Reputation: 3025
Our APIs are exposed through Azure Cloud Services (Web Role). We use a certificate uploaded to the Cloud Service for encryption of data stored in the backend. During certificate rotation, we uploaded the new certificate by updating the *.CSCFG file.
Our CSCFG:
<Certificate name="encryptcertificatethumbprint" thumbprint="NewThumbprint" thumbprintAlgorithm="sha1" />
When we log into Portal > Cloud Service > Certificates tab, we can see both the old certificate and the new certificate.
Unfortunately some of the records in the backend system were not re-encrypted with the new rotated certificate. When our app reads that data from the backend system, it fails to decrypt with the message "The secret could not be decrypted. Check that certificate with serial number 'XXXXX-XXX' is installed. The inner cryptographic exception: 'Keyset does not exist'", since the old certificate is not present on the web role instance.
Instead of doing another deployment with both certificates, we remoted into the web role instance and installed the old certificate under Personal > Certificates.
After installing the old certificate, the application is still unable to find the certificate by thumbprint in the Local Machine certificate store. We tried restarting the web role, and the application still cannot pick up the certificate.
A few questions: can anyone help address this issue (without any deployment)?
Upvotes: 0
Views: 724
Reputation: 3025
The issue got resolved after giving permission to "Network Service".
Right-click on the certificate > All Tasks > Manage Private Keys > add the Network Service account to grant it access to the certificate.
Upvotes: 0
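The same change the accepted answer makes by hand in the MMC "Manage Private Keys" dialog, done from an elevated PowerShell prompt on the instance. This is an added example, not code from the question or the answers; it assumes the certificate sits in LocalMachine\My, that the app pool identity is NETWORK SERVICE, and it takes the thumbprint as a placeholder parameter. Under the hood the dialog edits the NTFS ACL on the key file in %ProgramData%\Microsoft\Crypto, which is what the script does directly, so it also serves as a check: it reports when the account already has read access instead of adding a duplicate rule.

```powershell
# Added example: grant an account read access to a certificate's private key
# file, the equivalent of MMC > Manage Private Keys. Not part of the original post.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                               # placeholder: supply the real thumbprint
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'  # assumed app pool identity of the web role
)

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Legacy CSP keys: the unique container name comes from CspKeyContainerInfo
    # and the file lives under Crypto\RSA\MachineKeys (for machine-scoped keys).
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { }   # throws for CNG keys on .NET Framework
    if ($csp -and $csp.CspKeyContainerInfo) {
        $info = $csp.CspKeyContainerInfo
        if (-not $info.MachineKeyStore) { throw "Key for $($Cert.Thumbprint) is user-scoped, not a machine key" }
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    }

    # CNG keys: RSACng exposes CngKey.UniqueName; machine keys live under Crypto\Keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    throw "Unsupported private key type for $($Cert.Thumbprint)"
}

# Locate the certificate in the machine store; the question's symptom was that
# the app could not see it at all, so fail loudly rather than silently.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

$keyPath = Get-PrivateKeyFilePath -Cert $cert
$acl = Get-Acl -Path $keyPath

# Check for an existing Allow rule that already covers Read before adding one.
$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}

if ($existing) {
    "$Account already has read access on $keyPath"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    "Granted Read on $keyPath to $Account"
}
```

Read is enough for decryption with the key; avoid handing the app pool identity Full Control, which would also let it delete or re-ACL the key. As the other answer notes, anything changed on the instance this way is lost on a reimage, so the durable fix is still to ship both certificates in the next deployment.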
Reputation: 10998
I haven't tried to accomplish your specific goal, but this information may help get you closer.
The Azure guest agent installs certificates as the system account in the CurrentUser store, so any interactions you want to do with those certs will need to be as the system account. To do this you can download the Sysinternals Suite and run psexec to launch a cmd prompt under the System context. Then in that new cmd prompt you can run certutil, mmc.exe, etc.:
psexec -i -d -s cmd
certutil -store -user My
You should be aware that whatever you do (i.e. installing a new certificate) will be temporary.
Upvotes: 0
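A diagnostic to run in the psexec -s prompt above and then again as the logged-in administrator, to see which store and which account actually holds a usable private key for a given thumbprint. This is an added example, not code from either answer; the thumbprint is a placeholder parameter. It does not just look the certificate up, it opens the key and signs a small constructed buffer, because that is the step that fails with "Keyset does not exist" or "Access is denied" when the key file is missing or its ACL excludes the caller.

```powershell
# Added example: report, per store, whether a certificate is present and whether
# its private key can actually be used by the current account. Not part of the original post.
param([Parameter(Mandatory = $true)][string]$Thumbprint)   # placeholder thumbprint

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Running as $who"

# Constructed 16-byte probe; the content does not matter, only that signing succeeds.
$probe = [byte[]](1..16)

foreach ($storePath in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        "$storePath : not present"
        continue
    }

    $status = 'no private key in this store'
    if ($cert.HasPrivateKey) {
        try {
            # Opening and exercising the key is what the application's decrypt path does;
            # an exception here reproduces the question's "Keyset does not exist".
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $sig = $rsa.SignData(
                $probe,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            $status = "private key usable ($($sig.Length * 8)-bit RSA)"
        } catch {
            $status = "private key NOT usable: $($_.Exception.Message)"
        }
    }
    "$storePath : present, serial $($cert.SerialNumber), $status"
}
```

If the certificate shows as present in LocalMachine\My with the key usable as SYSTEM but not usable as the web role's app pool identity, the problem is the key file ACL rather than the store, which is the case the accepted answer fixed. If it is only present under CurrentUser\My for the SYSTEM account, the application, running as a different identity, will never see it there.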