SSL Certificate not in X509Store when uploaded to Azure Website

I have installed a .pfx to my Azure website using the management portal upload certificate.

I am now trying to access them using the code below:

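using System.Security.Cryptography.X509Certificates;
using System.Text;

// Open the machine-wide personal store read-only and list every subject in it
X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certificateStore.Open(OpenFlags.ReadOnly);
var certificates = certificateStore.Certificates;

StringBuilder sb = new StringBuilder();

foreach (var certificate in certificates)
{
   sb.AppendLine(certificate.Subject);
}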

When published to Azure, a bunch of certificates are listed but not the one that I have uploaded.

The certificates listed are here:

CN=WW.azurewebsites.windows.net, OU=CIS(RD), O=Microsoft
CN=FullOSTransport
CN=client.geo.to.stamp.azurewebsites.windows.net
CN=ma.waws-prod-am2-005.azurewebsites.windows.net, OU=OrganizationName, O=Microsoft, L=Redmond, S=WA, C=US
CN=FullOSTransport
CN=FullOSTransport

I purchased the certificate from Verisign and it appears to be uploaded correctly and does appear in the 'HTTPS' bar in the browser (in Chrome).

Any help would be really appreciated as I'm at a loss here.

Update

It looks like we would need to convert to a Cloud Service for the above code to work. But can I add the certificates to my app_data folder as suggested here?

http://blog.tylerdoerksen.ca/2015/11/29/pfx-certificate-files-and-azure-web-apps/

This seems to work for Azure-Websites without the use of web roles.

Thanks

davy asked Jun 08 '14 14:06


2 Answers

I have installed a .pfx to my Azure website using the management portal upload certificate.

I recently had to go through this process for an Azure Web Site, so these are the things I would try, in this order, to save time.

What you can do to debug?

First, remote into the machine and find whether the certificate exists there. You can find that using mmc.exe and adding the Certificates snap-in. See here for complete instructions.

In the case of an Azure Web Site, you have to enable the remote desktop by going into Azure Management Portal, and then create a session into the VM that has your Web Site deployed.

Deploying certificates

If the certificate does not exist, you will have to deploy it. For testing, you could do it manually by going into the VMs using the remote session and importing the certificate.

In the case of a Web Site, if you want it to be deployed automatically, you will have to update the service definition files for that role to make sure that the certificate will be deployed properly. Also, keep in mind that your certificate should be uploaded as a "Service Certificate" and not a "Management Certificate" if you want your roles to be able to use it. If you are using Visual Studio, you could also add it to your project and that may deploy it.

Permissions

Additionally, (and especially if you had manually deployed the certificate e.g. on a VM), you will need to check that IIS has permissions to access the certificate. This page here explains deploying certificates and how to give appropriate permissions. If your certificate is included in the deployment package, then this is not necessary as Azure Deployment will take care of it.

FYI: It works locally because the certificate already exists in the store your code is looking into, and there's nothing that is going to remove the certificate (unless you do it manually) to verify that if you deployed locally again, the certificate will be deployed again (assuming that your deployment locally and on Azure cloud is exactly the same). In many cases, the local environment and Azure cloud environment can be different (unfortunately), because Azure will provision clean VMs, and everything needs to be deployed properly. On the local machines, we have a lot of "leftovers".

Omer Iqbal answered Sep 28 '22 08:09


I faced a similar issue; below is the solution that worked for me.

Solution:

Once you have uploaded your certificate through the Azure portal, you need to add an app setting (also through the portal) called WEBSITE_LOAD_CERTIFICATES and set its value to the thumbprint of your uploaded certificate. This can be a comma-separated list of multiple thumbprints if you want, or even * to load all your uploaded certificates.

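Then load your certificate using the code below.

// Open the current user's personal store (not LocalMachine as in the question)
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

// validOnly is false, so the certificate is returned even if it does not validate
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, YOUR_THUMBPRINT, false);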

srikanth4u2 answered Sep 28 '22 10:09