上传到Azure网站时,不在X509Store中的SSL证书
[英]SSL Certificate not in X509Store when uploaded to Azure Website
问题描述
I have installed a .pfx to my Azure website using the management portal upload certificate. 
我使用管理门户上载证书将.pfx安装到我的Azure网站。
I am now trying to access them using the code below: 我现在正尝试使用以下代码访问它们:
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certificateStore.Open(OpenFlags.ReadOnly);
var certificates = certificateStore.Certificates;
StringBuilder sb = new StringBuilder();
foreach (var certificate in certificates)
{
sb.AppendLine(certificate.Subject);
}
When published to Azure, a bunch of certificates are listed but not the one that one that I have uploaded. 发布到Azure时,会列出一堆证书,但不会列出我上传的证书。
The certificates listed are here: 列出的证书在这里:
CN=WW.azurewebsites.windows.net, OU=CIS(RD), O=Microsoft
CN=FullOSTransport
CN=client.geo.to.stamp.azurewebsites.windows.net
CN=ma.waws-prod-am2-005.azurewebsites.windows.net, OU=OrganizationName, O=Microsoft,
L=Redmond, S=WA, C=US
CN=FullOSTransport
CN=FullOSTransport
I purchased the certificate from Verisign and it appears to be uploaded correctly and does appear in the 'HTTPS' bar in the browser (in Chrome). 我从Verisign购买了证书,它似乎已正确上传,并且显示在浏览器的“HTTPS”栏中(在Chrome中)。
Any help would be really appreciated as I'm at a loss here. 任何帮助都会非常感激,因为我在这里不知所措。
Update 更新
It looks like we would need to convert to a Cloud Service for the above code to work. 看起来我们需要转换为Cloud Service才能使上述代码正常工作。 But can I add the certificates to my app_data folder as suggested here? 但我可以按照此处的建议将证书添加到我的app_data文件夹吗?
http://blog.tylerdoerksen.ca/2015/11/29/pfx-certificate-files-and-azure-web-apps/ http://blog.tylerdoerksen.ca/2015/11/29/pfx-certificate-files-and-azure-web-apps/
This seems to work for Azure-Websites without the use of web roles. 这似乎适用于Azure-Websites而不使用Web角色。
Thanks 谢谢
2 个解决方案
解决方案1
8 2016-01-11 10:29:59
I have faced the similar issue, below is the solution that worked for me. 我遇到过类似的问题,下面是适合我的解决方案。
Solution: 解:
once you have uploaded your certificate through the Azure portal you need to add an appsetting (also through the portal) called WEBSITE_LOAD_CERTIFICATES and set the value for this to the thumbprint of your uploaded certificate. 一旦您通过Azure门户上传了证书,您需要添加名为WEBSITE_LOAD_CERTIFICATES的appsetting(也通过门户网站),并将此值设置为您上载的证书的指纹。 This can be a comma separated list of multiple thumbprints if you want, or even * to load all your uploaded certificates 如果您愿意,这可以是以逗号分隔的多个指纹列表,甚至*可以加载所有上传的证书
Then load ur certificate using the below code. 然后使用以下代码加载您的证书。
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, YOUR_THUMBPRINT, false);
解决方案2
2 2014-06-11 17:20:45
I have installed a .pfx to my Azure website using the management portal upload certificate.
I recently had to go through this process for an Azure Web Site so these are the things I would try in this order to save the time. 我最近不得不为Azure网站完成这个过程,所以这些是我为了节省时间而尝试的顺序。
What you can do to debug? 您可以做什么来调试?
First, remote into the machine and find whether the certificate exists there. 首先,远程进入机器并查找证书是否存在。 You can find that using mmc.exe and add certificates snap-in. 您可以使用mmc.exe找到并添加证书管理单元。 See here for complete instructions. 请参阅此处获取完整说明。
In the case of an Azure Web Site, you have to enable the remote desktop by going into Azure Management Portal , and then create a session into the VM that has your Web Site deployed. 对于Azure网站,您必须通过进入Azure管理门户启用远程桌面,然后在部署了您的网站的VM中创建会话。
Deploying certificates 部署证书
If certificate does not exist, you will have to deploy it. 如果证书不存在,则必须部署它。 For testing, you could do it manually by going into the VMs using the remote session and importing the certificate. 对于测试,您可以通过使用远程会话进入VM并导入证书来手动执行此操作。
In the case of Web Site, if you want it to be deployed automatically, you will have to update the service definition files for that role to make sure that the certificate will be deployed properly. 对于Web站点,如果您希望自动部署它,则必须更新该角色的服务定义文件 ,以确保正确部署证书。 Also, keep in mind that your certificate should be uploaded as a "Service Certificate" and not a "Management Certificate" if you want your roles to be able to use it. 另外,请记住,如果您希望您的角色能够使用证书,则应将您的证书上传为“服务证书”而不是“管理证书”。 If you are using Visual studio, you could also add it to your project and that may deploy it. 如果您使用的是Visual Studio,则还可以将其添加到项目中并进行部署。
Permissions 权限
Additionally, (and especially if you had manually deployed the certificate eg on a VM), you will need to check that IIS has permissions to access the certificate. 此外,(特别是如果您已在VM上手动部署证书),则需要检查IIS是否具有访问证书的权限。 This page here explains deploying certificates and how to give appropriate permissions. 此页面说明了部署证书以及如何提供适当的权限。 If your certificate is included in the deployment package, then this is not necessary as Azure Deployment will take care of it. 如果您的证书包含在部署包中,那么这不是必需的,因为Azure部署将负责处理它。
FYI: It works locally because the certificate already exists in the store your code is looking into, and there's nothing that is going to remove the certificate (unless you do it manually) to verify that if you deployed locally again, the certificate will be deployed again (assuming that your deployment locally and on Azure cloud is exactly the same). 仅供参考:它在本地运行,因为证书已存在于您的代码正在查看的商店中,并且没有任何内容可以删除证书(除非您手动执行)以验证如果再次在本地部署,则将部署证书再次(假设您在本地和Azure云上的部署完全相同)。 In many cases, the local environment and Azure cloud environment can be different (unfortunately), because Azure will provision clean VMs, and everything needs to be deployed properly. 在许多情况下,本地环境和Azure云环境可能不同(不幸的是),因为Azure将提供干净的VM,并且所有内容都需要正确部署。 On the local machines, we have a lot of "leftovers". 在本地机器上,我们有很多“剩菜”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.