roonz11

Reputation: 855

Cannot find Certificate - Azure .NET Core App

When I run my webapp from Azure, I'm getting an exception saying that it cannot find my certificate.

  1. I have configured KeyVault to store my secrets and I've uploaded my private key certificate to my TLS/SSL settings.
  2. In Azure Active Directory I've registered my app which has the same Thumbprint as my private key certificate.
  3. In my web app's configuration, I've added "WEBSITE_LOAD_CERTIFICATES" = "*", and "KeyVault:Vault"="meiwebapivault"
  4. Then in code, my Program.cs handles finding the certificate. However this is where it fails.

Any idea what steps I'm missing or why this is failing?

I followed this tutorial.

Screenshots (images not reproduced): KeyVault - Secrets; Azure Active Directory - App Registration; Uploaded certificate; webApp TLS/SSL Settings - private certificate; Configuration - App Settings.

using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration(builder =>
            {
                // Build the configuration gathered so far (appsettings.json, App Service
                // app settings) to read the vault name, client id and thumbprint.
                var root = builder.Build();
                var vaultName = root["KeyVault:Vault"];
                if (!string.IsNullOrEmpty(vaultName))
                {
                    builder.AddAzureKeyVault($"https://{vaultName}.vault.azure.net/",
                        root["KeyVault:ClientId"],
                        GetCertificate(root["KeyVault:Thumbprint"]),
                        new PrefixKeyVaultSecretManager("WebApi"));
                }
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });

    private static X509Certificate2 GetCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly = true: only certificates whose chain validates are returned
            var certificateCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);

            if (certificateCollection.Count == 0)
                throw new Exception("Certificate is not installed"); //<------------- FAILS HERE

            return certificateCollection[0];
        }
        finally
        {
            store.Close();
        }
    }
}
{
  "KeyVault": {
    "Vault": "",
    "ClientId": "6ac#####-####-####-####-######ffe96",
    "Thumbprint": "4EC2C##############################4507C"
  }
}
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class PrefixKeyVaultSecretManager : IKeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix)
    {
        _prefix = $"{prefix}-";
    }

    // Strip the prefix and map "--" in the secret name to the configuration section delimiter.
    public string GetKey(SecretBundle secret)
    {
        return secret.SecretIdentifier.Name.Substring(_prefix.Length)
            .Replace("--", ConfigurationPath.KeyDelimiter);
    }

    // Only load secrets whose name carries this application's prefix.
    public bool Load(SecretItem secret)
    {
        return secret.Identifier.Name.StartsWith(_prefix);
    }
}

Upvotes: 1

Views: 904

Answers (1)

roonz11

Reputation: 855

My setup was correct. I just needed to change this one line from

var certificateCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);

to

var certificateCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);

Upvotes: 1
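The third argument of `Find` is `validOnly`: with `true`, a certificate whose chain does not build (the usual case for a self-signed .pfx uploaded to App Service) is silently dropped, which is why the question's lookup found nothing. Switching to `false`, as the answer does, returns the certificate but also drops every check, so the expiry and private-key conditions a Key Vault client actually depends on are no longer enforced. The helper below is an added example, not the asker's code or anything from the tutorial: it performs the `validOnly: false` lookup, re-applies the checks that matter explicitly, and logs the chain status so the reason `validOnly: true` was rejecting the certificate shows up in the App Service log stream. The class and method names are assumptions; it targets the same `CurrentUser\My` store as the question.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example (not the asker's code): find a certificate by thumbprint without
// validOnly filtering, then apply the checks that matter and explain chain failures.
public static class CertificateLoader
{
    public static X509Certificate2 LoadByThumbprint(string thumbprint)
    {
        // Thumbprints pasted from the portal sometimes carry spaces; normalise first.
        var clean = thumbprint.Replace(" ", string.Empty).Trim().ToUpperInvariant();

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false returns the certificate even when its chain does not build,
        // e.g. a self-signed certificate loaded through WEBSITE_LOAD_CERTIFICATES.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, clean, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No certificate with thumbprint {clean} in CurrentUser\\My; " +
                "check that WEBSITE_LOAD_CERTIFICATES covers this thumbprint.");

        var cert = matches[0];

        // The checks validOnly used to imply, now made explicit and specific.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate found but it has no private key; Key Vault client auth needs the .pfx, not the .cer.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate expired on {cert.NotAfter:u}.");

        // Diagnose, but do not block on, chain status: a self-signed certificate will
        // report UntrustedRoot here, which is exactly what validOnly: true was hiding.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(cert))
        {
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"certificate chain: {status.Status} - {status.StatusInformation.Trim()}");
        }

        return cert;
    }
}
```

Call it in place of `GetCertificate` when wiring `AddAzureKeyVault`; the thrown messages name the specific condition that failed instead of the generic "Certificate is not installed", and the chain output distinguishes a missing certificate from one that is present but untrusted.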
