Using Certificates in Azure App Services

In different kinds of situations you need to use a certificate for authentication or signing. I needed one because I was setting up an Identity Server, the Identity Server V3 (https://identityserver.io) to be exact.

Within this Identity Server a certificate is used for signing. For testing purposes you can download one from their GitHub repository. But if you would like to buy one or generate one you will have to do some extra work.

If you want to generate a certificate you can read my post from last week:

The certificate that’s needed can be stored within the application itself, or, as a more manageable solution, saved within Azure.

On a blog page from Microsoft I found out how you can save the certificate within Azure and use it with your application. As that guide was written for the old portal, I rewrote it with the steps that need to be done within the new Azure portal (https://portal.azure.com).

Upload the Certificate

The first step is to upload the certificate. To accomplish this, follow these steps:

  1. Open the Azure portal: https://portal.azure.com
  2. Navigate to your created Azure App Service, for example an Azure Web App.
  3. In the menu blade pick the option “SSL Certificates” under the “Settings” section.
  4. In the SSL Certificates blade upload your certificate and supply the password.

Adjusting the Web App Settings

When the certificate is uploaded, the web application itself needs to be instructed to load the certificate. This is done by adding an application setting called “WEBSITE_LOAD_CERTIFICATES” with the thumbprint of the certificate you want loaded as its value. If you want to load multiple certificates, supply the value as a comma-separated list of thumbprints.

  1. Open the Azure portal: https://portal.azure.com
  2. Navigate to your created Azure App Service, for example an Azure Web App.
  3. In the menu blade pick the option “Application Settings” under the “Settings” section.
  4. In the newly opened blade scroll down to the section called “App Settings” and add the setting.


Before publishing your application to the cloud you can also add the value to the appSettings section of your web.config:

<add key="WEBSITE_LOAD_CERTIFICATES" value="2697505afae56f3ac23a53716d2ff3029903d542"/>

Load the certificate within your application

With the previous steps done you are able to load the certificate within the application by simply adding the following C# method:

using System;
using System.Security.Cryptography.X509Certificates;

public X509Certificate2 GetCertificate(string thumbprint)
{
    if (string.IsNullOrEmpty(thumbprint))
        throw new ArgumentNullException("thumbprint", "Argument 'thumbprint' cannot be 'null' or 'string.empty'");

    X509Certificate2 retVal = null;

    // App Service places the certificates listed in WEBSITE_LOAD_CERTIFICATES in the
    // personal store of the account the web app runs as, so look in CurrentUser\My.
    X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certStore.Open(OpenFlags.ReadOnly);

    try
    {
        // validOnly is false so that self-signed or test certificates, which fail
        // chain validation, are still returned.
        X509Certificate2Collection certCollection =
            certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);

        if (certCollection.Count > 0)
        {
            retVal = certCollection[0];
        }
    }
    finally
    {
        // Close the store even when Find throws.
        certStore.Close();
    }

    return retVal;
}

This method can simply be called by supplying the thumbprint of the certificate, which you can for example have saved within the web.config or the app settings.

using System.Security.Cryptography.X509Certificates;
using System.Web.Configuration;

// Load the thumbprint from the web.config; WebConfigurationKeys.Thumbprint holds
// the name of the app setting that contains the thumbprint.
string thumbprint = WebConfigurationManager.AppSettings[WebConfigurationKeys.Thumbprint];
X509Certificate2 identityCertificate = GetCertificate(thumbprint);
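As an added example that serves both the “Adjusting the Web App Settings” section and the loading code above (it is not code from the original post or from the sample project on GitHub), the following C# class parses a WEBSITE_LOAD_CERTIFICATES-style comma-separated thumbprint value, loads each certificate from the CurrentUser\My store the same way GetCertificate does, and checks at start-up that the certificate is actually usable for signing: that it is inside its validity period, that the private key was uploaded with it, and that the key can be opened and used for an RSA-SHA256 signature. The class name SigningCertificateLoader, the method names and the self-test string are my own choices; the code assumes .NET Framework 4.6 or later, where X509Certificate2.GetRSAPrivateKey and a disposable X509Store are available.

```csharp
// Added example, not part of the original post or its GitHub sample.
// Assumes .NET Framework 4.6 or later (X509Certificate2.GetRSAPrivateKey,
// disposable X509Store).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SigningCertificateLoader   // name chosen for this example
{
    // Turns a WEBSITE_LOAD_CERTIFICATES-style value ("aa11...,bb22...") into clean
    // upper-case SHA-1 thumbprints. Thumbprints pasted from the Windows certificate
    // dialog often carry spaces between the byte pairs and an invisible
    // left-to-right mark (U+200E) at the front; X509Store.Find then matches
    // nothing, so everything that is not a hex digit is dropped first.
    public static IList<string> ParseThumbprints(string setting)
    {
        var result = new List<string>();
        if (string.IsNullOrWhiteSpace(setting))
            return result;

        foreach (string raw in setting.Split(','))
        {
            string hex = new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
            if (hex.Length == 0)
                continue;                       // tolerate a trailing comma
            if (hex.Length != 40)               // SHA-1 = 20 bytes = 40 hex digits
                throw new FormatException("Not a SHA-1 thumbprint: '" + raw.Trim() + "'");
            result.Add(hex);
        }
        return result;
    }

    // Loads every certificate named in the setting from CurrentUser\My, which is
    // where App Service puts the certificates listed in WEBSITE_LOAD_CERTIFICATES.
    public static IList<X509Certificate2> LoadAll(string setting)
    {
        return ParseThumbprints(setting).Select(LoadOne).ToList();
    }

    public static X509Certificate2 LoadOne(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false keeps self-signed test certificates, which fail
            // chain validation, in the result set.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " is not in CurrentUser\\My; " +
                    "check the thumbprint in WEBSITE_LOAD_CERTIFICATES.");

            X509Certificate2 cert = found[0];
            EnsureUsableForSigning(cert);
            return cert;
        }
    }

    // A signing certificate that is expired, or whose private key did not come
    // along in the .pfx upload, otherwise only fails when the first token is
    // issued; checking at start-up turns that into a clear error.
    public static void EnsureUsableForSigning(X509Certificate2 cert)
    {
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                "Certificate " + cert.Thumbprint + " is outside its validity period (" +
                cert.NotBefore.ToUniversalTime().ToString("u") + " to " +
                cert.NotAfter.ToUniversalTime().ToString("u") + ").");

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate " + cert.Thumbprint + " has no private key; upload the .pfx that contains it.");

        // GetRSAPrivateKey opens both legacy CSP keys and CNG (KSP) keys. The older
        // X509Certificate2.PrivateKey property only opens CSP keys and throws
        // "Invalid provider type specified" when the key lives in a CNG provider;
        // the stack trace in the comments on this post ends in that exception.
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Certificate " + cert.Thumbprint + " does not hold an RSA key.");

            byte[] data = Encoding.UTF8.GetBytes("signing self-test");   // constructed sample input
            byte[] signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (!rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                throw new InvalidOperationException("RSA-SHA256 signature round-trip failed for " + cert.Thumbprint + ".");
        }
    }
}
```

Calling SigningCertificateLoader.LoadAll(WebConfigurationManager.AppSettings["WEBSITE_LOAD_CERTIFICATES"]) once during start-up and handing the first certificate to IdentityServerOptions.SigningCertificate means a wrong thumbprint, a missing private key or an expired certificate stops the site from starting with a message that names the cause, instead of surfacing later as a failed token request.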

My complete test application for Identity Server V3 with the Azure certificate implementation can be found on GitHub:

The complete solution can be hosted within Azure Web App instances, but preferably within an Azure App Service Environment. This is because a Web App instance is a shared resource on a VM, which is not a good security practice for an Identity Server, so deploying it to an Azure App Service Environment is preferable as this is not a shared environment.


2 comments

  • We’re implementing the same exact thing in Azure App Service, IdtSrv3. We’ve been having some trouble figuring out how we were going to load in the cert, then we found your blog here. We followed the steps you gave, but we are seeing the below error being thrown. Any ideas?

    System.InvalidOperationException: IDX10614: AsymmetricSecurityKey.GetSignatureFormater( ‘http://www.w3.org/2001/04/xmldsig-more#rsa-sha256’ ) threw an exception.
    Key: ‘System.IdentityModel.Tokens.X509AsymmetricSecurityKey’
    SignatureAlgorithm: ‘http://www.w3.org/2001/04/xmldsig-more#rsa-sha256′, check to make sure the SignatureAlgorithm is supported.
    Exception:’System.Security.Cryptography.CryptographicException: Invalid provider type specified.

    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
    at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
    at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
    at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
    at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
    at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
    at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
    at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\workspace\WilsonForDotNet45Release\src\System.IdentityModel.Tokens.Jwt\AsymmetricSignatureProvider.cs:line 147’.
    If you only need to verify signatures the parameter ‘willBeUseForSigning’ should be false if the private key is not be available. —> System.Security.Cryptography.CryptographicException: Invalid provider type specified.
