Search code examples
c#ssl-certificateasp.net-core-2.0x509certificate2azure-keyvault

How do I use the private key from a PFX certificate stored in Azure Key Vault in .NET Core 2?

I've written an ASP.NET Core 2.0 website in C# and have Facebook authentication enabled, so it requires HTTPS. I'm using the native Kestrel web server to host the site and have a listener set to take the PFX certificate per MS' documentation. I can't seem to find a way for Kestrel to recognize the private key after recall from Key Vault. I know it's present, as I wrote two debug statements that indicate it is, in fact present.

This is the function that I'm using to retrieve the secret, which is working.

        public static async Task<X509Certificate2> GetKeyVaultCert()
    {
        X509Certificate2 pfx;

        try
        {
            var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
            var secret = await kvClient
                .GetSecretAsync("https://macscampvault.vault.azure.net/secrets/letsencrypt").ConfigureAwait(false);

            byte[] bytes;
            if(secret.ContentType == "application/x-pkcs12")
                bytes = Convert.FromBase64String(secret.Value);
            else
            {
                bytes = new byte[0];
                Console.WriteLine("secret is not PFX!!");
                throw new ArgumentException("This is not a PFX string!!");
            }
            var password = new SecureString();

            var coll = new X509Certificate2Collection();
            coll.Import(bytes, null, X509KeyStorageFlags.Exportable);
            pfx = coll[0];
// File output added in case I end up needing to write cert to container
//          File.WriteAllBytes(Directory.GetCurrentDirectory().ToString() + "/Macs.pfx", bytes);
            Console.WriteLine(pfx.HasPrivateKey);
            Console.WriteLine(pfx.GetRSAPrivateKey());

        }
        catch (Exception ex)
        {
            Console.WriteLine($"There was a problem during the key vault operation\n{ex.Message}");
            throw;
        }

        return pfx;
    }

The debug statements after the assignment call pfx = coll[0]; tell me that this private key exists, but when I try to connect to the website using lynx https://localhost I receive the following exception: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.

So, how do I use the private key? Here's a gist to the file in question.

I already was helped by How to serialize and deserialize a PFX certificate in Azure Key Vault? but after following it, I got to this state.

Solution

  • In your gist you have the following code:

    var keyVaultCert = GetKeyVaultCert().Result ??
    throw new ArgumentNullException("GetKeyVaultCert().Result");
pfx = new X509Certificate2(keyVaultCert.RawData);

    The second line there removes the private key, because the RawData property just returns the DER encoded X.509 object.

    keyVaultCert is already an X509Certificate2 with a private key, you probably want to just use it.

    pfx = GetKeyVaultCert().Result ?? throw etc;