26
votes

When I was using the web role I was just uploading the certificate in the Azure portal and I was able to see it. Now I have switched to a website in Azure and I uploaded the certificate in the Azure management portal, but my code does not see it at all.

Is there some configuration we need to do, or some other way to access uploaded certs in Azure Web Sites?

This is how I am trying to access the uploaded cert:

private List<string> GetAvailableCertificatesFromStore()
{
    var list = new List<string>();
    var store = new X509Store(StoreName.My,StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    try
    {
        foreach (var cert in store.Certificates)
        {
            // todo: add friendly name
            list.Add(string.Format("{0}", cert.Subject));
        }
    }
    finally
    {
        store.Close();
    }

    return list;
}

2 Answers

11
votes

UPDATE - July 23 2015: This answer is now obsolete (It was correct at the time it was provided though). Please see S Armstrong's answer below.

Things work differently in Azure Cloud Services (Web/Worker Roles) and Azure Websites. In Azure Cloud Services, when you upload a certificate through the management portal and specify that certificate's thumbprint and install location in your role's properties, the fabric controller responsible for your role also installs these certificates automatically for you when the role is deployed in a VM. This is the reason the code above works in a web role.

In a website, you would need to do this on your own. Unfortunately, because of security restrictions in an Azure website, you just can't install a certificate in the certificate store. To work with certificates, you would need to include the certificate's PFX file along with your code and work with that certificate file. You can't install the certificate in the certificate store.

In whatever little work I have done with Azure Website and Certificates, I have found that the certificate only works if the PFX file is included in AppData folder. Also you may run into errors like CryptographicException: The system cannot find the file specified. If you run into this error, you may find this blog post useful: http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/

81
votes

Using certificates in an Azure WebSite works differently to how it does in a local copy of IIS or even when running a web site in debug mode from Visual Studio. In short, the website does not have access to a certificate store in the traditional sense of the term ... it is all done in memory.

Firstly, once you have uploaded your certificate through the Azure portal you need to add an appsetting (also through the portal) called WEBSITE_LOAD_CERTIFICATES and set the value for this to the thumbprint of your uploaded certificate. This can be a comma-separated list of multiple thumbprints if you want, or even * to load all your uploaded certificates. I'm presuming this forces the certificates to be loaded into memory.

To then load your certificate, you can do the following:

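// Open the current user's personal store (not LocalMachine) read-only.
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

// The third argument is validOnly: false also returns certificates that fail validation.
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, YOUR_THUMBPRINT, false);
store.Close();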

Change the 'false' to 'true' if you want to ensure the certificate is valid.

I found this information here, which explains it much better than I have: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/
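
A helper built on the steps in the answer above, as an added example that is not part of the original answers: it checks that the thumbprint is covered by WEBSITE_LOAD_CERTIFICATES before opening the CurrentUser store, so a missing app setting and a missing or invalid certificate produce different errors. The names AzureWebsiteCertificates, NormalizeThumbprint, IsListed and Load are hypothetical, and the code assumes the app setting is readable by the process as an environment variable.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class AzureWebsiteCertificates
{
    // Keep hex digits only: thumbprints pasted from a certificate dialog
    // often carry spaces or an invisible leading character.
    public static string NormalizeThumbprint(string raw)
    {
        return new string((raw ?? "").Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
    }

    // True when the WEBSITE_LOAD_CERTIFICATES value is "*" or lists the thumbprint.
    public static bool IsListed(string setting, string thumbprint)
    {
        var wanted = NormalizeThumbprint(thumbprint);
        if (string.IsNullOrWhiteSpace(setting) || wanted.Length == 0) return false;
        return setting.Split(',').Any(e => e.Trim() == "*" || NormalizeThumbprint(e) == wanted);
    }

    public static X509Certificate2 Load(string thumbprint, bool validOnly)
    {
        var wanted = NormalizeThumbprint(thumbprint);
        // Assumption: the app setting is visible to the process as an environment variable.
        var setting = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
        if (!IsListed(setting, wanted))
            throw new InvalidOperationException(
                "Thumbprint " + wanted + " is not listed in WEBSITE_LOAD_CERTIFICATES.");

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, wanted, validOnly);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Certificate " + wanted + " is not in CurrentUser\\My" +
                    (validOnly ? " or failed validation." : "."));
            return found[0];
        }
        finally
        {
            store.Close(); // release the store handle even when the lookup throws
        }
    }
}
```

Listing specific thumbprints in the setting rather than * keeps the set of certificates exposed to the application code as small as it needs to be.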