Azure public and private certificate not accessible from web app

Question

I'm fetching data from a third party company and they have given me certificates so I can access their service. When setting up this locally, it worked after installing the .cer and the .pfx into my certificate stores. However I can't get it to work when the code runs on my Azure Web App, it results in error:

Could not establish trust relationship for the SSL/TLS secure channel with authority

I received this particular error locally at first before giving my application pool access to the public root certificate (IIS AppPool\\AppPoolName). It feels like I'm now experiencing the same error on Azure. The code definitely finds the certificates (or else an error would be thrown) but it seems it does not have access to use them.

I've followed this guide to install the certificates in my web app: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

I've set the application property to import all certs:

This is the code I'm using to load the private certificate:

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);

if (certs == null || certs.Count == 0)
{
    ExceptionUtils.ThrowDataError("Private certificate could not be found");
}

store.Close();
return certs[0];

I've also tried adding the .pfx to the App_Data folder and loading it like this:

var certPath = HttpContext.Current.Server.MapPath("~/App_Data/cert.pfx");
var bankIdCert = new X509Certificate2(certPath, "password");

But it results in the same error. Maybe that means that the it is not given access to the public certificate? The only difference right now between the working local version and the azure version is:

• Locally, public cert is in store LocalMachine location Root and private in store LocalMachine location My
• On Azure when uploading, both certs goes to CurrentUserMy

Does some certificates require to be on LocalMachine in order to work?

Answer 1

This error may occur if the third-party CA is not being trusted yet. If your web app gives you certificate validation errors, you can try to use a self-signed certificate: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl .

Answer 2

Could not establish trust relationship for the SSL/TLS secure channel with authority

In your case, the most reasons for an SSL certificate validation to fail is:

The hostname used in the URL doesn't match the name that's on certificate. Make sure the URL you're using and the URL on the 'Issued to' field of the certificate are the sam e.

As Swikruti Bose mentioned that you could following Bind an existing custom SSL to custom SSL.

As azure WebApp is the sandbox , we have no access to install the Root CA in the Azure WebApp.

If Azure virtual machine or Cloud Service is possible, you also could use the Azure virtual machine or cloud Service .