Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Client certificate authentication and CA certificate in Azure

I need to authenticate requests to Azure Cloud Service Web Role using client certificates. How to put the Certification Authority (CA) root certificate in a right trusted store?

I tried to upload it in Management Portal and then defining it in service definition file with AuthRoot store name:

<Certificate name="RootCA" storeLocation="LocalMachine" storeName="AuthRoot" />

What's really strange is that it works... but only sometimes. It may work after an instance reboot, but may not work after a service update or another instance reboot. It seems like a bug in Azure.

When I say "works" I mean server successfully accepts the client certificate and processes the request. When I say "doesn't work" I mean server doesn't negotiate a connection after certificate checks and "The request was aborted: Could not create SSL/TLS secure channel." exception is thrown on a client side.

How to make it working stable?

UPD:

Found this record in System Windows Event Log (source is Schannel):

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

like image 793
alexey Avatar asked Feb 11 '13 12:02

alexey


1 Answers

The exact problem is described here: http://support.microsoft.com/kb/2801679.

After December 2012 Windows update a lot of certificates were added to AuthRoot store. So we have to remove them to solve the problem.

To make it I use PowerShell startup task:

Get-ChildItem -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates | Where-Object {$_.Name -notlike "*\<YOUR_CERTIFICATE_THUMBPRINT>"} | Remove-Item

To run it from CMD startup task:

PowerShell -ExecutionPolicy Unrestricted .\Startup.ps1
exit /b %errorlevel%    

And in ServiceDefinition.csdef:

<WebRole name="Web">
  <Startup>
    <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple" />
  </Startup>
  <!-- ... ->
</WebRole>
like image 94
alexey Avatar answered Oct 02 '22 00:10

alexey