16

For years I was able to upload new pfx files for SSL binding on Azure App Services using the OpenSSL creation method in this Stack Overflow answer:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

However, doing the same now provides this error:

At least one certificate is not valid (Certificate failed validation because it could not be loaded.)

pfx error

What ways can this issue be resolved?

Matthew Steven Monkan
  • 8,170
  • 4
  • 53
  • 71
  • 3
    The comments on the very answer you link (now including mine) tell you that _recent_ OpenSSL (specifically 3.0.0 up) uses a different encryption for PKCS12 by default that Azure doesn't accept, and how to change it back – dave_thompson_085 Jul 16 '22 at 07:27

3 Answers3

35

App Service private certificate requirements

App Service private certificates must meet the following requirements:

  • Exported as a password-protected PFX file, encrypted using triple DES.
  • Contains private key at least 2048 bits long
  • Contains all intermediate certificates and the root certificate in the certificate chain.

Option 1: Use legacy provider in OpenSSL 3+

OpenSSL 3+ no longer uses DES encryption as a default. The original command needs the -legacy and -provider-path (path to legacy.dll) arguments appended:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -legacy -provider-path 'C:\Program Files\OpenSSL-Win64\bin'

Option 2: Let Windows re-encrypt the file

If for some reason your OpenSSL installation does not contain the legacy provider:

Open PowerShell and run this command, replacing -FilePath with the path to your non-working pfx file, and the password -String argument with its respective password:

Import-PfxCertificate -FilePath "pfx file path" -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force) -Exportable

A successful output will look like:

export pfx result

Use this thumbprint to export the cert to a new pfx file, replacing the -Cert, -FilePath, and password -String arguments:

Export-PfxCertificate -Cert Microsoft.PowerShell.Security\Certificate::LocalMachine\My\B56CE9B122FB04E29A974A4D0DB3F6EAC2D150C0 -FilePath 'newPfxName.pfx' -Password (ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force)

Azure should now be able to validate the new pfx file output.

Matthew Steven Monkan
  • 8,170
  • 4
  • 53
  • 71
2

For me, the issue was simply solved by changing the password. My previous password had special characters, which then i changed to only alphabetic letters.

Ashique Razak
  • 487
  • 3
  • 8
  • 1
    This was down-voted, but it solved my issue. OpenSSL was generating an invalid PFX file when the password contained special characters (&@^ in my case). I'm not sure if it was garbled by the shell or an issue with OpenSSL, but removing them worked. – kdh454 May 08 '23 at 19:27
  • 1
    I experienced this too: nonalphanumerical characters in the password prevent Azure from importing the PFX. – Richard Barraclough Aug 01 '23 at 10:57
0

If the specific error is

Error adding private key certificate. At least one certificate is not valid (Certificate failed validation because it could not be loaded)

And if you are using the following script from OpenSSL to generate

openssl pkcs12 -export -out forUploadToAzure.pfx -inkey privateKeyUsedToGenerateCRT.key -in certificateGenerated.crt

And if this is the issue, then....

OpenSSL 3 generates a longer certificate serial number when you run the pfx generation script. I would suggest downloading the OpenSSL 1 from the portal (https://slproweb.com/products/Win32OpenSSL.html) and this should help generate a shorter certificate serial number which Azure pfx import tool will accept

Reference - https://learn.microsoft.com/en-us/answers/questions/192112/error-message-occurs-when-trying-to-upload-pfx-cer.html

J D
  • 707
  • 7
  • 13