Reputation: 67
I'm migrating from an ARM template to the C# Azure SDK deployment option and have a problem translating the use of an existing certificate into a new resource group. I have an SSL certificate stored in a specific resource group and Key Vault. I have 3 environments in 3 other resource groups, created with an ARM template, that use this certificate (web app SSL bindings). When I go to my certificate in the Azure portal, I can see the private certificate is linked to my 3 resource groups.
This chunk of JSON imports the SSL certificate into the new resource group:
{
    "type": "Microsoft.Web/certificates",
    "name": "MyCert",
    "apiVersion": "2016-03-01",
    "location": "[variables('Location')]",
    "properties": {
        "keyVaultId": "[parameters('keyvaultId')]",
        "keyVaultSecretName": "[parameters('KeyvaultSecretName')]",
        "thumbprint": "[parameters('certThumbprint')]"
    },
    "dependsOn": [
        "[concat('Microsoft.Web/serverfarms/', variables('WebAppAppPlanName'))]"
    ]
},
Using this chunk of JSON, I create the SSL binding through its thumbprint:
{
    "name": "[concat(variables('WebAppName'),'/',variables('subDomain'), '.domain.fr')]",
    "apiVersion": "2016-08-01",
    "type": "Microsoft.Web/sites/hostNameBindings",
    "location": "[variables('Location')]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('WebAppName'))]"
    ],
    "tags": {
        "displayName": "HostName"
    },
    "properties": {
        "siteName": "[variables('WebAppName')]",
        "customHostNameDnsRecordType": "CName",
        "hostNameType": "Verified",
        "sslState": "SniEnabled",
        "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', 'CertName')).Thumbprint]"
    }
},
Now I'm trying to create the same thing with the Azure SDK:
// First update: add the custom host name binding (CNAME record for subdomain.domain)
webApp = webApp.Update()
    .DefineHostnameBinding()
        .WithThirdPartyDomain(domain)
        .WithSubDomain(subdomain)
        .WithDnsRecordType(CustomHostNameDnsRecordType.CName)
        .Attach()
    .Apply();

// Second update: attach an SNI SSL binding to that host name by certificate thumbprint
webApp = webApp.Update()
    .WithThirdPartyHostnameBinding(domain, subdomain)
    .DefineSslBinding()
        .ForHostname(hostName)
        .WithExistingCertificate(certificateThumbPrint)
        .WithSniBasedSsl()
        .Attach()
    .Apply();
This code does not work because certificateThumbPrint is not found in my newly created resource group. What is missing is the equivalent of the first JSON chunk, to link my certificate to my resource group. Using the Azure portal and doing this manually is called "Import App Service Certificate".
How can I programmatically, with the Azure SDK in C#, import my existing App Service certificate into my new resource group?
Upvotes: 1
Views: 287
Reputation: 462
When trying to import an existing certificate into an app service from a key vault, you need to add/link the key vault certificate to the resource group first.
To do this with the Azure REST API
When using the old Azure SDK (Microsoft.Azure.Management.WebSites), there is a class available, BeginCreateOrUpdateCertificate, to do this operation. But Microsoft is not recommending using it, as it may get deprecated soon.
With the Azure fluent SDK, there is no way we can achieve this using the default app certificate management class, "Microsoft.Azure.Management.Fluent.Azure.AppServices.AppServiceCertificates.Define()".
However, there is a class named RestClient in the "Microsoft.Azure.Management.ResourceManager.Fluent.Core" namespace that is designed to call Azure APIs manually. And we can make use of WebSiteManagementClient, which uses the RestClient to make REST API calls against web app resources.
using System.Collections.Generic;
using Microsoft.Azure.Management.AppService.Fluent;
using Microsoft.Azure.Management.AppService.Fluent.Models;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;

var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud).WithCredentials(credentials).Build();
var x = new WebSiteManagementClient(restClient) { SubscriptionId = "your-subscription-id" };
// Creates the Microsoft.Web/certificates resource in the target resource group, referencing the Key Vault secret
var result = x.Certificates.CreateOrUpdateAsync(resourceGroupName, "UploadTest", new CertificateInner(
    "your certificate-location (East-US)",
    string.Empty, // certificate-password (pass string.Empty if null)
    keyVaultId: "/subscriptions/your-subscription-id/resourcegroups/your-resourcegroup-id/providers/microsoft.keyvault/vaults/your-key-vault-id",
    keyVaultSecretName: "key-vault-secretname", hostNames: new List<string>() { "hostname" })).GetAwaiter().GetResult();
This will add/link the existing certificate in the key vault to the resource group, and it will be available for the app service to use.
Upvotes: 0
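As an added end-to-end example (not code from the question or the answer above), the following C# program performs the three steps in order: link the Key Vault certificate into the target resource group with WebSiteManagementClient as the answer shows, then create the host name binding and the SNI binding with the fluent SDK as in the question, using the thumbprint that the created certificate resource returns rather than a value copied from elsewhere. The subscription, vault, secret, resource group, web app and domain names are placeholders. It also inspects the status of the Key Vault link, because the App Service resource provider reads the secret itself and needs read access to the vault's secrets; when that grant is missing, the CreateOrUpdate call still succeeds and the failure only shows up in the returned status.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Management.AppService.Fluent;
using Microsoft.Azure.Management.AppService.Fluent.Models;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;

public static class KeyVaultCertificateBinding
{
    // Hypothetical identifiers for illustration; replace with your own.
    const string SubscriptionId = "00000000-0000-0000-0000-000000000000";
    const string SharedVaultId = "/subscriptions/" + SubscriptionId
        + "/resourceGroups/rg-shared/providers/Microsoft.KeyVault/vaults/kv-shared";
    const string SecretName = "wildcard-domain-fr";   // the certificate's secret name in the vault
    const string TargetResourceGroup = "rg-env-new";   // the new environment's resource group
    const string CertResourceName = "MyCert";          // name of the Microsoft.Web/certificates resource
    const string WebAppName = "webapp-env-new";
    const string Domain = "domain.fr";
    const string SubDomain = "env";

    public static async Task Main()
    {
        // One service principal serves both the fluent client (web app updates)
        // and the raw REST client (certificate resource creation).
        AzureCredentials credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(
            Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
            Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET"),
            Environment.GetEnvironmentVariable("AZURE_TENANT_ID"),
            AzureEnvironment.AzureGlobalCloud);

        IAzure azure = Azure.Configure().Authenticate(credentials).WithSubscription(SubscriptionId);
        RestClient restClient = RestClient.Configure()
            .WithEnvironment(AzureEnvironment.AzureGlobalCloud)
            .WithCredentials(credentials)
            .Build();
        var webSites = new WebSiteManagementClient(restClient) { SubscriptionId = SubscriptionId };

        IWebApp webApp = azure.WebApps.GetByResourceGroup(TargetResourceGroup, WebAppName);

        // Step 1: the missing "Import App Service Certificate" step, done in the web app's region.
        string thumbprint = await LinkKeyVaultCertificateAsync(webSites, webApp.RegionName);

        // Step 2: host name binding (the CNAME for env.domain.fr must already point at the app).
        webApp = webApp.Update()
            .DefineHostnameBinding()
                .WithThirdPartyDomain(Domain)
                .WithSubDomain(SubDomain)
                .WithDnsRecordType(CustomHostNameDnsRecordType.CName)
                .Attach()
            .Apply();

        // Step 3: SNI SSL binding using the thumbprint that step 1 returned, not a hard-coded one.
        webApp = webApp.Update()
            .DefineSslBinding()
                .ForHostname($"{SubDomain}.{Domain}")
                .WithExistingCertificate(thumbprint)
                .WithSniBasedSsl()
                .Attach()
            .Apply();

        Console.WriteLine($"SNI binding for {SubDomain}.{Domain} uses certificate {thumbprint}");
    }

    // Creates (or refreshes) the Microsoft.Web/certificates resource that references the Key Vault
    // secret, then checks that the App Service resource provider could actually read the secret.
    static async Task<string> LinkKeyVaultCertificateAsync(WebSiteManagementClient client, string location)
    {
        // No PFX and no password: the private key stays in Key Vault and is read by the resource provider.
        var envelope = new CertificateInner(location, string.Empty,
            keyVaultId: SharedVaultId, keyVaultSecretName: SecretName);

        // PUT semantics, so running this again for the same name is harmless.
        CertificateInner cert = await client.Certificates.CreateOrUpdateAsync(
            TargetResourceGroup, CertResourceName, envelope);

        // A failed link still returns a resource; the status says why there is no usable key.
        // AzureServiceUnauthorizedToAccessKeyVault means the vault's access policy does not let the
        // App Service resource provider read secrets; fix the policy rather than retrying.
        if (cert.KeyVaultSecretStatus != KeyVaultSecretStatus.Succeeded
            && cert.KeyVaultSecretStatus != KeyVaultSecretStatus.Initialized)
        {
            throw new InvalidOperationException(
                $"Key Vault link for {CertResourceName} failed with status {cert.KeyVaultSecretStatus}");
        }
        if (string.IsNullOrEmpty(cert.Thumbprint))
        {
            throw new InvalidOperationException($"{CertResourceName} has no thumbprint yet; nothing to bind");
        }
        return cert.Thumbprint;
    }
}
```

The two fluent updates are kept separate, as in the question, so the host name binding exists before the SSL binding refers to it. The service principal running this needs write access on the target resource group only; it never handles the private key, which stays in Key Vault and is fetched by the App Service resource provider under its own vault permission.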