Service Fabric: Authenticating with Azure KeyVault via cert: "KeySet does not exist"

This is the scenario I am trying to enable:

I wish to authenticate to an azure keyvault from my web service application (azure service fabric) via a client certificate.

These are the steps I'm following:

  1. Add a certificate to my keyvault in azure (self signed)
  2. Download certificate via azure powershell (pfx)
  3. Create Azure App Instance to identify my app
  4. Associate certificate with app
  5. Create service principal for the azure app
  6. Give principal access to keyvault

All looks good. When I spin up my service (local service fabric cluster), and try to connect to keyvault to retrieve a secret key+value that I have stored inside, I get error:

CryptographicException: "KeySet does not exist"

When I try to examine PrivateKey property value of the X509Certificate2 object at runtime, it throws the same exception.

The certificate is found, and the private key exists (I verified this via MMC as well as some command line tools).

What can I be missing? The only cause I can think of for this failure is that the service fabric user context (Network Service, I think) does not have permission to look at the private key? It is stored in the "LocalMachine" certificate store, under the "Personal" folder (also referred to as "My"). From what I know, applications should be able to read from the LocalMachine store without special permissions?

James Wierzba asked Oct 26 '17 22:10

1 Answer

An alternative, easier way to grant the NETWORK SERVICE user permission on the certificate's private key (easier than my other answer):

  1. Open certificate snap-in in MMC: WIN + R -> type mmc -> File -> Add/Remove Snap-in -> Add Certificates (Computer Account).
  2. Find your certificate -> Right click and choose All Tasks/Manage Private Keys
  3. Grant Read Permission for NETWORK SERVICE user
James Wierzba answered Oct 26 '22 03:10
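The MMC steps in this answer can also be scripted. The PowerShell below is an added example, not part of the original answer: run from an elevated prompt, it locates the key container file behind a LocalMachine\My certificate and adds a Read-only ACE for NETWORK SERVICE, which is what "Manage Private Keys" does under the hood. The thumbprint is a placeholder; the key directories are the standard machine-key locations for CSP (RSA\MachineKeys) and CNG (Crypto\Keys) keys.

```powershell
# Added example: grant NETWORK SERVICE read access to a certificate's private key.
# Run as Administrator. Equivalent to MMC -> All Tasks -> Manage Private Keys.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT',   # placeholder
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)              { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# GetRSAPrivateKey works for both legacy CSP keys and CNG keys; $cert.PrivateKey
# alone throws for CNG-stored keys, which is one way "KeySet does not exist" shows up.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

$keyPath = Join-Path $keyDir $keyName
if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

# Least privilege: Read is all the service needs to use the key; no FullControl.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the ACE landed so a failed grant is not mistaken for a code bug.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the certificate was imported with an exportable/user-scoped key, check which store and provider actually hold it before trusting the path; the script throws rather than silently editing the wrong file.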