An Azure App Service cannot load a pfx certificate from the wwwroot filesystem

I have a simple ASPNET-Core 2 web app on Azure App Services. When I try and load the pfx file, I get the following error:

WindowsCryptographicException: The system cannot find the file specified Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)

I'm trying to load a pfx file, which exists in the wwwroot folder.

Problematically, I have proven that the pfx file exists.

I then have tried to load the X509 cert via these two ways:

clientCertificate = new X509Certificate2(certificateByteArrayData, pfxPassword);

and

clientCertificate = new X509Certificate2(filePath, pfxPassword);

if I have a bad password, I get a correct-bad-password exception.

But with a (what I believe to be is) legit path + password or loaded bytes + password, I get that error, above.

It's like the certificate is trying to do some weird admin-type-thingy on the server and doesn't have permission? Which I don't understand because I have the cert there and I just want to use it?

I know there's other ways to do this with Loading SSL Certs or using Azure Vault or other people have found similar problems but are related to 'user stores' etc, while here I thought this has nothing to do with it?

Pure.Krome asked May 28 '18 14:05

1 Answer

It looks like I had to add an extra parameter to say use the Machine storage.

using System.Security.Cryptography.X509Certificates;

// Option 1: from a byte array.
var clientCertificate = new X509Certificate2(certificateData,
                                             pfxPassword,
                                             X509KeyStorageFlags.MachineKeySet);

// Option 2: from a file name.
var clientCertificate = new X509Certificate2(pfxFileNameAndPath,
                                             pfxPassword,
                                             X509KeyStorageFlags.MachineKeySet);

This SO answer basically suggested the answer

Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.

Boom! That said, I still don't understand why it's trying to access some store considering I am giving the password and file.

/me shrug

Pure.Krome answered Oct 20 '22 10:10
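A small loader that applies the MachineKeySet fix from the answer above, added here as an example and not the asker's own code. It assumes the PFX path and password are handed in by the caller (for instance from app settings rather than hard-coded) and checks the loaded certificate actually carries a private key before returning it.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical helper), not code from the question or answer.
public static class PfxLoader
{
    public static X509Certificate2 Load(string pfxPath, string pfxPassword)
    {
        // Fail early with a clear message instead of the generic
        // "The system cannot find the file specified" from the CSP layer.
        if (!File.Exists(pfxPath))
            throw new FileNotFoundException("PFX file not found on disk", pfxPath);

        // MachineKeySet places the imported private key in the machine-level
        // CSP key database. The default is the current user's key store, which
        // the App Service worker process is not permitted to access, and that
        // is what produced the error in the question even with a correct
        // password and an existing file.
        var flags = X509KeyStorageFlags.MachineKeySet;

        var cert = new X509Certificate2(pfxPath, pfxPassword, flags);

        // A PFX that imported without its private key is useless as a client
        // certificate, so treat that as a hard error rather than a surprise later.
        if (!cert.HasPrivateKey)
        {
            cert.Dispose();
            throw new InvalidOperationException("PFX contains no private key");
        }

        if (cert.NotAfter < DateTime.UtcNow)
        {
            cert.Dispose();
            throw new InvalidOperationException("Certificate has expired");
        }

        return cert;
    }
}
```

Callers own the returned certificate and should dispose it when finished, since the private key handle is an OS resource.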