7

I have installed a .pfx to my Azure website using the management portal upload certificate.

I am now trying to access them using the code below:

// Requires: using System.Text; using System.Security.Cryptography.X509Certificates;
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates;

StringBuilder sb = new StringBuilder();

foreach (var certificate in certificates)
{
   sb.AppendLine(certificate.Subject);
}
store.Close();

When published to Azure, a bunch of certificates are listed, but not the one that I have uploaded.

The certificates listed are here:

CN=WW.azurewebsites.windows.net, OU=CIS(RD), O=Microsoft
CN=FullOSTransport
CN=client.geo.to.stamp.azurewebsites.windows.net
CN=ma.waws-prod-am2-005.azurewebsites.windows.net, OU=OrganizationName, O=Microsoft, L=Redmond, S=WA, C=US
CN=FullOSTransport
CN=FullOSTransport

I purchased the certificate from Verisign and it appears to be uploaded correctly and does appear in the 'HTTPS' bar in the browser (in Chrome).

Any help would be really appreciated as I'm at a loss here.

Update

It looks like we would need to convert to a Cloud Service for the above code to work. But can I add the certificates to my app_data folder as suggested here?

http://blog.tylerdoerksen.ca/2015/11/29/pfx-certificate-files-and-azure-web-apps/

This seems to work for Azure-Websites without the use of web roles.

Thanks

Tyler
davy
  • For Cloud Services (as a Web Role for example) you need to add the thumbprint of the certificate you want to access in your configuration file, in addition to the steps you are taking. My understanding of SSL certificates for Azure Websites is that it's only for encrypting HTTP traffic, so depending on what you are trying to do, you may need to go with Azure Cloud Services. Also, just in case, did you try other store locations? – Herve Roggero Jun 08 '14 at 15:26
  • Thanks. I need to sign some data that is being sent to a third party .asmx web service. Is this allowed with Azure Websites? If so, you are saying I need this thumbprint in my web.config? Would you know where I can find an example of this? – davy Jun 08 '14 at 15:36
  • Does it make any difference if you change the StoreLocation to My? – RichBower Jun 08 '14 at 17:17
  • No, tried a few different combinations. – davy Jun 08 '14 at 17:37
  • Actually, you need to create a new project of type Web Role. It's more than a standard website; it has its own configuration file in which you can specify the thumbprints that it recognizes. Here is an introduction to this type of project in Visual Studio; it contains a section on how to add a certificate thumbprint. Then your code would load the certificate by thumbprint. http://msdn.microsoft.com/en-us/library/hh369931.aspx – Herve Roggero Jun 08 '14 at 20:21
  • Keep in mind too that you deploy web roles in a cloud service in Azure, not a WebSite. – Herve Roggero Jun 08 '14 at 20:21
  • @davy, if you are actually talking about Azure Websites and not web roles you should re-tag your question. The certificates you can add to an Azure Website are only used for the (externally terminated) SSL bindings and are not available on your website's machine. – Simon Opelt Jun 08 '14 at 20:22
  • Thanks to all of you. Actually, I have no access to Azure for this project, which makes things difficult. Would you advise converting the entire website to a cloud service, or could we create a cloud service that will contain the SSL configuration and my code to access the X509Store, and then have our existing website call out to that? – davy Jun 09 '14 at 08:36
  • Not sure if this is going to help you in full, but I have done similar stuff; rather than from App_Data, the certificate was coming from a SQL database. http://stackoverflow.com/questions/5980368/wcf-certificate-store-from-sql-server-database – activebiz Jun 18 '14 at 10:10

2 Answers

9

I have faced a similar issue; below is the solution that worked for me.

Solution:

Once you have uploaded your certificate through the Azure portal, you need to add an app setting (also through the portal) called WEBSITE_LOAD_CERTIFICATES and set its value to the thumbprint of your uploaded certificate. This can be a comma-separated list of multiple thumbprints if you want, or even * to load all your uploaded certificates.

Then load your certificate using the code below.

// Note the store location: CurrentUser, not LocalMachine.
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
// YOUR_THUMBPRINT is the thumbprint string shown in the portal; validOnly is false
// so the certificate is returned even if its chain is not trusted on the worker.
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, YOUR_THUMBPRINT, false);
store.Close();
Abhinav
srikanth4u2
  • I've spent 2 days on this issue and for whatever reason this worked for me. I am deploying my ASPNET 5 rc1 (now Core) app to Azure and it could not pick up the certs in my startup procedure. Added the app setting and the wildcard to my deployment and it worked. – Lutando Feb 03 '16 at 09:15
  • This doesn't work for me; I haven't been able to find the reason for a week. – omeralper Jun 25 '16 at 14:23
  • I just found out that I was using StoreLocation.LocalMachine instead of CurrentUser. Now it is working. Thanks. – omeralper Jun 25 '16 at 14:53
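The lookup the accepted answer and its comments describe, written out as an added example (not code from the answer or from Azure): it reads from CurrentUser\My by thumbprint, reports the WEBSITE_LOAD_CERTIFICATES setting when nothing is found, checks that a private key is present, and signs a payload, which is what the question asker needed. Thumbprint normalization and the class and method names are my assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class AppServiceCertificates
{
    // Thumbprints copied from a portal often carry spaces or invisible characters
    // (an assumption about the input, not something the answer states); keep only hex.
    public static string NormalizeThumbprint(string thumbprint) =>
        new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    public static X509Certificate2 LoadByThumbprint(string thumbprint)
    {
        string wanted = NormalizeThumbprint(thumbprint);
        // Azure Web Apps places uploaded certificates in CurrentUser\My, not LocalMachine.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because the chain may not be trusted on the worker.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, wanted, false);
            if (matches.Count == 0)
            {
                // App settings are surfaced to the site process as environment variables.
                string loaded = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES") ?? "<not set>";
                throw new InvalidOperationException(
                    $"Certificate {wanted} not in CurrentUser\\My; WEBSITE_LOAD_CERTIFICATES = '{loaded}'.");
            }
            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key: upload the .pfx, not a .cer.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Sign a payload with the certificate's RSA private key (RSA-SHA256, PKCS#1 v1.5).
    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null) throw new InvalidOperationException("Certificate key is not RSA.");
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }
}
```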
2

I have installed a .pfx to my Azure website using the management portal upload certificate.

I recently had to go through this process for an Azure Web Site, so these are the things I would try, in this order, to save time.

What you can do to debug

First, remote into the machine and find whether the certificate exists there. You can find that using mmc.exe and add certificates snap-in. See here for complete instructions.

In the case of an Azure Web Site, you have to enable the remote desktop by going into Azure Management Portal, and then create a session into the VM that has your Web Site deployed.

Deploying certificates

If the certificate does not exist, you will have to deploy it. For testing, you could do it manually by going into the VMs using the remote session and importing the certificate.

In the case of a Web Site, if you want it to be deployed automatically, you will have to update the service definition files for that role to make sure that the certificate will be deployed properly. Also, keep in mind that your certificate should be uploaded as a "Service Certificate" and not a "Management Certificate" if you want your roles to be able to use it. If you are using Visual Studio, you could also add it to your project and that may deploy it.

Permissions

Additionally, (and especially if you had manually deployed the certificate e.g. on a VM), you will need to check that IIS has permissions to access the certificate. This page here explains deploying certificates and how to give appropriate permissions. If your certificate is included in the deployment package, then this is not necessary as Azure Deployment will take care of it.

FYI: It works locally because the certificate already exists in the store your code is looking into, and there's nothing that is going to remove the certificate (unless you do it manually) to verify that if you deployed locally again, the certificate will be deployed again (assuming that your deployment locally and on Azure cloud is exactly the same). In many cases, the local environment and Azure cloud environment can be different (unfortunately), because Azure will provision clean VMs, and everything needs to be deployed properly. On the local machines, we have a lot of "leftovers".

Omer Iqbal
  • Sorry, I should have been clear that it is an Azure website. I can now access the certificates and can call the service locally, but not from Azure. – davy Jun 12 '14 at 16:19
  • Hi Davy, you were clear that it was an Azure-website, but what's not clear is whether it's *web role* vs a web-site on *Azure VMs*. Looks like it is a *web role*. In any case, the opinion I had provided for you to debug and deploy were based on my last experience while deploying certificates to use on Azure *web-roles*. I hope it helps you, but your experience could be different. – Omer Iqbal Jun 12 '14 at 17:19
  • @davy, sorry for the confusion. I logged into manage.windowsazure.com and figured out that Web Site is what used to be called a web role. I am still on the old terminology, so you were quite clear. I apologize. I updated my response for clarity, but since I was also deploying a Web Site, I think the way to check for certificates is the same. I wonder if this issue was resolved for you or not. – Omer Iqbal Jun 18 '14 at 03:13