For years I was able to upload new pfx files for SSL binding on Azure App Services using the OpenSSL creation method in this Stack Overflow answer:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
However, doing the same now provides this error:
At least one certificate is not valid (Certificate failed validation because it could not be loaded.)
What ways can this issue be resolved?
App Service private certificates must meet the following requirements:
OpenSSL 3+ no longer uses DES encryption as a default. The original command needs the -legacy and -provider-path (path to legacy.dll) arguments appended:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -legacy -provider-path 'C:\Program Files\OpenSSL-Win64\bin'
If for some reason your OpenSSL installation does not contain the legacy provider:
Open PowerShell and run this command, replacing -FilePath with the path to your non-working pfx file, and the password -String argument with its respective password:
Import-PfxCertificate -FilePath "pfx file path" -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force) -Exportable
A successful output will look like:
Use this thumbprint to export the cert to a new pfx file, replacing the -Cert, -FilePath, and password -String arguments:
Export-PfxCertificate -Cert Microsoft.PowerShell.Security\Certificate::LocalMachine\My\B56CE9B122FB04E29A974A4D0DB3F6EAC2D150C0 -FilePath 'newPfxName.pfx' -Password (ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force)
Azure should now be able to validate the new pfx file output.
For me, the issue was simply solved by changing the password. My previous password had special characters, which I then changed to only alphabetic letters.