"Certificate does not contain any CA certificate" error when I create a SSL profile on Azure Application Gateway
Let me explain more about the scenario. I have a web application that is hosted on an Azure App Service Plan. I created two certificates "Root" and "Child" with the blow command:
Generate root cert:
$pwd = ConvertTo-SecureString -String "123" -Force -AsPlainText
$filepath = 'C:\Users\Desktop\certificates\'
$rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "IdentityServerCN"-Provider "Microsoft Strong Cryptographic Provider"-HashAlgorithm "SHA512"-NotAfter (Get-Date).AddYears(5) -KeyUsageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature
Export-PfxCertificate -cert ('Cert:\LocalMachine\My\' + $rootcert.thumbprint) -FilePath ($filepath+'IdentityServerCertificate.pfx') -Password $pwd
Generate child cert:
$pwd = ConvertTo-SecureString -String "123" -Force -AsPlainText
$scope = "app"
$env = "develoepr"
$filepath = 'C:\Users\Desktop\certificates\test\'
$certname = $scope + "_"+ $env
$childcert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "IdentityServerCN"-Provider "Microsoft Strong Cryptographic Provider"-HashAlgorithm "SHA512"-NotAfter (Get-Date).AddYears(5) -Signer $rootcert -FriendlyName $certname
Export-PfxCertificate -cert ('Cert:\LocalMachine\My\' + $childcert.thumbprint) -FilePath ($filepath + $certname+'.pfx') -Password $pwd
When I directly open the web app URL https://app-test-platform.azurewebsites.net/index.html the application request a certificate. I selecet the child certificate and then the application opened.
Now, I want to move this app behind the Azure Application Gateway and I configure all settings (backend, listeners and etc). Based on this document for this solution I need SSL Profile. First of all, I need to export the trusted CA certificate chain (this document). I have done all steps and when I back to Application Gateway and created an SSL profile I received this error when I want to upload *.cer files.
Failed to save configuration changes to application gateway 'XXXX'. Error: TrustedClientCertificate XXXX/providers/Microsoft.Network/applicationGateways/XXXX/trustedClientCertificates/XXX'>XXXX/XXX does not contain any CA certificate. A CA certificate contains the basic constraint extension with the subject type as CA.
You can use the below powershell command to create the root and leaf certificates for mutual authentication.
Root:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MutualAuthRoot" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -TextExtension @("2.5.29.19={text}CA=true") -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Client:
New-SelfSignedCertificate -Type Custom -DnsName MutualAuthLeaf -KeySpec Signature -Subject "CN=MutualAuthLeaf" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- Azure Service Plan - Convert Consumption App to Premium App
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- Failed to deploy path that does not exist
- what URL should Kestrel listen to in a docker container on Azure App Service
- Native Node.js Metrics in Application Insights
- is it posible to access Azure App Configuration via URL or conected some how as enviroment setting of App Service?
- How can I install packages using the startup command in Azure App Service?
- Override an array in azure app service application settings
- .Net API Azure App Service hangs on startup when under load
- How to get associated AppServicePlan associated with AppService (WebJob) using PowerShell
- Application Error when deploying python EchoBot to the Azure App Service via VS Code. Module not found
- How do I change from Bring Your Own Certificate to Azure Managed for an App Service?
- Attempting to use the Azure Web App 'Identity provider' feature with a web app that uses the Python Azure SDK (azure.identity)
- Disable TipMix and x-ms-routing-name cookie from website
- Issue with webapp or Azure?: This region has quota of 0 PremiumV2 cores for your subscription. Try selecting different region or SKU
- Deploy an ASP.net MVC website to a subfolder of an Azure website?
- Trouble configuring Azure app service from publish in Visual Studio, can't access endpoints
- Azure web app not updating after successful deployment
- Cancellation behavior of .NET 6 API endpoint differs between local and Azure App Service Linux hosting
- Linux azure web app can't find assets files, React app
- App Service Status Running with failed startup
- Azure App Service Plan Consumes 70% of Memory Without Deploying Any Code
- Trying to use WEBSITE_RUN_FROM_PACKAGE = 1 but ZipDeploy failed with [IOException]: The user name or password is incorrect
- Deployment start up file to App Service doesn't work
- Azure Monitoring Diagnostic Settings AppServiceConsoleLogs not showing all console.log lines
- Streaming response in ASP.NET Core 6 Web API working locally but not on Azure web app hosted on windows