28

When I was using the web role I was just uploading the certificate in the Azure portal and I was able to see it. Now I have switched to the website in Azure and I uploaded the certificate in the Azure management portal, but my code does not see it at all.

Is there some configuration we need to do, or some other way to access uploaded certs in Azure web sites?

This is how I am trying to access the uploaded cert.

using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

private List<string> GetAvailableCertificatesFromStore()
{
    var list = new List<string>();
    // Open the machine-wide personal store read-only (this is where the
    // uploaded certificate is expected to appear, as it did for the web role).
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    try
    {
        foreach (var cert in store.Certificates)
        {
            // todo: add friendly name
            list.Add(string.Format("{0}", cert.Subject));
        }
    }
    finally
    {
        store.Close();
    }

    return list;
}
abatishchev
sp9

2 Answers

82

Using certificates in an Azure WebSite works differently to how it does in a local copy of IIS or even when running a web site in debug mode from Visual Studio. In short, the website does not have access to a certificate store in the traditional sense of the term ... it is all done in memory.

Firstly, once you have uploaded your certificate through the Azure portal you need to add an appsetting (also through the portal) called WEBSITE_LOAD_CERTIFICATES and set the value for this to the thumbprint of your uploaded certificate. This can be a comma separated list of multiple thumbprints if you want, or even * to load all your uploaded certificates. I'm presuming this forces the certificates to be loaded into memory.

To then load your certificate, you can do the following:

using System.Security.Cryptography.X509Certificates;

// Note the CurrentUser location: that is where the website exposes the loaded certificates.
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

// YOUR_THUMBPRINT is the hex thumbprint you put in WEBSITE_LOAD_CERTIFICATES.
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, YOUR_THUMBPRINT, false);

Change the 'false' to 'true' if you want to ensure the certificate is valid.

I found this information here, which explains it much better than I have: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/

watashiSHUN
S.Armstrong
  • 1
    Damn. Spent like 3 hours. My parameter name was different (not WEBSITE_LOAD_CERTIFICATES). Thanks – Ilya Schukin Nov 30 '15 at 21:17
  • 3
    After spending days, I found out the problem is StoreLocation.CurrentUser not StoreLocation.LocalMachine ! – omeralper Jun 25 '16 at 14:52
  • 2
    I am not able to read the private key using the above code, can anyone help regarding this. I am trying to read the private key to use in decryption of data. I even tried the `cert.PrivateKey.ToXmlString(true)` – Saravanan Apr 28 '17 at 05:15
  • 4
    FYI, if you are using a list of thumbprints but things are still not working you should check your strings for invisible characters. I just discovered that one of my listed thumbprints had an 0x200E char in it. The server error was infuriating because everything looked correct. The problem was literally invisible! If you store some of those app settings in the web.config you can discover the existence of invisible characters on the server in the Kudu console for that web app. The invisible character is displayed as a very tiny, grey dot. – Taul Jan 26 '18 at 23:28
  • 4
    Oddly enough, _WEBSITE_LOAD_CERTIFICATES_ has to be added via the _Application settings_ in the portal (does not work if you add it in your Web.config) – Thibault D. Aug 01 '18 at 07:28
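The accepted answer and its comments together describe the whole procedure: upload the certificate, set WEBSITE_LOAD_CERTIFICATES, then look it up by thumbprint in the CurrentUser\My store, and watch out for invisible characters in the thumbprint string. The following helper is an added example that is not code from the question or any answer; it assumes the certificate was uploaded through the portal with its private key (a PFX), that WEBSITE_LOAD_CERTIFICATES lists its thumbprint or `*`, and that app settings are visible to the process as environment variables (which Azure App Service does). The class and method names are my own.

```csharp
// Added example, not from the original question or answers.
// Assumes: cert uploaded via the portal, WEBSITE_LOAD_CERTIFICATES set to its
// thumbprint (or "*"), and app settings surfaced as environment variables.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class WebSiteCertificates
{
    // Keeps only hex digits so spaces, dashes and invisible characters such as
    // U+200E (the problem Taul hit above) cannot break the store lookup.
    public static string NormalizeThumbprint(string thumbprint)
    {
        if (thumbprint == null) throw new ArgumentNullException(nameof(thumbprint));
        var hex = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        if (hex.Length != 40)
            throw new ArgumentException(
                "A SHA-1 thumbprint is 40 hex characters; got " + hex.Length, nameof(thumbprint));
        return hex;
    }

    // Loads the certificate from CurrentUser\My, which is where Azure Web Sites
    // expose the certificates named in WEBSITE_LOAD_CERTIFICATES.
    // validOnly = true rejects expired or untrusted certificates (the safer default);
    // requirePrivateKey = true catches a .cer upload when a PFX was needed.
    public static X509Certificate2 Load(string thumbprint, bool validOnly = true, bool requirePrivateKey = true)
    {
        var hex = NormalizeThumbprint(thumbprint);
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, hex, validOnly);
            if (matches.Count == 0)
            {
                // Surface the app setting in the error so a misconfiguration is obvious in the log.
                var loadList = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES") ?? "<unset>";
                throw new InvalidOperationException(
                    "Certificate " + hex + " not found in CurrentUser\\My. " +
                    "WEBSITE_LOAD_CERTIFICATES is '" + loadList + "'; it must list this thumbprint or '*'.");
            }

            var cert = matches[0];
            if (requirePrivateKey && !cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + hex + " was loaded without a private key; upload a PFX rather than a .cer.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Typical use is `var cert = WebSiteCertificates.Load(ConfigurationManager.AppSettings["MyCertThumbprint"]);` at startup, so that a missing setting, a stray invisible character, or a certificate uploaded without its private key fails loudly with a message naming the cause, rather than surfacing later as an empty collection or a CryptographicException deep in the decryption path.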
11

UPDATE - July 23 2015: This answer is now obsolete (It was correct at the time it was provided though). Please see S Armstrong's answer below.

Things work differently in Azure Cloud Services (Web/Worker Roles) and Azure Websites. In Azure Cloud Services when you upload a certificate through management portal and specify that certificate's thumbprint and install location in your role's properties, when your role is deployed in a VM the fabric controller responsible for it also installs these certificates automatically for you. This is the reason the code above works in a web role.

In a website, you would need to do this on your own. Unfortunately, because of security restrictions in an Azure website, you just can't install a certificate in the certificate store. To work with certificates, you would need to include the certificate's PFX file along with your code and work with that certificate file. You can't install the certificate in the certificate store.

In whatever little work I have done with Azure Website and Certificates, I have found that the certificate only works if the PFX file is included in AppData folder. Also you may run into errors like CryptographicException: The system cannot find the file specified. If you run into this error, you may find this blog post useful: http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/

Gaurav Mantri
  • As far as I can tell you are 100% correct. The certs uploaded through the portal are not even installed into a store. They appear to be loaded into memory through some other means during IIS startup. – Adrian Hope-Bailie Jul 29 '14 at 21:25
  • 3
    This answer is out of date. Please see S.Armstrong's answer below – Zain Rizvi Jul 22 '15 at 20:15