The idsrv4 sample cert worked fine on Azure for me, and I have generated my own self-signed certificate with makecert.exe. It works fine in local testing, but on Azure I get a 500 error.
Is that a problem with the cert, or did I miss some other configuration?
And what do the logs tell you?
It seems to be an error on Azure's side, but the Azure logs didn't tell me anything useful.
When my code is as follows:

```csharp
// Load the signing cert from the .pfx file with the default key storage flags.
var cert = new X509Certificate2(Path.Combine(_environment.ApplicationBasePath, "MySignCA.pfx"), "password1234");
var builder = services.AddIdentityServer(options =>
{
    options.SigningCertificate = cert;
});
```

the Azure server returns a 500 error.
But when I change the code as follows:

```csharp
// Same .pfx, but the private key is stored in the machine key set instead of the user profile.
var cert = new X509Certificate2(Path.Combine(_environment.ApplicationBasePath, "MySignCA.pfx"),
    "password1234",
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
var builder = services.AddIdentityServer(options =>
{
    options.SigningCertificate = cert;
});
```

Azure works fine.
So, is it a problem with my self-signed certificate?
All set?
I'm using the test cert, but it throws an error 500 on Azure deployment with the following error, even when trying with the sample copy.

```
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException
The system cannot find the file specified
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, string fileName, string password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
at hello_2016_01.Startup.ConfigureServices
```
I was having the same issue. I didn't fully understand why Azure couldn't read the cert file, but I managed to get it working using Azure's Cert Store. Upload your signing certificate to your Azure web app, and reference the generated thumbnail key from your code.
(Azure Portal > Web App > Settings > Custom Domains and SSL > Upload Certificate)
Here is how I load the certificate:
```csharp
public X509Certificate2 LoadCertificate()
{
    if (_environment.IsDevelopment())
    {
        return new X509Certificate2(Path.Combine(_environment.ContentRootPath, "your.development.certificate.pfx"), "secret");
    }
    else
    {
        X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        certStore.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certCollection = certStore
            .Certificates
            .Find(X509FindType.FindByThumbprint,
                  "XXXX-XXXX-XXXX-XXXX", // Generated by Azure
                  false);
        if (certCollection.Count > 0)
        {
            X509Certificate2 cert = certCollection[0];
            return cert;
        }
        certStore.Dispose();
        return null;
    }
}
```

```csharp
var builder = ...
var cert = LoadCertificate();
builder.SetSigningCredentials(cert);
```
Hope that helps.
Thanks. It works perfectly. =D
I guess I found the problem: it is due to the changes in the RC2 directory structure, whereby we must have a project.json with "publishOptions" that includes the folder "UI" to allow view files, and maybe we can have a "Certificate" folder to include the signed cert?
I encountered a similar issue with my RC2 project, so I created the following post; hope it helps:
http://www.cubicurve.com/blog/asp-net-core-r2-files-in-root-path-are-not-included-when-publishing-to-azure
No problem :)
@chrisvfabio Are you deploying IdentityServer4 as a Windows-based image? I am trying to deploy essentially the same code as you on top of the microsoft/aspnetcore Docker image, and it's giving me the error: System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
@chrisvfabio, thanks for the script, but I think you are accidentally not disposing certStore in case of success (calling _return_ before _Dispose_). Just put certStore into a using:

```csharp
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    // the rest of the code...
}
```

In addition, for those who may hit the same issue as I did: if you want to use it in Azure Web Apps and you upload the certificate through the portal, you have to add a new setting under "Application settings":
WEBSITE_LOAD_CERTIFICATES (and the value is the thumbprint of the certificate)
Details:
https://msftplayground.com/2016/11/using-certificates-azure-app-services/
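Putting the points from the thread together (the MachineKeySet flags from the first post, the store lookup by thumbprint, the `using` disposal fix, and WEBSITE_LOAD_CERTIFICATES from the comment above), here is an added loader written for this thread; it is not code from the issue or from IdentityServer4. It assumes WEBSITE_LOAD_CERTIFICATES holds exactly one thumbprint, and the .pfx file name and password for local development are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;

// Added example; assumes the thumbprint was placed in the WEBSITE_LOAD_CERTIFICATES
// app setting, so the same value is read back here instead of being hard-coded.
public class SigningCertificateLoader
{
    private readonly IHostingEnvironment _environment;

    public SigningCertificateLoader(IHostingEnvironment environment)
    {
        _environment = environment;
    }

    public X509Certificate2 Load()
    {
        if (_environment.IsDevelopment())
        {
            // Local: load the .pfx from disk. MachineKeySet avoids the per-user key
            // container that is unavailable on App Service (the 500 from the first post).
            return new X509Certificate2(
                Path.Combine(_environment.ContentRootPath, "dev-signing.pfx"), // hypothetical file
                "dev-password",                                                // hypothetical password
                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        }

        // Azure: the portal-uploaded certificate appears in the CurrentUser\My store
        // once WEBSITE_LOAD_CERTIFICATES lists its thumbprint.
        var thumbprint = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("WEBSITE_LOAD_CERTIFICATES is not set.");

        // 'using' disposes the store on every path, including the early return.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint.Trim(), validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Signing certificate not found in store.");
            // A signing cert without its private key fails later with a less obvious error.
            if (!matches[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; cannot sign tokens.");
            return matches[0];
        }
    }
}
```

Failing fast at startup when the certificate is missing or has no private key is preferable to the opaque 500 the original posts describe.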
@chrisvfabio where is the SetSigningCredentials method from? I can't find it anywhere. What is builder an instance of?