
Add Root CA to Azure App Service for Client Certificate Authentication


I'm building a web app that relies on client certificates for authentication. I've been able to get it running successfully on a Windows VM through IIS though I had to add the Root CAs for the client certificates to the certificate store.

I can't seem to find the place to do a similar thing for when I want to deploy this same app to an Azure App service. What am I missing?

Thanks!


Solution

  • You cannot install custom root certificates for the App Service, but this is not necessary.

    The Azure Web App frontend does not do any certificate validation. Validation is only handled by user code. In Asp.Net Core you usually offload validation to Microsoft.AspNetCore.Authentication.Certificate, which has support for custom certificates.

    Asp.Net Core 5

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNetCore.Authentication.Certificate;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;

    public class Startup
    {
        // Base64-encoded DER of the root CA that issued the client certificates.
        // "ClientCertificateRootCa" is a placeholder configuration key; load the
        // value from app settings or Key Vault rather than hard-coding it.
        private readonly string myRootCertificate;

        public Startup(IConfiguration configuration)
        {
            myRootCertificate = configuration["ClientCertificateRootCa"];
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseAuthentication();

            // other items omitted
        }

        public void ConfigureServices(IServiceCollection services)
        {
            services
                // make certificate auth the default scheme so requests are challenged with it
                .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
                .AddCertificate(options =>
                {
                    // trust only the roots in CustomTrustStore; OS roots are ignored
                    options.ChainTrustValidationMode = X509ChainTrustMode.CustomRootTrust;
                    options.CustomTrustStore = new X509Certificate2Collection(
                        new[]
                        {
                            new X509Certificate2(Convert.FromBase64String(myRootCertificate)),
                        });
                });

            // other items omitted
        }
    }


    Note that with this setting only custom root certificates are supported. All default operating system root certificates will be ignored.

    Asp.Net Core 6

    PR 29828 introduced a way of adding chain certificates:

    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNetCore.Authentication;

    public class CertificateAuthenticationOptions : AuthenticationSchemeOptions
    {
        /// <summary>
        /// Collection of X509 certificates which are added to the X509Chain.ChainPolicy.ExtraStore of the certificate chain.
        /// </summary>
        public X509Certificate2Collection AdditionalChainCertificates { get; set; } = new X509Certificate2Collection();
    }


    These certificates will be used in addition to the ones supported by the operating system - in this case the Azure Web App.
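As an added example (not code from the answer above or from the ASP.NET Core project), a .NET 6 minimal-hosting Program.cs that applies the custom-root approach on App Service: the front end terminates TLS and hands the client certificate to the app as base64 DER in the X-ARR-ClientCert header (the App Service TLS setting that forwards client certificates must be on), so certificate forwarding has to rebuild the certificate before the handler validates its chain against the private root. The configuration key ClientCertificateRootCa and the /whoami endpoint are placeholders I chose.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// Placeholder config key: base64 DER of the private root CA (e.g. from Key Vault).
var rootCa = new X509Certificate2(Convert.FromBase64String(builder.Configuration["ClientCertificateRootCa"]!));
// App Service forwards the client certificate as base64 DER in X-ARR-ClientCert;
// this middleware turns that header back into HttpContext.Connection.ClientCertificate.
builder.Services.AddCertificateForwarding(options =>
{
    options.CertificateHeader = "X-ARR-ClientCert";
    options.HeaderConverter = header => string.IsNullOrWhiteSpace(header)
        ? null!
        : new X509Certificate2(Convert.FromBase64String(header));
});
builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // Only chains that end in our private root are accepted; OS roots are ignored.
        options.ChainTrustValidationMode = X509ChainTrustMode.CustomRootTrust;
        options.CustomTrustStore = new X509Certificate2Collection(rootCa);
        options.Events = new CertificateAuthenticationEvents
        {
            // Chain validation has already passed; bind the certificate to an identity.
            OnCertificateValidated = ctx =>
            {
                var claims = new[]
                {
                    new Claim(ClaimTypes.NameIdentifier, ctx.ClientCertificate.Thumbprint),
                    new Claim(ClaimTypes.Name, ctx.ClientCertificate.Subject),
                };
                ctx.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, ctx.Scheme.Name));
                ctx.Success();
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseCertificateForwarding();   // must run before UseAuthentication
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name).RequireAuthorization();
app.Run();
```

The handler's RevocationMode defaults to Online, so a private CA that publishes no CRL or OCSP endpoint will fail chain building until that option is set to match what the CA actually provides.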