c# azure azure-functions .net-standard x509certificate2

How to create certificate from .pfx file on Azure environment?


I'm trying to initialize a new instance of the X509Certificate2 class in C# in an Azure function like this:

X509Certificate2 cert = new X509Certificate2((certPath + @"/integration_certificate.pfx"), "pw", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

This works fine when I execute the function locally, but when it executes on Azure I get the following error:

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)

I've used OpenSSL on Kudu to check that I'm using the correct password, and that checks out. I'm able to read information about the certificate and everything looks correct.

I have also tried uploading the certificate to Azure (looks like the correct way to do it), not including it in the source code, but I can't get that to work either as the private key is only 1024 bits long so Azure doesn't accept it. The certificate is generated by a third party, so I don't think it is possible for me to generate the certificate differently.

Does anyone have any suggestions? I'm currently using .NET Standard 2.0 as target framework btw.


Solution

  • I assume the process should have access as well.

    Also, there are a few requirements it must meet when you upload an SSL certificate in Azure.

    • The certificate must contain a private key.

    • The certificate must be created for key exchange, exportable to a Personal Information Exchange (.pfx) file.

    • The certificate's subject name must match the domain used to access the web site. If you need to serve multiple domains with this certificate, you will need to use a wildcard value or specify subjectAltName values.

    • The certificate should use a minimum of 2048-bit encryption.

    And I am hoping that you have tried the below options while uploading the certificate.

    Attaching the detailed info in the below link for you to try if you haven't tried this earlier.

    Binding the Certificates

    1st Option

    2nd Option
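
A way to check a .pfx against three of the requirements listed in the answer (private key present, 2048-bit minimum, name matches the domain) before uploading it. This is an added example, not code from the question or the answer; it assumes .NET 7 or later (for `MatchesHostname`), and the class name, host name and password are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxUploadCheck
{
    // Returns the requirements from the list above that this PFX does not meet.
    public static List<string> Check(byte[] pfx, string password, string host)
    {
        var problems = new List<string>();
        // Same constructor family as in the question; EphemeralKeySet keeps the
        // private key out of the on-disk key stores (not supported on macOS).
        using var cert = new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
        if (!cert.HasPrivateKey)
            problems.Add("no private key in the PFX");
        using RSA rsa = cert.GetRSAPublicKey();
        if (rsa != null && rsa.KeySize < 2048)
            problems.Add($"RSA key is {rsa.KeySize} bits, below the 2048-bit minimum");
        // MatchesHostname checks subjectAltName DNS entries (wildcards allowed)
        // and falls back to the subject CN when there is no SAN.
        if (!cert.MatchesHostname(host))
            problems.Add($"subject/subjectAltName does not cover {host}");
        return problems;
    }

    // Constructed sample: a throwaway self-signed certificate exported as PFX.
    static byte[] MakeSamplePfx(int bits, string dnsName, string password)
    {
        using RSA key = RSA.Create(bits);
        var req = new CertificateRequest($"CN={dnsName}", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        req.CertificateExtensions.Add(san.Build());
        var now = DateTimeOffset.UtcNow;
        using X509Certificate2 cert = req.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
        return cert.Export(X509ContentType.Pfx, password);
    }

    static void Main()
    {
        foreach (int bits in new[] { 1024, 2048 })
        {
            byte[] pfx = MakeSamplePfx(bits, "app.example.test", "constructed-pw");
            List<string> problems = Check(pfx, "constructed-pw", "app.example.test");
            Console.WriteLine($"{bits}-bit: " + (problems.Count == 0
                ? "meets the checked requirements" : string.Join("; ", problems)));
        }
    }
}
```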