Tags: azure, asp.net-core, x509certificate, azure-keyvault

Azure Key Vault Certificate: the key was not found


I am trying to enable Azure Key Vault Certificate authentication for the existing API. We already have secrets and the Azure Key Vault certificate in the Azure Key Vault account. Here's the code to configure the certificate:

    using System.IO;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration; // AddAzureKeyVault comes from the Microsoft.Extensions.Configuration.AzureKeyVault package

    public static IWebHost BuildWebHost() =>
        WebHost.CreateDefaultBuilder()
            .ConfigureAppConfiguration((context, config) =>
            {
                var env = context.HostingEnvironment;
                config.SetBasePath(Directory.GetCurrentDirectory())
                      .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true);

                // Build the file-based configuration first so the vault settings can be read
                var builtConfig = config.Build();

                // Look up the client certificate by thumbprint in the current user's personal store
                X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                store.Open(OpenFlags.ReadOnly);
                var cert = store.Certificates.Find(X509FindType.FindByThumbprint, builtConfig["AzureKeyVault:CertThumbprint"], false);
                config.AddAzureKeyVault(
                    $"https://{builtConfig["AzureKeyVault:Vault"]}.vault.azure.net/",
                    builtConfig["AzureKeyVault:ClientId"],
                    cert.OfType<X509Certificate2>().Single());
                store.Close();
            })
            .UseStartup<Startup>()
            .Build();

On my local computer, I imported the certificate properly, which includes downloading the pfx format.

But the error message I received was:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: 'AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'xxx'

Any idea what causes this?


Solution

  • The message indicates that either the certificate was not imported with its private key (certmgr.msc) or the permissions are not set for the requesting user (when using the machine store - certlm.msc).
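A pre-flight check, added here as an example (not code from the question or the answer), that applies the answer's two causes in code: it loads the certificate by thumbprint, rejects a store entry that has no private key, and confirms the current account can actually sign with that key. The class and method names are assumed; the thumbprint is whatever AzureKeyVault:CertThumbprint holds.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Diagnostic helper (added example; not from the question or the answer).
// Finds the client certificate by thumbprint and checks the two causes the
// answer names before the certificate is handed to AddAzureKeyVault:
//   1. the store entry carries a private key (.pfx imported, not just .cer);
//   2. the account running the process can open and use that private key.
public static class KeyVaultCertCheck
{
    // Assumed signature: thumbprint from configuration, store location chosen by the caller.
    public static X509Certificate2 LoadClientCertificate(string thumbprint, StoreLocation location)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so an expired or untrusted test certificate is still returned
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate with thumbprint {thumbprint} in {location}\\My; " +
                    "check the configured value for stray or hidden characters.");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found but it has no private key: import the .pfx, not the .cer " +
                    "(certmgr.msc for CurrentUser, certlm.msc for LocalMachine).");
            try
            {
                // Signing is what AAD needs for the client assertion; a CryptographicException
                // here usually means the process account lacks read access to the key.
                using (var rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                        throw new InvalidOperationException("Private key is not an RSA key.");
                    rsa.SignData(new byte[] { 1 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    $"Private key exists but '{Environment.UserName}' cannot use it: {ex.Message}", ex);
            }
            return cert;
        }
    }
}
```

Calling LoadClientCertificate(builtConfig["AzureKeyVault:CertThumbprint"], StoreLocation.CurrentUser) in place of the Find/OfType lookup turns the remote AADSTS700027 failure into a local exception that names the missing piece.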