4 votes

I have an Azure Worker Role that I wish to call the Management Service (e.g. REST API) and collect information regarding related services. However, when I try to load my certificate it fails to find it. Here are the steps I followed:

1. I created a certificate using MakeCert and registered it as my Management Certificate via the portal

makecert -r -pe -a sha1 -n "CN=MyCnName" -ss My -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 MyCert.cer

2. Installed the cert on my local machine and everything works fine. When running the Worker Role locally I can call the Management Service with no problems.

3. Exported the cert from my machine and registered the exported certificate under the target Hosted Service via the portal

4. Deployed the Role. When the Role starts it fails to find the cert.

Here is an extract of the code I'm using to find the cert.

using System.Security.Cryptography.X509Certificates;

// Open the certificate store for the current user.
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); // I also tried LocalMachine
certStore.Open(OpenFlags.ReadOnly);

// Find the certificate with the specified subject.
// validOnly is false so that a self-signed (untrusted) certificate is still returned.
X509Certificate2Collection certCollection = certStore.Certificates.Find(
    X509FindType.FindBySubjectName,
    _myConfiguration.SubjectName,
    false);

// Find never returns null; it returns an empty collection when nothing matches.
if (certCollection == null || certCollection.Count < 1)
{
    // Fall back to the certificate with the specified thumbprint.
    certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        _myConfiguration.ThumbPrint,
        false);
}

// Close the certificate store.
certStore.Close();

// Check to see if a matching certificate was found.
if (certCollection.Count == 0)
{
    _logger.Warn("No certificate found");
}

There is no exception, just no cert is found. Can anyone shed some light on what I need to do?
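The lookup below is an added example (not code from the question or from the Azure SDK) of how I would harden the search in the question. It assumes the thumbprint comes from role configuration, exactly like `_myConfiguration.ThumbPrint` above, and it guards against the three things that most often produce "no cert found" without an exception: a thumbprint copied from the certificate UI that carries spaces or a hidden left-to-right mark, a search in the wrong store location, and a hit that is only the public `.cer` half (no private key), which finds a certificate but cannot authenticate to the management API.

```csharp
// Added example (not from the question). Hardened certificate lookup for a role.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class CertificateLookup
{
    // Thumbprints pasted from the certificate MMC often contain spaces or an
    // invisible left-to-right mark at the front; keep only hex digits.
    public static string NormalizeThumbprint(string thumbprint)
    {
        if (thumbprint == null) throw new ArgumentNullException("thumbprint");
        return Regex.Replace(thumbprint, "[^0-9A-Fa-f]", "").ToUpperInvariant();
    }

    // Looks for the certificate in one store/location. Returns null (never throws)
    // when nothing usable is found so the caller can log and decide what to do.
    public static X509Certificate2 FindByThumbprint(
        string thumbprint, StoreLocation location, StoreName storeName, bool requirePrivateKey)
    {
        string wanted = NormalizeThumbprint(thumbprint);
        var store = new X509Store(storeName, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly is deliberately false: a self-signed MakeCert certificate does
            // not chain to a trusted root, and validOnly == true would silently drop it.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, wanted, false);

            foreach (X509Certificate2 candidate in matches)
            {
                // Only the public half was installed (a .cer instead of the .pfx):
                // the certificate is "found" but cannot sign the management request.
                if (requirePrivateKey && !candidate.HasPrivateKey)
                    continue;

                return candidate;
            }
            return null;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Usage: `CertificateLookup.FindByThumbprint(_myConfiguration.ThumbPrint, StoreLocation.LocalMachine, StoreName.My, true)`. Two points worth logging alongside the result: the normalized thumbprint that was actually searched for, and `HasPrivateKey` of whatever was found. Inside a role, `StoreLocation.CurrentUser` is the store of the account the role process runs as, not of the administrator who installed the certificate over remote desktop, so a certificate that is visible in the MMC can still be invisible to the role; searching `LocalMachine\My` removes that mismatch.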


2 Answers

8 votes

Figured out the problem... In addition to configuring the cert in the portal, I needed to add the certificate details (e.g. Name, Store, and Thumbprint) to the Azure Project Role settings under the Certificates Tab.

0 votes

I have a similar problem for a web role; I have applied a workaround.

  1. Connect with remote desktop to the VM where the service and certificate are deployed
  2. Copy your cert or pfx to your VM local disk (e.g. C:)
  3. Click on your .pfx or .cer file and install it in the specific certificate store "Trusted People"
  4. Run your service; even if you are configured to search a different store, you will find it in Trusted People

I don't know why my web role tries to find the cert in this location when I am forcing it to search the "My" store, but the search method retrieves info from the Trusted People store.

The problem with this workaround is that when you delete your deployment the cert and any other configuration will be wiped.

This piece of code could give you some information:

using System.IdentityModel.Tokens;          // X509SecurityToken (System.IdentityModel.dll)
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Returns a security token for the first certificate whose subject matches,
// or null when no such certificate exists in the store.
//the certificate must be in the Trusted People Store
public X509SecurityToken FindToken(string subjectname)
{
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        //Commented
        //Get the first available match from cert store
        //X509Certificate2 cert = store.Certificates.Find(X509FindType.FindBySubjectName,
        //                                                subjectname,
        //                                                false)
        //                                          .Cast<X509Certificate2>()
        //                                          .FirstOrDefault();

        foreach (X509Certificate2 ct in store.Certificates)
        {
            //Logger.TraceInformation(string.Format("Cert found: Subject {0} Thumbprint:{1}", ct.FriendlyName, ct.Thumbprint));
            if (ct.SubjectName.Name.Contains("*.certnamexx.extensionxx"))
            {
                return new X509SecurityToken(ct);
            }
        }
        return null;
    }
    finally
    {
        store.Close();
    }
}
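When a role finds its certificate in a store other than the one it asked for, the first thing to establish is where the certificate actually landed and whether the copy there carries a private key. The survey below is an added example (not code from the answer above) that walks the well-known stores in both locations and reports every certificate whose subject contains a fragment, in the same `Contains` style the answer uses but case-insensitive. The subject fragment and the set of stores checked are assumptions for the example.

```csharp
// Added example (not from the answer). Survey of where a certificate lives.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public sealed class CertificateHit
{
    public StoreLocation Location { get; set; }
    public StoreName Store { get; set; }
    public string Subject { get; set; }
    public string Thumbprint { get; set; }
    public bool HasPrivateKey { get; set; }
    public DateTime NotAfter { get; set; }
}

public static class CertificateStoreSurvey
{
    // Stores a service certificate could plausibly end up in. TrustedPeople is
    // included because that is where the workaround above installs it.
    private static readonly StoreName[] StoresToCheck =
    {
        StoreName.My, StoreName.TrustedPeople, StoreName.Root,
        StoreName.CertificateAuthority, StoreName.AddressBook
    };

    // Returns one entry per matching certificate per store, so a certificate that
    // was installed twice (e.g. .cer in My, .pfx in TrustedPeople) shows up twice.
    public static List<CertificateHit> FindBySubjectFragment(string subjectFragment)
    {
        if (string.IsNullOrEmpty(subjectFragment))
            throw new ArgumentException("subject fragment required", "subjectFragment");

        var hits = new List<CertificateHit>();
        foreach (StoreLocation location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        {
            foreach (StoreName storeName in StoresToCheck)
            {
                var store = new X509Store(storeName, location);
                try
                {
                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                    foreach (X509Certificate2 cert in store.Certificates)
                    {
                        if (cert.Subject.IndexOf(subjectFragment, StringComparison.OrdinalIgnoreCase) < 0)
                            continue;

                        hits.Add(new CertificateHit
                        {
                            Location = location,
                            Store = storeName,
                            Subject = cert.Subject,
                            Thumbprint = cert.Thumbprint,
                            HasPrivateKey = cert.HasPrivateKey,
                            NotAfter = cert.NotAfter
                        });
                    }
                }
                catch (CryptographicException)
                {
                    // The store does not exist in this location (OpenExistingOnly); skip it.
                }
                finally
                {
                    store.Close();
                }
            }
        }
        return hits;
    }
}
```

Usage: `CertificateStoreSurvey.FindBySubjectFragment("certnamexx")` and log each hit's `Location`, `Store`, `Thumbprint` and `HasPrivateKey`. A hit in `My` with `HasPrivateKey == false` next to a hit in `TrustedPeople` with `HasPrivateKey == true` is the pattern the workaround produces: the deployment installed the public `.cer`, the hand-installed `.pfx` is the only usable copy, and, as the answer notes, that copy disappears when the deployment is deleted. Because `TrustedPeople` also governs which certificates the machine trusts directly, a certificate placed there by hand should be removed again once the lookup is pointed at the right store.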