TylerStutheit-1527 asked lokanathdas-0745 edited

Adding trust to root certificate store on an App Service

I have inherited an App Service in Azure, and need to add a trusted root certificate to the App Service’s root certificate store. We have “Client Certificate Mode” set to Required, and the root CA for the client certificate needs to be trusted for the user to access the hosted Web App.

I found several articles online which refer to the approach of adding the .cer certificate to an App Service Environment (ASE) and then creating an application setting (WEBSITE_LOAD_ROOT_CERTIFICATES) on the App Service which should result in the certificate being present in the Cert:\LocalMachine\Root certificate store. Ref: https://docs.microsoft.com/en-us/azure/app-service/environment/certificates

The App Service I inherited does not reside in an ASE, so I performed both of these actions on the App Service itself, and the certificate is not present in Cert:\LocalMachine\Root nor Cert:\CurrentUser\Root. It is, however, present in Cert:\CurrentUser\My certificate store.

When users attempt to access the App Service, the event log records a root certificate error, and we believe that the root CA related to the client’s certificate needs to be added to the Root certificate store on the App Service. We have tried the method above, and we have also attempted to install the certificate using the Kudu PowerShell, but receive access denied messages.

Does anyone have documentation on how to add trust to the root certificate store on an App Service without an App Service Environment?

azure-webapps-security

Any luck on smart card auth on an App Service? Working on accomplishing this myself and am trying to avoid manual certificate chain validation


I'm working on a related problem where I would need to consume an internal web service that is using domain managed root-CA. This seems to be equally impossible but in this case it appears that it might be possible to create a working solution with an application gateway as a middleware in between the app and the service that can handle custom CA's.


1 Answer

SnehaAgrawal-MSFT answered lokanathdas-0745 edited

Thanks for asking the question! If I have understood correctly, you want to add trust to the root certificate store on an App Service and not an App Service Environment. If so, unfortunately, it is not possible to add root certificates to an App Service. The security implications would be quite bad if that were possible.
To use a certificate in App Service, the certificate must meet all the following requirements:
• Signed by a trusted certificate authority
• Exported as a password-protected PFX file
• Contains a private key at least 2048 bits long
• Contains all intermediate certificates in the certificate chain

SSL is offloaded on the shared Azure front-end which is not accessible. However, if you are not looking to secure a custom domain with an SSL binding you should be able to upload the certificate and use it in code. Please see the following documentation regarding configuring certificates in App Service.
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code

However, what you can do is override the framework code for SSL verification to include your particular cert. Refer to this SO link

Also, there is a User Voice feedback item created on this which you may upvote. The product group monitors this site for feedback. This is the best way to ensure you are heard, and you may receive a response depending on how much information they can currently share.
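As an added example (not code from the answer, Microsoft's documentation or the asker's app), this is what "upload the certificate and use it in code" can look like in an ASP.NET Core (.NET Core 2.0 or later) app: the client certificate is chained to the private root CA in application code with a custom trust store, so the unmodifiable machine root store and its UntrustedRoot result are bypassed. It assumes the root CA was uploaded to the App Service and its thumbprint listed in the WEBSITE_LOAD_CERTIFICATES app setting (which places it in Cert:\CurrentUser\My, the store the asker found the certificate in), and that the forwarded client certificate arrives base64-encoded in the X-ARR-ClientCert request header.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer.
// Assumptions: the private root CA's thumbprint is listed in WEBSITE_LOAD_CERTIFICATES,
// so the platform loads it into Cert:\CurrentUser\My; the client certificate is
// forwarded base64-encoded in the X-ARR-ClientCert request header.
public static class ClientCertValidator
{
    // Find the uploaded root CA in CurrentUser\My by thumbprint (hex, no spaces).
    public static X509Certificate2 LoadRootFromPersonalStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException(
                "Root CA not in CurrentUser\\My; check WEBSITE_LOAD_CERTIFICATES.");
        return found[0];
    }

    // Decode the certificate that the App Service front end forwarded in the header.
    public static X509Certificate2 ParseForwardedClientCert(string headerValue)
    {
        return new X509Certificate2(Convert.FromBase64String(headerValue));
    }

    // Build the chain with CustomRootTrust: only our root is trusted and the machine
    // root store (which cannot be changed on App Service) is ignored entirely.
    public static bool IsIssuedByTrustedRoot(
        X509Certificate2 clientCert, X509Certificate2 rootCa, out string failureReason)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(rootCa);
        // Private CAs rarely expose CRL/OCSP endpoints reachable from App Service;
        // pick the revocation mode deliberately instead of inheriting the default.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(clientCert);
        failureReason = ok ? string.Empty
            : string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
        return ok;
    }
}
```

Call IsIssuedByTrustedRoot from the request pipeline (for example an authentication handler) and reject the request when it returns false; the failureReason string is what to log for the event described in the question.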



Why would the security implications be worse for adding custom trust to a stand-alone App Service, but acceptable in an App Service Environment, as detailed in the initial link I referenced?

Our use case involves users logging into the system using smart card certificates. We force the browser to collect the certificate via setting Client Certificate Mode to Required, and need to validate this certificate against the Root Certificate Authority associated with the smart card. We're receiving the server error before the certificate is ever passed to our code.


Thanks for the reply! In the case of App Service, the front ends don't do any certificate validation on the incoming client cert. So, the client cert should have flowed to the client application. Could you please confirm if this is not the case?


Hi Sneha
I am sending a certificate in an HTTP request while calling an API deployed as an App Service in Azure. But it is not reaching the client application and is giving the error
UntrustedRoot A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I want to validate the incoming certificate in the Client application. Can you please help me in doing this?


Hi Sneha,

I am facing a similar issue. I am trying to connect to google-apis and I get an sslEOF violation in protocol. Can I use this?


I have a similar scenario: validating the client certificate before using it. The client will upload a certificate for every transaction, but I don't think that exists to date in App Service. Every time it's UntrustedRoot. Any way to handle this?
