RichP

Reputation: 525

Azure Key Vault and Expiring Certificate

I hope I can explain this correctly. I inherited a couple of Windows applications that need a certificate installed to the local cert store in order to access an Azure Key Vault's Secret to do what the applications do. Currently everything is working correctly. The cert in Azure is set to expire on 10/31/2019.

A new certificate has been created with an expiration in September of 2020.

When I had these applications dumped on me I was given the cert to use, but it has a .p12 extension. I can only export the new Azure certificate as .cer or .pfx.

When I install the newly exported cert as either .pfx or .cer the applications fail. If I install the old cert with .p12 extension they work.

Both apps use the code below to get (I think) the local cert that is current via the "Issuer" which is CN = Value. I've checked both the old and new values of "Issuer/CN =" and they are identical.

Does the cert exported in Azure need to have a .p12 extension? If so, how do I do that?

If the cert in Azure exported is okay as a .pfx where might my problem(s) be?

C# code in the apps that gets the local cert, which in turn gets the necessary Azure secret to do the work:

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

private static X509Certificate2 ReadCertificateFromStore(string certName)
{
    X509Certificate2 cert = null;

    try
    {
        // Personal store of the user the application runs as.
        using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection certCollection = store.Certificates;

            // Find unexpired certificates.
            X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);

            // From the collection of unexpired certificates, find the ones whose subject DN matches certName exactly.
            X509Certificate2Collection signingCert = currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certName, false);

            // Return the most recently issued certificate that has the right name and is current.
            cert = signingCert.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault();
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.Message);
    }

    return cert;
}

Upvotes: 0

Views: 661

Answers (2)

Daniel Fisher lennybacon

Reputation: 4184

First, .p12 as well as .pfx are extensions for the PKCS#12 format.

Both apps use the code below to get (I think) the local cert that is current via the "Issuer" which is CN = Value. I've checked both the old and new values of "Issuer/CN =" and they are identical.

Based on your code that is not true.

// From the collection of unexpired certificates, find the ones with the correct name.
X509Certificate2Collection signingCert =
   currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certName, false);

It says FindBySubjectDistinguishedName, which means that the subject of both certificates needs to be exactly the same. Here is an example:

[screenshot: a certificate's Subject field with a single CN element]

And another one with multiple elements in the subject:

[screenshot: a certificate's Subject field with multiple elements]

You could also install both certificates and play around to figure out the parameters to get the right certificate. I converted parts of your code to PowerShell:

# Open the same store the C# code uses: CurrentUser\My
$store = `
  New-Object System.Security.Cryptography.X509Certificates.X509Store( `
    [System.Security.Cryptography.X509Certificates.StoreName]::My, `
    [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)

$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

# Same lookup as the C# Find(): the subject DN string must match exactly.
# Replace "CN=..." with the subject of the certificate you expect to find.
$signingCert = `
   $store.Certificates.Find( `
     [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName, `
     "CN=...", `
     $false)

# Prints Subject, Issuer, Thumbprint and validity of whatever matched (nothing if no match)
$signingCert

$store.Close()

Upvotes: 1
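The two points of the answer above, that .p12 and .pfx are one format and that the Find() in the question compares the Subject rather than the Issuer, can be checked from code. The following C# is an added diagnostic example and is not code from the question or the answer; it assumes the certificate lives in CurrentUser\My as in the apps' code, and the subject, thumbprint and file path it takes are hypothetical inputs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example; not code from the question or the answer.
// Assumes the certificate lives in CurrentUser\My as in the apps' code; the
// expected subject, thumbprint and file path are hypothetical inputs.
static class CertificateDiagnostics
{
    // .p12 and .pfx are both PKCS#12, so the same loader handles either extension.
    // X509Certificate2Collection.Import reads the whole bundle (leaf, chain and
    // private key); a .cer carries the public certificate only.
    public static X509Certificate2Collection LoadPkcs12(string path, string password)
    {
        var bundle = new X509Certificate2Collection();
        bundle.Import(path, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
        return bundle;
    }

    // One line per certificate with the fields that decide whether Find() matches.
    public static string Describe(X509Certificate2 c)
    {
        return "Subject=" + c.Subject                       // compared by FindBySubjectDistinguishedName
             + " | Issuer=" + c.Issuer                      // not compared by that search
             + " | Thumbprint=" + c.Thumbprint
             + " | Valid=" + c.NotBefore.ToString("u") + ".." + c.NotAfter.ToString("u")
             + " | HasPrivateKey=" + c.HasPrivateKey;       // false when only the .cer was installed
    }

    // Why a given certificate would be dropped by the apps' two-step Find(), or "match".
    // The subject comparison is on the formatted DN string: RDN order and spelling must agree.
    public static string ExplainSelection(X509Certificate2 c, string expectedSubject, DateTime now)
    {
        if (now < c.NotBefore || now > c.NotAfter)
            return "rejected: outside validity period (FindByTimeValid)";
        if (!string.Equals(c.Subject, expectedSubject, StringComparison.OrdinalIgnoreCase))
            return "rejected: subject differs from '" + expectedSubject + "' (FindBySubjectDistinguishedName)";
        if (!c.HasPrivateKey)
            return "found, but unusable: no private key (import the .pfx/.p12, not the .cer)";
        return "match";
    }

    // Walk the store and report every entry against the expected subject.
    public static List<string> Audit(string expectedSubject)
    {
        var report = new List<string>();
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 c in store.Certificates)
                report.Add(Describe(c) + " => " + ExplainSelection(c, expectedSubject, DateTime.Now));
        }
        return report;
    }

    // A thumbprint lookup stays unambiguous when the old and the renewed certificate
    // share a subject, and the thumbprint is what the App Registration lists.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
        }
    }

    static void Main()
    {
        // Placeholder subject; use the value the apps pass as certName.
        foreach (var line in Audit("CN=<expected-subject>"))
            Console.WriteLine(line);
    }
}
```

Running Audit with the same certName the apps use shows, for each certificate in the store, which of the two Find() steps rejects it; a renewed certificate that was exported as .cer only will appear with HasPrivateKey=false, and one whose subject was changed at renewal will be rejected at the subject step even though its Issuer is unchanged.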

RichP

Reputation: 525

Mystery solved. In addition to installing the certificate on the machines in question you also need to register the cert (.cer portion) in Azure's App Registrations.

Upvotes: 0
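The resolution above means the local store lookup was never the failing step: a certificate that is installed locally but whose public part is not registered on the app registration fails when the application presents it to Azure AD. The following C# is an added example, not the apps' own code; it assumes the apps use MSAL.NET's client-credential flow (the question does not show their token code), and the tenant id, client id and registered thumbprint are placeholders to be filled in from the app registration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;   // MSAL.NET; assumed, the apps' own token code is not shown

// Added example; not the apps' code. Uses MSAL.NET's client-credential flow, which is
// an assumption about how the apps talk to Azure AD. TenantId, ClientId and
// RegisteredThumbprint are placeholders taken from the App Registration.
static class KeyVaultTokenCheck
{
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-registration-client-id>";
    const string RegisteredThumbprint = "<thumbprint listed under the app's Certificates & secrets>";
    // Key Vault's scope for the client-credential flow.
    static readonly string[] Scopes = { "https://vault.azure.net/.default" };

    // Local pre-flight: the certificate the store lookup returned must carry a private key
    // (to sign the client assertion) and must be the one the app registration knows about.
    public static string Preflight(X509Certificate2 cert)
    {
        if (cert == null)
            return "no certificate selected from the store";
        if (!cert.HasPrivateKey)
            return "certificate has no private key (only the .cer was installed?)";
        if (!string.Equals(cert.Thumbprint, RegisteredThumbprint, StringComparison.OrdinalIgnoreCase))
            return "local thumbprint " + cert.Thumbprint + " is not the one registered on the app";
        return "ok";
    }

    public static async Task<string> AcquireKeyVaultTokenAsync(X509Certificate2 cert)
    {
        string check = Preflight(cert);
        if (check != "ok")
            throw new InvalidOperationException(check);

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithCertificate(cert)
            .WithTenantId(TenantId)
            .Build();
        try
        {
            AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalServiceException ex)
        {
            // A certificate that is valid locally but whose public part was never uploaded
            // to the App Registration fails here, at the token request, not in the store
            // lookup: Azure AD cannot verify the signature on the client assertion.
            Console.WriteLine("Token request rejected: " + ex.ErrorCode + " - " + ex.Message);
            throw;
        }
    }
}
```

Pairing the Preflight check with the store lookup turns "the applications fail" into a specific message: no certificate found, a public-only certificate, or a local certificate that the app registration has not been updated with. The last case is the one the accepted resolution describes, and it is only fixed by uploading the renewed certificate's .cer to the app registration, not by anything done in the local store.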
