Reputation: 2063
I am developing an Azure Function which needs to load a certificate from a secured Base 64 string. The certificate is protected by a key. The certificate and the password are stored in an Azure Key Vault.
When I try to load the certificate from the Function, I get errors in both v1 and v2 Functions.
Here is the code used to load the certificate:
var certificate = new X509Certificate2(Convert.FromBase64String(certificateBase64), certificatePassword);
With this code for .Net I have a strange issue I can reproduce locally. The issue is linked to .Net 4.6.1. In .Net Core 2.0, it works fine locally (in Azure Function CLI), but I got a strange issue regarding a file not found (https://github.com/dotnet/corefx/issues/11042)
As mentioned at the end of the previous post, I tried the X509KeyStorageFlags.EphemeralKeySet flag.
var certificate = new X509Certificate2(Convert.FromBase64String(certificateBase64), certificatePassword, X509KeyStorageFlags.EphemeralKeySet);
The flag is not yet available for .Net Core 2 (https://github.com/dotnet/corefx/issues/24454), nor in .Net 4.6.1, the framework used by Azure Functions.
Is there a way to force the .Net Framework used by an Azure Function v1? Is there any simple workaround in .Net Core 2.0, without storing the certificate as a file on the Function?
Upvotes: 2
Views: 2254
Reputation: 2063
After many tries, I found a solution. The flag X509KeyStorageFlags.MachineKeySet must be used. It worked for both Function App V1 (.Net 4.6.1) and Function App V2 (.Net Core 2):
var certificate = new X509Certificate2(Convert.FromBase64String(certificateBase64), certificatePassword, X509KeyStorageFlags.MachineKeySet);
Upvotes: 4
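The load from the answer above, wrapped as an added example (not code from the original post) that checks for the private key, clears the decoded PFX buffer, and disposes the certificate so that, on Windows, the non-persisted key file is cleaned up. `PfxLoader`, `Load`, and the sample subject and password are hypothetical names and constructed values; the `Main` uses `CertificateRequest`, which assumes .NET Core 2.0+ or .NET Framework 4.7.2+, only to build a throwaway PFX in place of the Key Vault secrets.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PfxLoader
{
    // Hypothetical helper (not from the post): decode a Base64 PFX and import it
    // into the machine key store, as the answer does.
    public static X509Certificate2 Load(string pfxBase64, string password)
    {
        byte[] raw = Convert.FromBase64String(pfxBase64);
        try
        {
            // MachineKeySet avoids the per-user key store. PersistKeySet is
            // deliberately NOT set, so the key is temporary and is removed
            // when the certificate object is disposed.
            var cert = new X509Certificate2(raw, password, X509KeyStorageFlags.MachineKeySet);
            if (!cert.HasPrivateKey)
            {
                cert.Dispose();
                throw new InvalidOperationException("PFX contains no private key.");
            }
            return cert;
        }
        finally
        {
            Array.Clear(raw, 0, raw.Length); // wipe our copy of the PFX bytes
        }
    }

    public static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate exported
        // to a password-protected PFX, standing in for the Key Vault values.
        const string password = "constructed-password";
        string pfxBase64;
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-sample", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 tmp = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1)))
                pfxBase64 = Convert.ToBase64String(tmp.Export(X509ContentType.Pfx, password));
        }
        // Dispose when done so the temporary key does not linger on disk.
        using (X509Certificate2 cert = Load(pfxBase64, password))
            Console.WriteLine($"{cert.Subject} hasPrivateKey={cert.HasPrivateKey}");
    }
}
```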