
I have some difficulties in managing Azure certificates from my code. Indeed, I'm trying to use the Azure REST Services API (e.g. creating HTTP requests) in order to know my services' state from my Azure web site.

It works well in local debugging, but my web role seems to have some limitation with the certificates manager. Below is what I do:

// this method stores a certificate from the resources
// to the local certificates manager
// (needs: using System.Security.Cryptography.X509Certificates;)
private X509Certificate2 StoreCertificate(Certificates certName)
{
    // get certificate from resources
    X509Certificate2 newCert = this.GetCertificateFromResources(certName);

    // store it into the local certificate manager
    if (newCert != null)
    {
        // X509Store wraps a native store handle: always Close() it, even on failure
        var store = new X509Store(
               StoreName.TrustedPeople,
               StoreLocation.LocalMachine
            );
        try
        {
            // opening a LocalMachine store for writing is where "Access is denied" is raised
            store.Open(OpenFlags.ReadWrite);
            store.Add(newCert);
        }
        finally
        {
            store.Close();
        }
    }

    // drop the resource copy and try to load the certificate back from the manager
    newCert = this.GetCertificate(certName);

    return newCert;
}

An "Access is denied" error happens when I try to add the certificate.

Any idea? Can I store certificates into the Azure VM? Should I use a special location to store those?
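As an added example (not code from the question or from any of the answers): the method below looks up a certificate by thumbprint, which is the approach the later self-answer ends up with, opens the store read-only so it never needs the write access that produced "Access is denied", checks that the private key is present, and then presents the certificate as a client certificate to a Service Management REST call. The store location (LocalMachine\My), the `x-ms-version` value, the subscription id and the thumbprint are assumptions or placeholders, not values taken from the page.

```csharp
// Added example, not the poster's code. Assumes the certificate was installed
// into LocalMachine\My; SubscriptionId and Thumbprint are placeholders.
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class ManagementClient
{
    // Placeholders: substitute your own subscription id and certificate thumbprint.
    private const string SubscriptionId = "<subscription-id>";
    private const string Thumbprint = "<certificate-thumbprint>";

    // Thumbprints copied from the certificate dialog often carry spaces or a hidden
    // left-to-right mark; keep only hex digits so FindByThumbprint gets an exact match.
    public static string NormalizeThumbprint(string raw)
    {
        return Regex.Replace(raw ?? string.Empty, "[^0-9A-Fa-f]", "").ToUpperInvariant();
    }

    // Read-only access is enough to load a certificate; ReadWrite is only needed
    // to add or remove entries, which is the operation that was denied in the question.
    public static X509Certificate2 FindCertificate(string thumbprint,
        StoreName storeName = StoreName.My,
        StoreLocation storeLocation = StoreLocation.LocalMachine)
    {
        var store = new X509Store(storeName, storeLocation);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly: false, because a self-signed makecert certificate has no
            // trusted chain and would be silently filtered out by validOnly: true.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, NormalizeThumbprint(thumbprint), validOnly: false);
            if (matches.Count == 0)
            {
                return null;
            }
            var cert = matches[0];
            if (!cert.HasPrivateKey)
            {
                // Uploading only the .cer installs the public half; client auth needs the .pfx.
                throw new InvalidOperationException(
                    "Certificate " + cert.Thumbprint + " has no private key in " +
                    storeLocation + "\\" + storeName + ".");
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // List the hosted services of the subscription using the management certificate.
    public static string ListHostedServices()
    {
        var cert = FindCertificate(Thumbprint);
        if (cert == null)
        {
            throw new InvalidOperationException("Management certificate not found in the store.");
        }

        var uri = "https://management.core.windows.net/" + SubscriptionId + "/services/hostedservices";
        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Method = "GET";
        // Assumed API version; any version the operation supports works here.
        request.Headers.Add("x-ms-version", "2012-03-01");
        request.ClientCertificates.Add(cert);

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
        catch (WebException ex)
        {
            // A 403 at this point means the store lookup succeeded but the presented
            // certificate is usually not registered as a management certificate for the subscription.
            var response = ex.Response as HttpWebResponse;
            if (response != null && response.StatusCode == HttpStatusCode.Forbidden)
            {
                throw new InvalidOperationException(
                    "403 Forbidden: certificate " + cert.Thumbprint +
                    " is not accepted as a management certificate for subscription " + SubscriptionId + ".", ex);
            }
            throw;
        }
    }
}
```

Separating the store lookup from the REST call makes the two failure modes on this page distinguishable: a null or exception from `FindCertificate` is a local store or permissions problem, while a 403 from `ListHostedServices` comes back from the service with the certificate already loaded. Writing to a LocalMachine store from a Cloud Service role is a separate matter and requires the role to run elevated, which is declared with `<Runtime executionContext="elevated" />` in ServiceDefinition.csdef.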



Are you using a Cloud Service (web/worker role)? If so, which OS family? I've seen some reports that with a worker role using OS family 3, you need to run the role with elevated permissions in order to read certs from the local cert store. Not sure if that applies to web roles as well and adding to the cert store.

Has the service cert been added via the Azure management portal as well (or via the REST API or PowerShell)?

mcollier
  • The point about _"elevated permissions"_ was what I needed - thanks. You mention that you have seen some reports on the elevated permissions being needed - do you have any references to that? – Lasse Christiansen Jun 07 '14 at 16:49

Well, I have found a lot of things:

  1. I was deploying my code to a web site, so I cannot add a certificate to the shared VM in Azure
  2. I have tried to connect to the VM in a remote desktop session and I added a certificate manually.

Even in this case, I have a (403) Forbidden error in an InvalidOperationException.

So here is the current state:

  • a certificate has been created (makecert) and added manually to the VM that hosts my web role (deployed in a service)
  • this certificate has been uploaded to both the Azure Account certificates and to the Azure service certificates (the one that deploys my web role)
  • the thumbprint of this certificate has been added in my code and I can access the certificate when my code is executed

So 2 questions:

  1. Is there something I should do with my certificate?
  2. When I try my web role locally in the Azure emulator, everything works. Is there a special setting to update during the publish/deploy step?

Thanks for your help.


In order to save the time of other developers, here is what I did to solve the main problem:

  1. connect to the VM that deploys the web role: see there
  2. create the certificate: see there
  3. Eventually, play with the certificates manager (mmc.exe)

Then the certificate is available from the code.

  • Thank you. I had this exact same problem and had been struggling with it for quite some time until I found this post. – Doug Jul 29 '13 at 21:30