从Azure KeyVault加载X509证书
[英]Loading X509Certificate from Azure KeyVault
问题描述
We have a web application hosted in Azure that we use to load certificates from KeyVault to be used for encryption and authentication with other services. 
我们在Azure中托管了一个Web应用程序,用于从KeyVault加载证书以用于与其他服务进行加密和身份验证。 After reading the value from KeyVault, we're creating the certificate like this: 从KeyVault读取值后,我们将按照以下方式创建证书:
return new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty,
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.Exportable);
We've been seeing a lot of errors about "Keyset does not exist" and "The request was aborted: Could not create SSL/TLS secure channel". 我们已经看到很多有关“密钥集不存在”和“请求已中止:无法创建SSL / TLS安全通道”的错误。
I suspect this is because it's persisting the private key to disk (C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys), which is causing an issue when trying to read it again, since it's a shared hosting environment and we don't fully own the machine. 我怀疑这是因为它会将磁盘的私钥持久化(C:\\ ProgramData \\ Microsoft \\ Crypto \\ RSA \\ MachineKeys),这在尝试再次读取它时会导致问题,因为它是共享的托管环境,我们不会完全拥有机器。
Is there a proper way to do this? 有适当的方法来做到这一点吗? I've seen references to using the certificate store, but I'm not too sure how that ties in with getting the certificate from KeyVault. 我已经看到了有关使用证书存储区的参考,但是我不太确定这与从KeyVault获取证书的关系。
2 个解决方案
解决方案1
2 2018-05-31 13:51:19
I think a better solution is to use Managed Service Identity(MSI) if applicable. 我认为更好的解决方案是使用托管服务标识(MSI)(如果适用)。 The MSI feature will create a service principal in Azure AD to represent the identity of the service/VM. MSI功能将在Azure AD中创建服务主体,以表示服务/ VM的身份。 And assign this service principal property role or permission in the key-vault, which can be done via creating a new access policy in the "Setting -> Access policies" section in key-vault. 并在密钥库中分配此服务主体属性角色或权限,这可以通过在密钥库的“设置->访问策略”部分中创建新的访问策略来完成。 The service principal should be same as the service name. 服务主体应与服务名称相同。 This name can be different if create via powershell. 如果通过powershell创建,则此名称可以不同。
After the MSI setting, a cert or secret can be uploaded into key-vault and accessed in the service. 在设置MSI之后,可以将证书或机密上传到密钥库中并在服务中进行访问。
解决方案2
0 已采纳 2018-01-29 02:39:42
Is there a proper way to do this?
In your case, it seems that you just load the cert from keyvault, but the certificate is not deployed to the Azure WebApp. 在您的情况下,您似乎只是从keyvault加载了证书,但是该证书没有部署到Azure WebApp。 About how to deploy Azure Web App Certificate through Key Vault, you could get the detail steps from this blog . 关于如何通过Key Vault部署Azure Web App证书,您可以从此Blog中获取详细步骤。
The easiest way using the cert in the Azure WebApp is that you could upload the pfx file to the Azure WebApp from Azure portal and add an app setting called WEBSITE_LOAD_CERTIFICATES and set its value to the thumbprint of the certificate. 在Azure WebApp中使用证书的最简单方法是,可以将pfx文件从Azure门户上载到Azure WebApp ,并添加名为WEBSITE_LOAD_CERTIFICATES的应用程序设置,并将其值设置为证书的指纹。 But there is no relationship with KeyVault . 但是与KeyVault没有关系 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.