How to successfully attach a request TLS certificate on a HTTP Request on ASP.NET Core 6 in Azure?

Marco de Melo Vidal 25 Reputation points
2023-07-18T21:06:32.46+00:00

Hi, there!

My application is developed in ASP.NET Core 6 (.NET 6) and it is running on an Azure App Service instance, running Windows. I need it to communicate over HTTPS with another application on the Internet - also hosted in Azure - that requires my application to attach a certificate to the requests (MTLS).

It is working on my development computer (Windows 10), but it does not when deployed to the App Service.

In my development computer:

  • I added the .pfx certificate they provided me to the Windows Certificate Store because it did not work loading the certificate as a file. It worked adding it into the User Store and setting the key as exportable. This is how I am using it locally;
  • The certificate is provided when the HTTP client responsible for this communication is injected during startup, as follows:
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

services.AddHttpClient<IIntegrationClient, IntegrationClient>()
    .ConfigurePrimaryHttpMessageHandler(() =>
    {
        // Look the certificate up in the current user's personal store (CurrentUser\My)
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadOnly);
        var certificate = store.Certificates
            .Find(X509FindType.FindByThumbprint, "<THUMBPRINT>", false)
            .First();

        // Attach the certificate so the handler presents it during the TLS handshake
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(certificate);

        return handler;
    });

It works as expected.

In the Azure App Service:

  • I imported the certificate using the option Certificates > Bring your own certificates (.pfx) with its password. It is shown with a green checkmark and marked as "No action needed";
  • As recommended by the documentation, I registered an application setting named WEBSITE_LOAD_CERTIFICATES with value *. I developed an experimental endpoint to check whether the application can access the certificate when finding it by thumbprint, and it works as expected.

However, it does not work. The request is sent (no exceptions are thrown), but I receive the following response:

<html>
	<head>
		<title>400 The SSL certificate error</title>
	</head>
	<body>
		<center>400 Bad Request</center>
		<center>The SSL certificate error</center>
		<center>Microsoft-Azure-Application-Gateway/v2</center>
	</body>
</html>

I also tried to:

  • Load the certificate as a file, via new X509Certificate2(path + "certificate.pfx", "<PASSWORD>", X509KeyStorageFlags.MachineKeySet) as PFX or X509Certificate2.CreateFromPemFile(path + "certificate.pem", path + "certificate.key") as PEM

But it does not work as well.

Thanks in advance.

Best regards.


Accepted answer
Konstantinos Passadis 19,586 Reputation points MVP
2023-07-18T21:19:28.88+00:00

    Hello @Marco de Melo Vidal !

    Welcome to Microsoft QnA!

    Please see here (from https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code):

    Load certificate in Windows apps

    The WEBSITE_LOAD_CERTIFICATES app setting makes the specified certificates accessible to your Windows hosted app in the Windows certificate store, in Current User\My.

    So in your case:

    So, you have to adjust the StoreLocation to CurrentUser as you did in your development environment.

    Also:

    You need to specify the X509KeyStorageFlags flag Exportable when loading the certificate to allow the private key of this certificate to be exported.


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
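The following is an added example, not code from the question or from the accepted answer. It puts the two pieces of advice from this thread together: read the certificate from CurrentUser\My (the store WEBSITE_LOAD_CERTIFICATES populates on a Windows App Service) and, if it is loaded from a .pfx file instead, pass X509KeyStorageFlags.Exportable together with the MachineKeySet flag the question already used. Before the certificate is handed to HttpClientHandler it is checked for the conditions that otherwise fail silently at handshake time: wrong thumbprint, no private key, or an expired certificate. The configuration keys ClientCert:Thumbprint, ClientCert:PfxPath and ClientCert:PfxPassword, and the minimal IIntegrationClient/IntegrationClient types, are assumptions made so the example compiles on its own.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Minimal stand-ins for the typed client named in the question (assumed, not the real types).
public interface IIntegrationClient { }
public sealed class IntegrationClient : IIntegrationClient
{
    public IntegrationClient(HttpClient http) => Http = http;
    public HttpClient Http { get; }
}

public static class ClientCertificateSetup
{
    // Loads the mTLS client certificate. On a Windows App Service with WEBSITE_LOAD_CERTIFICATES set,
    // the imported certificate is available in CurrentUser\My, so the store is tried first.
    public static X509Certificate2 LoadClientCertificate(IConfiguration config)
    {
        // Assumed configuration key; on App Service this would be an application setting.
        var thumbprint = config["ClientCert:Thumbprint"]
            ?? throw new InvalidOperationException("ClientCert:Thumbprint is not configured.");

        X509Certificate2? certificate;
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadOnly))
        {
            // validOnly: false so an expired or untrusted certificate is still found and
            // reported by ValidateForClientAuth instead of simply being absent.
            certificate = store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
        }

        // Fallback: load the .pfx from disk. Exportable is what the accepted answer recommends so the
        // private key is usable; MachineKeySet (from the question) avoids depending on a user profile.
        if (certificate is null)
        {
            var pfxPath = config["ClientCert:PfxPath"]   // assumed key
                ?? throw new InvalidOperationException(
                    $"Certificate {thumbprint} not found in CurrentUser\\My and no PFX path configured.");
            certificate = new X509Certificate2(pfxPath, config["ClientCert:PfxPassword"],
                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
        }

        ValidateForClientAuth(certificate, thumbprint);
        return certificate;
    }

    // Fails fast on the client-side conditions that produce a rejected or empty client certificate.
    // It cannot tell whether the remote gateway trusts the issuing CA; that is decided server-side.
    public static void ValidateForClientAuth(X509Certificate2 cert, string expectedThumbprint)
    {
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Loaded certificate thumbprint {cert.Thumbprint} does not match expected {expectedThumbprint}.");

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Client certificate has no private key; the TLS handshake cannot sign with it.");

        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException(
                $"Client certificate is outside its validity window ({cert.NotBefore:u} to {cert.NotAfter:u}).");
    }

    // Registers the typed client so every request it sends presents the client certificate.
    public static IServiceCollection AddMtlsIntegrationClient(this IServiceCollection services, IConfiguration config)
    {
        services.AddHttpClient<IIntegrationClient, IntegrationClient>()
            .ConfigurePrimaryHttpMessageHandler(() =>
            {
                var handler = new HttpClientHandler
                {
                    // Manual: only the certificates added below are offered to the server.
                    ClientCertificateOptions = ClientCertificateOption.Manual,
                };
                handler.ClientCertificates.Add(LoadClientCertificate(config));
                return handler;
            });
        return services;
    }
}
```

Usage in Program.cs would be builder.Services.AddMtlsIntegrationClient(builder.Configuration). Because the lambda passed to ConfigurePrimaryHttpMessageHandler runs each time the factory creates a new primary handler (every two minutes by default), the store is re-read and a rotated certificate is picked up without a restart, and a missing or expired certificate surfaces as an exception with a specific message rather than as a 400 from the far side.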

