1

I need to install a self-signed CA root certificate that is used by one of our applications that uses Client Certificate Authentication with an external provider.

I have uploaded the .PFX client certificate but I also need to install the CA certificate into the trusted roots.

I have googled endlessly on how to do this and everywhere I look it speaks of Web-Roles, Jobs and Workers, Etc.

We don't have any of these on our project and I am not familiar with how they work or the process of creating / using them. We have a standard ASP.NET MVC 5 web application that we publish to an azure app service, that's about it.

How do I get this CA certificate installed on Azure?

I don't mind if I have to use a Web Role / Job / Worker / Whatever but I have never had to configure one before so please advise on how to get setup if that is the correct solution (I.E: If it just requires creating a new project on our VS2015 solution and configuring some deployment settings).

Thanks. G.

Gary Doublé
  • 436
  • 4
  • 17

2 Answers2

1

Looking at this blog post it's not possible.

Do note that we will not install new Root certificates in our Trusted Authorities as a result of this, just the intermediate certificates.

That leaves you with two options:

  1. Use an Azure Virtual Machine
  2. Ignore the fact that the certificate is not trusted by Azure

If possible it would be better to handle the certificate policy in-app - then you are in complete control. Assuming you are using .NET then you can either implement an ICertificatePolicy with your own validation or just ignore the "error" as per this SO asnwer.

Community
  • 1
  • 1
Jason Elkin
  • 547
  • 3
  • 14
0

If you are happy to run your application on a web or worker role in a cloud service, you can use start-up taks. A start-up task can be either a .bat file or PowerShell script that is executed prior to starting your application. You can also run these scripts elevated if you want.

See also: - https://learn.microsoft.com/nl-nl/azure/cloud-services/cloud-services-startup-tasks - https://social.msdn.microsoft.com/Forums/azure/en-US/96926ae6-0cbf-4d00-9dd4-bbe86f93737e/add-certificate-file-to-trusted-root-ca-using-startup-task?forum=windowsazuredevelopment

Henry Been
  • 363
  • 2
  • 12