
I'm trying to instantiate a X509Certificate2 object in a Web Job, in an Azure App Service. The certificate is a PFX file.

When I try to instantiate like this, it fails to use the object in a WS call:

new X509Certificate2(byteArray, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.EphemeralKeySet)

By failing, I mean it starts throwing: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

But when I try like this, the WS works correctly:

new X509Certificate2(byteArray, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.UserKeySet)

The only difference is the use of X509KeyStorageFlags.EphemeralKeySet. The app is running on .Net Framework 4.7.2. Does anybody know why this happens?

A little explanation: we've had an issue with disk space in the App Service and we've read in some articles and in some SO questions/answers that this could have been caused by the fact that Windows writes to disk all certificates read, thus consuming a lot of space.

One example is this question.

1 Answer

SslStream, on Windows, can't work with EphemeralKeySet keys. The underlying reason is that Windows doesn't do TLS in-proc, but does all of the crypto operations in a different process. Their current functionality doesn't try to export/transport ephemeral keys to that other process, so it fails on the other side with "I can't find the private key".

bartonjs
  • Thanks for your answer. You mentioned "on Windows", but I forgot to write that this works on an Azure VM. Didn't you want to say "on App Service" instead of "on Windows"? – user16735407 Oct 20 '21 at 17:46
  • Nope, “on Windows”. If it works on your VM then the VM isn’t using Windows, Windows has finally changed the TLS provider to make that work, or something in the middle is detecting that you’re in that state and doing exciting compact work (like exporting and reimporting the cert+key). But for a direct call to SslStream, it’s “on Windows” to the best of my knowledge. – bartonjs Oct 20 '21 at 20:11
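An added example (not code from the question or from bartonjs's answer) that separates the two cases discussed in this thread: in-proc RSA operations succeed with an EphemeralKeySet key, while the certificate handed to the Windows TLS stack needs a persisted key, which is disposed after use so the key container written to disk does not accumulate. The class, method names and the "constructed sample payload" are made up for this example; the caller is assumed to supply the PFX bytes and password.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class PfxKeyStorageDemo
{
    // Case 1: crypto done inside this process. An ephemeral key never touches disk and
    // is fully usable here, so this succeeds even though the same key fails for TLS.
    public static bool EphemeralKeySignsInProc(byte[] pfxBytes, string password)
    {
        using (var cert = new X509Certificate2(pfxBytes, password, X509KeyStorageFlags.EphemeralKeySet))
        using (RSA priv = cert.GetRSAPrivateKey())
        {
            if (priv == null) return false; // PFX carried no RSA private key
            byte[] data = Encoding.ASCII.GetBytes("constructed sample payload");
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (RSA pub = cert.GetRSAPublicKey())
                return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Case 2: TLS client authentication. On Windows the TLS provider runs out of process and
    // must be able to find the private key itself, so the key has to be persisted (no
    // EphemeralKeySet). Without PersistKeySet the key container is removed again when the
    // certificate is disposed, which is what keeps the on-disk key store from growing.
    public static X509Certificate2 LoadForTls(byte[] pfxBytes, string password)
    {
        return new X509Certificate2(pfxBytes, password, X509KeyStorageFlags.MachineKeySet);
    }

    // Hypothetical call site: the certificate lives exactly as long as the handler that uses
    // it; the using blocks guarantee the key container is cleaned up after the call.
    public static HttpClient CreateClientWithCertificate(byte[] pfxBytes, string password, out X509Certificate2 cert)
    {
        cert = LoadForTls(pfxBytes, password);
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(cert);
        return new HttpClient(handler, disposeHandler: true);
    }
}
```

Dispose the certificate returned through `cert` together with the HttpClient; a certificate that is never disposed is the usual cause of the key-store disk growth the question describes.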