to mount azure datadisk in virtual machine
Track System.Diagnostics.Trace logs in Azure portal
Azure Keyvault add Function MSI via ARM
How can I manage robots.txt in Azure app service with a staging slot
Difference between Web API and Azure API APP in Visual Studio
Single Azure function multiple timer trigger
Azure AD B2C vulnerable to Open Redirect?
SQLInjection against CosmosDB in an Azure function
Azure function: Could not load file or assembly Microsoft.IdentityModel.Tokens, Version=5.2.1.0
Azure service bus - message going straight to dead letter queue
Disabling Ocp-Apim-Trace in the Azure API Management Services
Is there a limit on the amout of Azure Blob Storage SAS keys generated per hour?
How to set OpenIdConnect option prompt ="login" from Controller in .net core 2 application?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!