Private CA, signed by Sectigo broke communication on Azure Web App multi-tenant

Hristijan Shurbeski 0 Reputation points
2023-03-19T12:36:12.8433333+00:00

Hi,

I have an issue where my application loads a pfx file from the code and extracts the certificate from there, but the communication with the external endpoint is not working once we host the code on App Service; however, it works when running the application from a local environment.

The previous certificate was directly issued by Sectigo, and back then everything was going smoothly on App Service. The current one is from a private CA signed by a very trusted CA, Sectigo, and with it the communication with the external endpoint cannot be done. Below is the code showing how we import the certificate from the code.

App Service is Multi tenant hosted.

Is there any specific reason why this new certificate which is not self-signed is not working on Azure Web App?

X509Certificate2 certificate = new X509Certificate2(_config.CertificateConfiguration.FilePath, _config.CertificateConfiguration.Password, X509KeyStorageFlags.MachineKeySet);


1 answer

  1. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2023-03-30T19:16:25.4566667+00:00

    Hristijan Shurbeski, just checking in to see if you had a chance to see the previous response.
    As Patchfox suggested, please share more details about your requirement.

    Based on the issue description, just to highlight: App Service has a list of Trusted Root Certificates which you cannot modify in the multi-tenant version of App Service, but you can load your own CA certificate into the Trusted Root Store in an App Service Environment (ASE), which is a single-tenant environment in App Service.
    (The Free, Basic, Standard, and Premium App Service Plans are all multi-tenant, and the Isolated Plans are single-tenant.)

    When an app hosted on Azure App Service tries to connect to a remote endpoint over SSL, it is important that the certificate on the remote endpoint service is issued by a Trusted Root CA. If the certificate on the remote service is a self-signed certificate or a private CA certificate, then it will not be trusted by the instance hosting your app and the SSL handshake will fail with this error:

    'Could not establish trust relationship for the SSL/TLS secure channel'

    In this situation, there are two solutions (based on your scenario/requirement):

    1. Use a certificate that is issued by one of the Trusted Root Certificate Authorities in App Service on the remote server.
    2. If the remote service endpoint certificate cannot be changed or there is a need to use a private CA certificate, host your app on an App Service Environment (ASE) and load your own CA certificate into the Trusted Root Store.

    Kindly check this Root CA on App Service article for more info. Kindly let us know, we will be more than happy to assist you.

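To confirm on the App Service instance itself whether the remote endpoint's chain validates against the platform's root store (the failure mode the answer describes), a diagnostic like the following can be run from the app; this is an added example, not code from the question or from Microsoft, and the endpoint URL is a placeholder. It logs the chain and its status codes without overriding the default trust decision.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added diagnostic: report why the remote certificate chain does or does not
// validate on the hosting instance. The trust decision is left unchanged, so
// an untrusted chain still fails exactly as it would without this callback.
public static class ChainDiagnostics
{
    public static async Task ProbeAsync(string url)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                Console.WriteLine($"Remote subject: {cert?.Subject}");
                Console.WriteLine($"Issuer:         {cert?.Issuer}");
                Console.WriteLine($"SslPolicyErrors: {errors}");
                if (chain != null)
                {
                    // Each element the platform was able to build, leaf first.
                    foreach (var element in chain.ChainElements)
                        Console.WriteLine($"  chain element: {element.Certificate.Subject}");
                    // UntrustedRoot / PartialChain here means the root is not
                    // in the instance's Trusted Root Store (multi-tenant limitation).
                    foreach (var status in chain.ChainStatus)
                        Console.WriteLine($"  status: {status.Status} - {status.StatusInformation}");
                }
                // Accept only what the platform root store already accepts.
                return errors == SslPolicyErrors.None;
            }
        };

        using var client = new HttpClient(handler);
        try
        {
            using var response = await client.GetAsync(url); // placeholder URL supplied by caller
            Console.WriteLine($"HTTP {(int)response.StatusCode}");
        }
        catch (HttpRequestException ex)
        {
            Console.WriteLine($"Request failed: {ex.Message}");
        }
    }
}
```

Run it once from the deployed app (for example behind a temporary admin-only endpoint) and compare the logged status with the same call from the local environment; an UntrustedRoot or PartialChain status only on App Service points to the multi-tenant root store, for which the two options above apply.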
