3
votes

I have an Azure based .NET web app that we are trying to connect to a client's local ADFS environment. We are able to get access to the resource via the Azure Hybrid Connection, but when we try to get an authentication header from ADFS we get a certificate error.

After doing some digging, we found they are not using a certificate from a trusted root CA and instead are using a self-signed certificate. The client has sent us their root CA (along with intermediates) certificate and is asking us to have our Azure application trust these.

1) Is this possible?

2) Are there any security risks from doing so?

I found this document about adding certificates to your app service but I don't think this will 'trust' any certificates signed by their root CA certificate and instead is trusting just that certificate by itself. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load

I also found this question, which is from 2015 and was curious if this answer had changed since then. How can I trust an Active Directory Root CA Certificate in an Azure Web Application?

And the actual error we get when try to connect to their ADFS currently:

System.Net Information: 0 : [13800] SecureChannel#55196503 - Remote certificate has errors:

System.Net Information: 0 : [13800] SecureChannel#55196503 - A certificate chain could not be built to a trusted root authority.

System.Net Information: 0 : [13800] SecureChannel#55196503 - Remote certificate was verified as invalid by the user.

System.Net Error: 0 : [13800] Exception in HttpWebRequest#44115416:: - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..

1

1 Answers

4
votes

No, it still is not possible to use a self-signed certificate. Due to the security risks, the requirements have not changed.

Referenced from MS docs, here are the requirements for your SSL certificate:

To use a certificate in App Service, the certificate must meet all the following requirements:

  • Signed by a trusted certificate authority
  • Exported as a password-protected PFX file
  • Contains privatekey at least 2048 bits long
  • Contains all intermediate certificates in the certificate chain

See more from this June 2018 guide