Hi, there!
My application is developed in ASP.NET Core 6 (.NET 6) and it is running on an Azure App Service instance, running Windows. I need it to communicate over HTTPS with another application on the Internet - also hosted in Azure - that requires my application to attach a certificate to the requests (mTLS).
It is working on my development computer (Windows 10), but it does not when deployed to the App Service.
In my development computer:
- I added the `.pfx` certificate they provided me to the Certificate Store of Windows, because loading the certificate as a file did not work. It worked after adding it into the User Store and setting the key as exportable. This is how I am using it locally;
- The certificate is provided when the HTTP client responsible for this communication is injected during startup, as follows:
```csharp
using System.Linq;
using System.Security.Cryptography.X509Certificates;

services.AddHttpClient<IIntegrationClient, IntegrationClient>()
    .ConfigurePrimaryHttpMessageHandler(() =>
    {
        // Look the certificate up in the current user's personal store by thumbprint
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadOnly);
        var certificate = store.Certificates
            .Find(X509FindType.FindByThumbprint, "<THUMBPRINT>", false)
            .First();

        // Attach it as the client certificate for every request made through this client
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(certificate);
        return handler;
    });
```
It works as expected.
In the Azure App Service:
- I imported the certificate using the option Certificates > Bring your own certificates (.pfx) with its password. It is shown with a green checkmark and marked as "No Action needed";
- As recommended by the documentation, I registered an application setting named `WEBSITE_LOAD_CERTIFICATES` with value `*`. I developed an experimental endpoint to check whether the application can access the certificate when finding it by the thumbprint, and that works as expected.
However, it does not work. The request is sent (no exceptions are thrown), but I receive the following response:
```html
<html>
<head>
<title>400 The SSL certificate error</title>
</head>
<body>
<center>400 Bad Request</center>
<center>The SSL certificate error</center>
<center>Microsoft-Azure-Application-Gateway/v2</center>
</body>
</html>
```
I also tried to:
- Load the certificate as a file, via `new X509Certificate2(path + "certificate.pfx", "<PASSWORD>", X509KeyStorageFlags.MachineKeySet)` as PFX, or `X509Certificate2.CreateFromPemFile(path + "certificate.pem", path + "certificate.key")` as PEM.
But it does not work either.
Thanks in advance.
Best regards.
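As an added diagnostic example (not the poster's code), assuming the certificate thumbprint and a logging delegate are supplied by the caller: it loads the certificate the same way the question does and logs the properties the remote side depends on (accessible private key, validity period, chain to a trusted root) before handing it to the handler, so a certificate that cannot complete the TLS handshake is visible in the App Service logs rather than only as a 400 from the gateway.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertificateDiagnostics
{
    // Loads the certificate by thumbprint from CurrentUser\My, which is where
    // WEBSITE_LOAD_CERTIFICATES places it on a Windows App Service, and logs
    // the checks an mTLS peer performs. 'thumbprint' and 'log' are assumed inputs.
    public static X509Certificate2 LoadAndCheck(string thumbprint, Action<string> log)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadOnly);
        var cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .FirstOrDefault()
            ?? throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser\\My");

        log($"Subject: {cert.Subject}, NotBefore: {cert.NotBefore:u}, NotAfter: {cert.NotAfter:u}");
        // Without a usable private key the client cannot sign the CertificateVerify
        // message, so the handshake fails even though the certificate was found.
        if (!cert.HasPrivateKey)
            log("WARNING: certificate has no accessible private key");
        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            log("WARNING: certificate is outside its validity period");

        // Build the chain locally: if the issuing CA cannot be resolved here, the
        // intermediates are unlikely to be sent to the peer, so log every element.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        var built = chain.Build(cert);
        foreach (var element in chain.ChainElements)
            log($"Chain element: {element.Certificate.Subject}");
        foreach (var status in chain.ChainStatus)
            log($"Chain status: {status.Status} ({status.StatusInformation.Trim()})");
        log(built ? "Chain built to a trusted root" : "Chain could not be built to a trusted root");
        return cert;
    }

    // Handler factory mirroring the question's ConfigurePrimaryHttpMessageHandler,
    // presenting the certificate explicitly (Manual) after running the checks above.
    public static HttpClientHandler CreateHandler(string thumbprint, Action<string> log)
    {
        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(LoadAndCheck(thumbprint, log));
        return handler;
    }
}
```

Wire it in with `.ConfigurePrimaryHttpMessageHandler(() => ClientCertificateDiagnostics.CreateHandler("<THUMBPRINT>", msg => logger.LogInformation(msg)))` and compare the logged chain with what the remote gateway expects.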