19

  • I have added a pfx certificate in azure key vault.

  • I have one asp.net web api application where through one of the endpoint I am trying to access certificate information from key vault.

    public class ValuesController : ControllerBase
{
     public async Task<string> Get()
 {


     AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
     var keyVaultClient = new KeyVaultClient(
         new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

     var secret = await keyVaultClient.GetSecretAsync("<certificateSecretIdentifier>").ConfigureAwait(false);
     X509Certificate2 certificateWithPrivateKey = new X509Certificate2(Convert.FromBase64String(secret.Value));

     return certificateWithPrivateKey.FriendlyName;
 }
}

  • I am using Azure Managed Identity and everything configured correctly.

  • When I am running the web app in local IIS express, there is NO error and endpoint giving me desired result.

  • Now when I am publishing the web app over azure and app service app and trying to call the endpoint, getting this error,

I have added my app service app with azure key vault's access policies (get, list), please suggest what could be the reason?

2020-07-08 03:20:48.986 +00:00 [Error] Microsoft.AspNetCore.Server.IIS.Core.IISHttpServer: Connection ID "16717361818409901973", Request ID "80001f98-0000-e800-b63f-84710c7967bb": An unhandled exception was thrown by the application. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified. at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] data) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData) at Gateway.Controllers.ValuesController.Get() in C:\Work\AzureAdAuth\Gateway\Controllers\ValuesController.cs:line 26 at lambda_method(Closure , Object ) at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult() at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask1 actionResultValueTask) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker) at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT1.ProcessRequestAsync()

Kevin
  • 16,549
  • 8
  • 60
  • 74
user584018
  • 10,186
  • 15
  • 74
  • 160

1 Answers1

41

Reading PFX requires the user profile to be loaded. When we added WEBSITE_LOAD_CERTIFICATES, it basically results in loading the profile on the background and hence we could read the PFX from the filesystem.

ASP.NET and ASP.NET Core on Windows must access the certificate store even if you load a certificate from a file. To load a certificate file in a Windows .NET app, add WEBSITE_LOAD_USER_PROFILE=1 option into the application's settings.

For more details, you could refer to this article.

Joey Cai
  • 18,968
  • 1
  • 20
  • 30
  • 3
    For me things did't work even after setting `WEBSITE_LOAD_USER_PROFILE` to 1 when my app service plan was using `Free` tier. It started to work after I upgraded it to `S1` tier. – RBT Nov 22 '21 at 09:38
  • Thank you @RBT for providing this insight! Having been strugling for hours on how to enable access to a PFX and upgrading to a `B1` tier did the trick! – Tuco Feb 13 '22 at 13:00
  • 1
    But still needed to add the `WEBSITE_LOAD_USER_PROFILE=1` in order to get it working. – Tuco Feb 13 '22 at 13:05
  • I had to redeploy my API app service after adding these settings. – Dušan Aug 24 '23 at 09:56