Certenroll on Azure - Generating self signed certificates

Question

I have built a creation self-signing certificates using Certenroll (CERTENROLLLib). All works locally but as soon as I deploy it to Azure I get either:

Server API error: Message: CertEnroll::CX509Enrollment::_CreateRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED), StackTrace: at CERTENROLLLib.IX509Enrollment2.CreateRequest(EncodingType Encoding)
at Foo.Api.Core.Providers.CertificateProvider.GenerateBase64EncodedPfx(String subjectName, Int32 certificateValidityInYears, String password) at Foo.Api.Core.Services.CertificateService.d__4.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Foo.ServerApi.Services.DocumentSigningService.d__7.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Foo.ServerApi.Services.DocumentSigningService.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Foo.ServerApi.Controllers.DocumentController.<>c__DisplayClass10_1.<b__5>d.MoveNext()

if using:

var cert = new CX509CertificateRequestCertificate();
            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");

or

Server API error: Message: CertEnroll::CX509CertificateRequestCertificate::InitializeFromPrivateKey: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER), StackTrace: at CERTENROLLLib.IX509CertificateRequestCertificate2.InitializeFromPrivateKey(X509CertificateEnrollmentContext Context, IX509PrivateKey pPrivateKey, String strTemplateName) at Foo.Api.Core.Providers.CertificateProvider.GenerateBase64EncodedPfx(String subjectName, Int32 certificateValidityInYears, String password) at Foo.Api.Core.Services.CertificateService.d__4.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Foo.ServerApi.Services.DocumentSigningService.d__7.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Foo.ServerApi.Services.DocumentSigningService.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Foo.ServerApi.Controllers.DocumentController.<>c__DisplayClass10_1.<b__5>d.MoveNext()

if using:

var cert = new CX509CertificateRequestCertificate();
            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");

Is there any way how to overcome this issue with Certenroll on Azure?

Edit: final error that lead me to the correct path.

Server API error: Message: CertEnroll::CX509PrivateKey::Create: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND), StackTrace: at CERTENROLLLib.IX509PrivateKey2.Create() at Foo.Api.Core.Providers.CertificateProvider.GenerateBase64EncodedPfx(String subjectName, Int32 certificateValidityInYears, String password) at Foo.Api.Core.Services.CertificateService.d__4.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Foo.ServerApi.Services.DocumentSigningService.d__7.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Foo.ServerApi.Services.DocumentSigningService.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Foo.ServerApi.Controllers.DocumentController.<>c__DisplayClass10_1.<b__5>d.MoveNext()

Related posts - For on-premise deployement : [CryptographicException was unhandled: System cannot find the specified file](https://stackoverflow.com/q/17840825/465053). — RBT, Nov 21 '21 at 08:05

score 2 · Accepted Answer · answered Nov 11 '19 at 11:38

2

use X509CertificateEnrollmentContext.ContextUser in InitializeFromPrivateKey
when creating private key setting privateKey.MachineContext = false;
on Azure add a new Application Setting

WEBSITE_LOAD_USER_PROFILE = 1

that made it work for me

answered Nov 11 '19 at 11:38

Jakub Holovsky

6,543
10
54
98

1

For me things did't work even after setting `WEBSITE_LOAD_USER_PROFILE` to 1 when my app service plan was using `Free` tier. It started to work after I upgraded it to `S1` tier. – RBT Nov 22 '21 at 09:39

Certenroll on Azure - Generating self signed certificates

1 Answers1

Linked