12

I need to access a certificate from my Azure Function.

I followed the steps outlined in Runtime error loading certificate in Azure Functions but it didn't work out.

using System.Security.Cryptography.X509Certificates;

private static X509Certificate2 GetCertificate(string thumbprint, TraceWriter log)
{
    // Certificates uploaded to the app are expected in the CurrentUser\My store.
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    try
    {
        store.Open(OpenFlags.ReadOnly);
        log.Info("Enumerating certificates");
        foreach (var cert in store.Certificates) {
            log.Info(cert.Subject);
        }
        // validOnly: false, so certificates that do not chain to a trusted root are returned too.
        var col = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (col == null || col.Count == 0)
        {
            return null;
        }
        return col[0];
    }
    finally
    {
        store.Close();
    }
}

Two certificates were uploaded to the Azure Function and the setting WEBSITE_LOAD_CERTIFICATES was added as well and set to either * or to the thumbprint of the required certificate, but to no avail.

The GetCertificate method should print a list of all certificates in the store, but the store is empty.

Any clues on how to solve this?

Henning Krause
  • did you try searching for a similar problem for webjobs? since the solution would be identical – 4c74356b41 Dec 07 '16 at 09:31
  • Yes. They all suggest that the approach outlined in the link above should work. But it doesn't. – Henning Krause Dec 07 '16 at 09:33
  • I always use StoreLocation.LocalMachine when I access a cert in azure. I haven't tried in Functions but in other WebApps and CloudService it works with that LocalMachine – dave000 Dec 07 '16 at 10:03
  • LocalMachine does have a few certificates, however not those I uploaded via the Azure Portal. – Henning Krause Dec 07 '16 at 10:07
  • Okay... I tried and had the same problem. Then tried again, but this time I created the function selecting App Service Plan and not Hosting Plan... and also made sure that when I copy-paste the Thumbprint to settings I checked that there are no extra non-printable chars added and I got your code just working!!! Try following the steps and let me know if you succeed! – dave000 Dec 07 '16 at 10:44
  • Indeed, if I switch to the AppService Plan, I get the certificates. Seems it's not supported in the other hosting scenario. How unfortunate. – Henning Krause Dec 07 '16 at 13:36
  • Created an issue on github: https://github.com/Azure/azure-webjobs-sdk-script/issues/1032 – Henning Krause Dec 07 '16 at 13:48

1 Answer

8

UPDATE: Client certificates are now supported in the Consumption plan.

Client certificates are not yet supported in our Consumption plan, only in App Service plan. This is tracked by an issue in our repo here. We're working on it - please follow that issue for status. Thanks.

Erik Oppedijk
mathewc
  • it seems that it can be done now via Azure Keyvault, uploading a certificate in the Function App and then retrieving the content via a secret in the function – Horia Toma Mar 12 '18 at 17:23
  • 3
    It should now be supported in both Consumption and App Service plans. I think the answer should be updated to reflect that. – Ehtesh Choudhury Jul 30 '18 at 23:32
  • 1
    It works now on consumption plan and also app service and here is my full answer on how to deal with it: https://stackoverflow.com/questions/53778977/how-to-manage-signed-certificates-with-azure-function-v2/53780469#53780469 – Marzouk Dec 21 '18 at 15:04
  • 1
    How to find the certificate on LINUX consumption plans? – Lorenzo Melato Sep 17 '20 at 15:58
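
A lookup helper that separates the failure modes discussed in this thread: an empty CurrentUser\My store versus a thumbprint that no longer matches after copy-paste. This is an added example, not code from the question, the answer or the Azure Functions project; the class and method names are hypothetical, and it assumes app settings are readable as environment variables.

```csharp
// Added example; CertificateLookup and its members are hypothetical names.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class CertificateLookup
{
    // Keep only hex digits: drops spaces, colons and non-printable
    // characters that a copy-paste can add to a thumbprint.
    public static string NormalizeThumbprint(string raw) =>
        new string((raw ?? "").Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    // Returns the certificate, or null with 'reason' naming the failure mode.
    public static X509Certificate2 Find(string rawThumbprint, out string reason)
    {
        string thumbprint = NormalizeThumbprint(rawThumbprint);
        if (thumbprint.Length != 40) // a SHA-1 thumbprint is 40 hex digits
        {
            reason = $"Thumbprint has {thumbprint.Length} hex digits, expected 40.";
            return null;
        }
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection all = store.Certificates;
            if (all.Count == 0)
            {
                // Assumption: the app setting is exposed as an environment variable.
                string setting = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
                string state = string.IsNullOrEmpty(setting) ? "not set" : "set";
                reason = $"CurrentUser\\My is empty; WEBSITE_LOAD_CERTIFICATES is {state}. Check the setting and the hosting plan.";
                return null;
            }
            // validOnly: false, so self-signed certificates are returned as well.
            X509Certificate2Collection hits = all.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count == 0)
            {
                reason = $"{all.Count} certificate(s) loaded, none matches the thumbprint.";
                return null;
            }
            // A client certificate is only usable for authentication with its private key.
            reason = hits[0].HasPrivateKey ? "Found." : "Found, but without a private key.";
            return hits[0];
        }
        finally { store.Close(); }
    }
}
```

Log the `reason` string rather than certificate subjects or the raw setting value, so the function's logs do not expose which certificates the app holds.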