Issue: "The specified network password is not correct" error in Azure App Service

Zubair Siddiqui 25 Reputation points
2023-06-17T08:22:24.16+00:00

Hi,

I am encountering an issue with my Azure App Service where I am consistently receiving the error message "The specified network password is not correct." This error occurs when attempting to load a certificate file (certificate.pfx) in my application code (ASP.NET Web Forms, C#). I have thoroughly investigated the issue and followed several troubleshooting steps, but the problem persists.

Below are the details of the issue:

  1. Issue Description:
  • When running my application code on the Azure App Service, I encounter the error "The specified network password is not correct" when attempting to load a certificate file (certificate.pfx) using the X509Certificate2 constructor.
  • The same code and certificate work correctly on my local machine and local server, indicating that the certificate file and password are valid.

  2. Troubleshooting Steps Performed:
  • Verified the password for the certificate file and confirmed it is correct.
  • Validated that the certificate file is in the correct format (PKCS#12) and not corrupted.
  • Tested with a different certificate to determine if the issue is specific to this particular certificate.
  • Restarted the Azure App Service to ensure it's not an environment-related issue.
  • Enabled detailed error logging, but no additional relevant information was captured.
  • Checked the Azure App Service settings, including security-related configurations, and ensured they are properly configured for certificate access.

  3. Additional Information:
  • I have confirmed that the certificate file (certificate.pfx) is located in the "Certificates" folder within the site\wwwroot directory of my App Service.
  • The certificate file can be accessed and downloaded successfully through the browser by pasting the file path in the address bar.
  • The certificate password contains alphanumeric characters and does not include any special characters that might cause encoding or decoding issues.

Please let me know how I can proceed to resolve this issue. Any guidance or further troubleshooting steps would be greatly appreciated. If there are any specific logs or configurations you need me to provide, please let me know, and I will be happy to assist.

Thank you for your support.


Accepted answer
  1. Bernhard Millauer 80 Reputation points
    2023-06-22T10:15:20.8433333+00:00

    Hi Zubair Siddiqui,

    Thank you for posting your question, it's exactly the same issue we had.
    It's a shame how "husnian ch" was answering your question - he/she (?) didn't even pick up your context.

    Anyway, after some research we found out that Windows Server (which runs the Azure infrastructure if Linux is not used) can't understand the p12/pfx content because of algorithm issues.

    We re-encoded the p12/pfx file as described here: https://kb.globalscape.com/Knowledgebase/11040/Converting-an-Incompatible-PKCS12-Format-File-to-a-Compatible-PKCS12, found by SO: https://stackoverflow.com/a/73969568/660428

    openssl pkcs12 -in prod.p12 -inkey prod.pem -out new_prod.pem
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in new_prod.pem -out new_prod.p12
    

    Depending on your setup you might use passwords in the new export.

    In addition to that we had a follow-up issue that the certificate, even if the initialization works, can't be used for http calls with the message "Can't establish SSL connection".

    The reason for that was that the certificate is initialized with the default certificate storage, which is the User. Because the process is executed in a non-user context (system context), the store is not available.

    Changing this to the machine storage solved that problem as well.

    new X509Certificate2(Path, (string?)null, X509KeyStorageFlags.MachineKeySet); 
    

    I hope this might help you - at least this answer addresses your context :)

    1 person found this answer helpful.
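
A way to confirm the "algorithm issues" described in the accepted answer before re-encoding, as an added example that is not part of the original answer: the script classifies the encryption reported by `openssl pkcs12 -info -noout`. It assumes the incompatibility is the PBES2/AES encryption that OpenSSL 3 writes by default; the function names, the `PFX_PASS` variable and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the encryption used inside a PKCS#12 file from the
# text that `openssl pkcs12 -info -noout` prints (OpenSSL writes it to stderr).

# Reads that text on stdin and prints one line per encrypted container.
# Exit status: 0 = legacy PBE only, 1 = PBES2 present, 2 = nothing recognised.
classify_pfx_info() {
  awk '
    /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
      split($0, part, ": "); split(part[2], alg, ", ")
      kind = (alg[1] == "PBES2") ? "PBES2/" alg[3] : alg[1]
      printf "%s -> %s\n", part[1], kind
      seen++; if (alg[1] == "PBES2") modern++
    }
    END {
      if (!seen)  { print "verdict: no encrypted bags found"; exit 2 }
      if (modern) { print "verdict: PBES2 in use, re-encode for older Windows"; exit 1 }
      print "verdict: legacy PBE only"
    }'
}

# Runs OpenSSL on a real file. The password is read from the PFX_PASS
# environment variable (a name chosen for this example) to keep it out of argv.
check_pfx() {
  openssl pkcs12 -in "$1" -info -noout -passin env:PFX_PASS 2>&1 | classify_pfx_info
}

# Constructed, trimmed sample outputs in the format OpenSSL prints.
sample_modern() {
cat <<'EOF'
MAC: sha256, Iteration 2048
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}
sample_legacy() {
cat <<'EOF'
MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# With a file argument, check that file; otherwise demo on the samples.
if [ $# -gt 0 ]; then check_pfx "$1"; else
  sample_modern | classify_pfx_info || true
  sample_legacy | classify_pfx_info
fi
```

Running it against the file before and after the `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES` export shows whether the re-encoding actually changed both the certificate and key containers.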

1 additional answer

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

