
I have a webapp hosted on HostGator shared Windows hosting. Inside Plesk, I secured the site with their Let's Encrypt SSL tool which automatically installs the certificate for you on creation. I can see, on visiting the site, that the browser confirms it is secured by Let's Encrypt.

Now, on starting my app, I am trying to obtain the certificate via thumbprint, but it is coming up empty-handed with the following code (note: I have tried both CurrentUser and LocalMachine with the same results):

    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    // Thumbprint is read from app configuration; Single() throws when no certificate matches.
    var x509Store = new X509Store(StoreLocation.CurrentUser);
    x509Store.Open(OpenFlags.ReadOnly);

    var x509Certificate = x509Store.Certificates
        .Find(
            X509FindType.FindByThumbprint,
            builder.Configuration["Config:AzureADCertThumbprint"],
            validOnly: false)
        .OfType<X509Certificate2>()
        .Single();
    x509Store.Close();

So, to dig a bit deeper, I used the following to log all available certs so that I could search through and see what is going on:

    logfile.WriteLine("\r\nExists Certs Name and Location");
    logfile.WriteLine("------ ----- -------------------------");

    foreach (StoreLocation storeLocation in (StoreLocation[])
        Enum.GetValues(typeof(StoreLocation)))
    {
        foreach (StoreName storeName in (StoreName[])
            Enum.GetValues(typeof(StoreName)))
        {
            X509Store store = new X509Store(storeName, storeLocation);

            try
            {
                store.Open(OpenFlags.OpenExistingOnly);

                logfile.WriteLine("Yes    {0,4}  {1}, {2}",
                    store.Certificates.Count, store.Name, store.Location);

                foreach (var cert in store.Certificates)
                {
                    logfile.WriteLine("---" + cert.Thumbprint + " name: " + cert.Subject);
                }
            }
            catch (CryptographicException)
            {
                logfile.WriteLine("No           {0}, {1}",
                    store.Name, store.Location);
            }
        }
        logfile.WriteLine();
    }

I see lots of certs in the stores, and even some Let's Encrypt certs, but none of them with a matching thumbprint. To be more thorough, I used openssl to calculate the thumbprint in SHA-256, SHA-1, and MD5. None of those had matches in my logs. Note: the SHA-1 calculation is the thumbprint I was given on certificate creation.

At this point, I am totally stumped at what is going on and how to proceed. All help is appreciated, thanks!

  • `StoreLocation.CurrentUser` will search the user store for the *current* user, i.e. you. Does the web site run under your identity, or is there a service account? Maybe try checking `CurrentUser` store for the service account. – John Wu Jun 27 '23 at 18:34
  • There are Let's Encrypt certificates under CA for both CurrentUser and LocalMachine. The issue for all of them, though, is they do not match the thumbprint I have for my certificate. Not sure how to check the identity the site is running under, as I do not have IIS access through Plesk beyond being able to start/stop/recycle the app pool. – ASpaceWorm Jun 27 '23 at 18:47
  • Did you install the certificates for all users or just the admin? – jdweng Jun 27 '23 at 18:50
  • @jdweng I'm not sure what or where Plesk installs the certificates. They just have a tool that automatically generates the certificate from Let's Encrypt and installs it for your domain. Since it's shared hosting, I would think it would be admin and not all users, but that's just a guess. – ASpaceWorm Jun 27 '23 at 22:53
  • You can view local certificates in any browser properties. They are installed in both the user and machine stores, which are in the user temporary work area, and also are in the registry (both user and machine). When an HTTPS request is made, prior to the request being sent, a TLS-encrypted connection is set up by the OS. So the OS needs access to the certificate, and then after the connection is made the user needs access to the certificate. Checking the browser properties you will see the certificates that are loaded. – jdweng Jun 27 '23 at 23:24
  • @jdweng When I view the certificate through Firefox, it has the thumbprint I am looking for, but there is no info as to if it's installed for admin or all users. So, I'm not sure where the server is pulling the cert from if it's not in any of the stores. – ASpaceWorm Jun 28 '23 at 16:41

1 Answer

Let's Encrypt tools such as certbot do not install SSL certificates into certificate stores nor should they.

The certificates (certificate, chain, and key) are stored as files on the file system.

The Let's Encrypt root CA and intermediate CA certificates are already trusted by the OS. The root CA certificate will be in "Trusted Root Certificate Authorities" and the intermediates will be in "Intermediate Certificate Authorities" for the machine.

All that is left is the server leaf certificate and there is no need to put that into any store. The only time you might consider storing the server leaf certificate is if it is self-signed.

Certificate thumbprints can be SHA-256, SHA-1, or MD5. Make sure you are checking for the correct type. A simple method to guess the thumbprint algorithm is to compare the length. For example, MD5 is 16 bytes, SHA-1 is 20 bytes, and SHA-256 is 32 bytes.

John Hanley
  • Well, that explains why I am not seeing the leaf certificate in the store. I am seeing SHA-1 thumbprints in my logs, and only finding a match for the Let's Encrypt CA, not my site's (issued through Let's Encrypt). So this means, I need to be getting the certificate by file? This also presents a problem, as Plesk only allows me to see a portion of the file system. I tried programmatically searching for any .pem files, but came up empty. – ASpaceWorm Jun 29 '23 at 20:26
  • @ASpaceWorm You will probably find the certificates under `/etc/letsencrypt`. Those files are owned by root. The private key is protected. The Let's Encrypt Client determines the storage location. – John Hanley Jun 29 '23 at 20:56
  • So, an issue I am running into now is that it looks like any dirs above my domain level (shared hosting) are totally inaccessible to me. Which makes sense. So, I'm sure Plesk has something going on behind the scenes to serve out my cert when the time comes. Feels like I am out of options here. Would it be insecure to create a dir and upload the cert myself so I can get it there? Trying to use this app to grab secrets from Azure Key Vault and, afaik, I can only register external apps using certificate. – ASpaceWorm Jun 30 '23 at 00:03
  • I cannot comment on your shared host. My question to you is why do you need access to the certificates? Does your shared host want to prevent your access? For example, they provided a free SSL certificate and they want you locked into their platform. I am not sure how Azure Key Vault will help you with your certificate. Unless Key Vault is integrated with your platform, what is the point? – John Hanley Jun 30 '23 at 00:09
  • Since you are starting to learn the lower-level concepts of how web servers work, my recommendation is to switch to a host or another service with your host that provides you with the entire VM. There is a lot more to learn about web servers, SSL certificates, Apache/Nginx configurations, DNS, SSH, etc. – John Hanley Jun 30 '23 at 00:10
  • I currently have and am paying for a SQL server hosted on Azure. In order to protect the connection string, I have it stored in Azure Key Vault. In order to access the Key Vault from an external app, I need to register the app with Active Directory(App Registrations). Part of that process was uploading my certificate, which I was able to download from the Plesk dashboard. Now to new up a SecretClient to connect to the Key Vault, I would have to provide the same credential I used to register the app. Thus the need to get the certificate. – ASpaceWorm Jun 30 '23 at 00:19
  • You can get your web server's public certificate with the OpenSSL command running from your desktop. See this [answer](https://stackoverflow.com/a/7886248/8016720). However, server SSL certificates are not used for connection strings or client authorization. Perhaps you should create a new question clarifying your problem with Azure Key Vault. – John Hanley Jun 30 '23 at 00:36
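The thumbprint-length check from the answer and the "fetch the public certificate from your desktop" suggestion from the last comment, as an added example that is not from the original post or its author. It uses only the Python standard library; the host name and thumbprint under `__main__` are placeholders, and it assumes the thumbprint string may carry openssl-style colons or spaces.

```python
import hashlib
import ssl

# Hex length of each thumbprint algorithm (bytes * 2): MD5 = 16 bytes,
# SHA-1 = 20 bytes, SHA-256 = 32 bytes, as the answer above lays out.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_thumbprint(value: str) -> str:
    """Drop the colons/spaces openssl and certificate UIs insert; return uppercase hex."""
    digits = "".join(ch for ch in value if ch.isalnum())
    if any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError("thumbprint contains non-hex characters")
    return digits.upper()


def guess_algorithm(value: str) -> str:
    """Infer the hash algorithm from the normalized hex length."""
    return ALGO_BY_HEX_LEN.get(len(normalize_thumbprint(value)), "unknown")


def fingerprints_from_pem(pem: str) -> dict:
    """Compute all three thumbprints over the DER bytes (never over the PEM text)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {name: hashlib.new(name, der).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def match_thumbprint(pem: str, expected: str) -> tuple:
    """Return (algorithm, matched) for the expected thumbprint against this certificate."""
    wanted = normalize_thumbprint(expected)
    algo = ALGO_BY_HEX_LEN.get(len(wanted))
    if algo is None:
        return "unknown", False
    return algo, fingerprints_from_pem(pem)[algo] == wanted


if __name__ == "__main__":
    # Placeholder host and thumbprint: substitute your site and the value Plesk showed you.
    leaf_pem = ssl.get_server_certificate(("example.invalid", 443))
    print(match_thumbprint(leaf_pem, "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"))
```

If the configured value matches under SHA-1 but your store search still finds nothing, the leaf certificate is simply not in any store, which is the answer's point.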