Hi @Marley Gray, I'm glad that you were able to resolve your issue.
Thanks for taking the time to share a detailed answer with your solution so that others experiencing the same thing can easily reference this!
Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue:
- You had an issue with your ASP.NET Core 8 Web API application when you tried to load certificates. Despite having the environment variable `WEBSITE_LOAD_CERTIFICATES` set with the thumbprints or `*`, the application threw a `System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores`.
- This issue persisted regardless of whether the application is deployed using Docker or .zip.
- You had another web application that uses certificates in the same manner and worked fine.
Solution:
- Ultimately, loading the certificates directly from AKS instead of having them injected into the container by the App Service resolved your issue
- You wrote an AKS provider that used `DefaultAzureCredential` to fetch the same certificates you uploaded, which helped to resolve the issue:
```csharp
...
options.AddEncryptionCertificate(AksConfigurationProvider.GetEncryptionCertFromAks());
...
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using System.Security.Cryptography.X509Certificates;
internal static class AksConfigurationProvider
{
    private const string AksUri = "https://<your-vault>.vault.azure.net/"; // placeholder, not given in the post
    private const string EncryptionCertName = "<encryption-cert-name>";    // placeholder, not given in the post
    public static X509Certificate2 GetEncryptionCertFromAks() => GetCertFromAks(EncryptionCertName);
    // Authenticates with DefaultAzureCredential (e.g. the app's managed identity) and downloads the certificate together with its private key
    private static X509Certificate2 GetCertFromAks(string certName)
    {
        var client = new CertificateClient(vaultUri: new Uri(AksUri),
            credential: new DefaultAzureCredential());
        X509Certificate2 certificate = client.DownloadCertificate(certName); // Response<X509Certificate2> converts implicitly
        return certificate;
    }
}
```
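For readers hitting the same exception, here is an added illustration (not part of the original post or the author's code) of the .NET behaviour behind it: on Linux, `X509Store` only supports `LocalMachine` for the `Root` and `CertificateAuthority` stores, so a lookup in `LocalMachine/My` throws while `CurrentUser/My` is the supported personal store. The thumbprint argument is a placeholder you supply; the helper also reports whether the returned certificate carries a private key, which is what the encryption/signing usage above requires.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

internal static class CertStoreProbe
{
    // Tries LocalMachine/My first (works on Windows), then CurrentUser/My (the store
    // .NET supports for personal certificates on Linux). Returns null if nothing matches.
    public static X509Certificate2? FindByThumbprint(string thumbprint)
    {
        foreach (var location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        {
            try
            {
                using var store = new X509Store(StoreName.My, location);
                store.Open(OpenFlags.ReadOnly);
                var matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (matches.Count > 0)
                {
                    var cert = matches[0];
                    // A certificate without its private key cannot be used for decryption or signing.
                    Console.WriteLine($"Found in {location}/My, HasPrivateKey={cert.HasPrivateKey}");
                    return cert;
                }
            }
            catch (CryptographicException ex)
            {
                // On Unix this is the "Unix LocalMachine X509Store is limited to the Root and
                // CertificateAuthority stores" error from the post; fall through to CurrentUser.
                Console.WriteLine($"{location}/My unavailable: {ex.Message}");
            }
        }
        return null;
    }

    // Placeholder thumbprint for a local run; replace with one of your own certificates.
    public static void Main() =>
        Console.WriteLine(FindByThumbprint("<THUMBPRINT-PLACEHOLDER>") is null ? "not found" : "found");
}
```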