
I have a webjob getting a certificate from Azure Key Vault service, and locally I have no problem accessing/retrieving this cert from KV. However, when this webjob gets deployed, I get this error:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at Microsoft.Ambassadors.Infrastructure.KeyVaultService.<GetCertificateAsync>d__7.MoveNext() in C:\Source\Repos\Xbox.Ambassadors\Microsoft.Ambassadors.Azure\Microsoft.Ambassadors.Infrastructure\KeyVaultService.cs:line 0

I have registered the app (where this webjob is hosted) with AAD, and it has read-only access to the KV space. I have found a couple of relevant (I think..?) posts regarding this:

"An internal error occurred." when loading pfx file with X509Certificate2

X509Certificate Constructor Exception

but I'm not really sure if this is something that I can do in my case...? If anyone can help, that would really be great! Thanks :D

Sahngah Lee

2 Answers


I had this same problem, except I was deploying to an Azure web app. I fixed it by adding X509KeyStorageFlags.

```csharp
// Key Vault hands the PFX back as a base64-encoded secret value
SecretBundle secretBundle = await keyVaultClient.GetSecretAsync(_keyVaultOptions.IdentitySigningCredentialUri);
// MachineKeySet stores the private key under the machine profile, which (unlike the
// user profile) is available to an App Service / WebJob process
_signingCredential = new X509Certificate2(Convert.FromBase64String(secretBundle.Value), string.Empty,
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
```
Brian Redd
  • Hey Brian, Thanks for the answer. I actually ended up fixing the issue and this was exactly how I fixed it so this is great! I appreciate it – Sahngah Lee Jan 10 '19 at 18:10
  • @sahngahLee glad I could help! I was banging my head against a wall for a while on this. Could you also up-vote the answer as well? Thanks! – Brian Redd Jan 10 '19 at 20:00
  • Hey, I upvoted but I don't have enough reputation for it to show on public :-( sorry – Sahngah Lee Jan 11 '19 at 20:53
  • Just using `X509KeyStorageFlags.MachineKeySet` should be enough for Azure App Service. – halllo Apr 30 '19 at 11:45
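As an added example (not code from the question or from either answer): a small loader that follows the pattern above but uses only `X509KeyStorageFlags.MachineKeySet`, as halllo's comment suggests, and fails loudly if the blob that came back has no private key. `KeyVaultClient`, `GetSecretAsync` and `SecretBundle` are the same SDK types used in the answer; the class name `KeyVaultCertificateLoader` and the wrapped exception messages are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

// Hypothetical helper name; the loading logic mirrors the answer above.
public static class KeyVaultCertificateLoader
{
    // Loads a PFX that Key Vault exposes as a base64-encoded secret value.
    public static async Task<X509Certificate2> LoadAsync(KeyVaultClient client, string secretIdentifier)
    {
        SecretBundle bundle = await client.GetSecretAsync(secretIdentifier);
        byte[] pfx = Convert.FromBase64String(bundle.Value);

        // MachineKeySet: the private key is written under the machine profile,
        // which exists for an App Service / WebJob process. The default (user
        // profile) is not loaded there, which is what produces "The system
        // cannot find the file specified".
        // PersistKeySet and Exportable are deliberately left out: the key only
        // needs to live as long as this process, and nothing here re-exports it.
        const X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;

        X509Certificate2 cert;
        try
        {
            // Key Vault-issued PFX blobs carry an empty password.
            cert = new X509Certificate2(pfx, string.Empty, flags);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                $"Could not load certificate from secret '{secretIdentifier}'; " +
                "check the key storage flags and the identity's Key Vault access policy.", ex);
        }

        // A certificate without its private key loads fine but cannot sign,
        // so surface that here rather than at first use.
        if (!cert.HasPrivateKey)
        {
            cert.Dispose();
            throw new InvalidOperationException(
                $"Secret '{secretIdentifier}' did not contain a private key.");
        }

        return cert;
    }
}
```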

A very common issue that I see people having is related to permissions. Make sure the application (service principal) that represents your web job has enough permissions in the key vault access policies, because I don't see you mentioning anything about access policy in your question.

Steps -

  1. Go to your key vault access policies
  2. Add a new policy
  3. Select your principal (app that represents web job). Give at least Get permissions for Keys, Secrets and Certificates
  4. Click OK
  5. Click the "save" button on top once the policy blade is done. This is a common step that is missed, and the policy never gets saved.

Look at this SO post for multiple ways to do it. Although that one only talks about secrets, so the permissions you select in checkboxes while adding policy will be different.

If the issue still isn't solved, please post more detailed code for accessing the certificate from the vault, and if your exception stack trace goes any further than what you've already shared, include that as well.

Rohit Saigal