
Loading X509Certificate from Azure KeyVault

We have a web application hosted in Azure that we use to load certificates from KeyVault to be used for encryption and authentication with other services. After reading the value from KeyVault, we're creating the certificate like this:

using System;
using System.Security.Cryptography.X509Certificates;

// secret.Value is the base64-encoded PFX read from Key Vault
return new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty,
                    X509KeyStorageFlags.MachineKeySet |
                    X509KeyStorageFlags.PersistKeySet |
                    X509KeyStorageFlags.Exportable);

We've been seeing a lot of errors about "Keyset does not exist" and "The request was aborted: Could not create SSL/TLS secure channel".

I suspect this is because it's persisting the private key to disk (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys), which is causing an issue when trying to read it again, since it's a shared hosting environment and we don't fully own the machine.

Is there a proper way to do this? I've seen references to using the certificate store, but I'm not too sure how that ties in with getting the certificate from KeyVault.

I think a better solution is to use Managed Service Identity (MSI) if applicable. The MSI feature will create a service principal in Azure AD to represent the identity of the service/VM. Then assign this service principal the proper role or permission in the key vault, which can be done by creating a new access policy in the "Settings -> Access policies" section of the key vault. The service principal name should be the same as the service name. This name can be different if created via PowerShell.

After the MSI setting, a cert or secret can be uploaded into key-vault and accessed in the service.
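One way to put the question's loading code together with the managed-identity approach above, as an added example that is not code from the question or the answers: it uses the current Azure.Identity and Azure.Security.KeyVault.Secrets packages rather than the older SDK, the vault URI and secret name are placeholders, and it imports the PFX without PersistKeySet or Exportable so the private key is not left behind in the machine key store.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultClientCert
{
    // Placeholders: replace with your vault URI and the secret that holds the PFX.
    private const string VaultUri = "https://<your-vault-name>.vault.azure.net/";
    private const string SecretName = "<client-cert-secret-name>";

    // Keep one long-lived instance. A key imported without PersistKeySet is removed
    // when its X509Certificate2 is disposed or finalized, so caching keeps the key
    // alive while it is in use and avoids re-importing on every request.
    private static readonly Lazy<X509Certificate2> Cached =
        new Lazy<X509Certificate2>(Load);

    public static X509Certificate2 Certificate => Cached.Value;

    private static X509Certificate2 Load()
    {
        // DefaultAzureCredential picks up the app's managed identity (MSI) in Azure,
        // so no Key Vault credential has to be stored in the app configuration.
        var client = new SecretClient(new Uri(VaultUri), new DefaultAzureCredential());
        KeyVaultSecret secret = client.GetSecret(SecretName);

        // A certificate uploaded to Key Vault is exposed as a secret whose value is
        // the base64-encoded PFX. Import it with the least privilege needed:
        //  - MachineKeySet: works under IIS/App Service where no user profile is loaded.
        //  - no PersistKeySet: the key container is not left in
        //    %ProgramData%\Microsoft\Crypto\RSA\MachineKeys after the object is gone.
        //  - no Exportable: the private key cannot be read back out of the object.
        // EphemeralKeySet would avoid the key store entirely, but SChannel on Windows
        // does not support ephemeral keys for TLS client authentication.
        byte[] pfx = Convert.FromBase64String(secret.Value);
        try
        {
            return new X509Certificate2(pfx, string.Empty, X509KeyStorageFlags.MachineKeySet);
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length); // drop the raw PFX bytes from memory
        }
    }

    // TLS client authentication: attach the cached certificate to the handler.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(Certificate);
        return new HttpClient(handler);
    }
}
```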

Is there a proper way to do this? I've seen references to using the certificate store, but I'm not too sure how that ties in with getting the certificate from KeyVault.

In your case, it seems that you just load the cert from Key Vault, but the certificate is not deployed to the Azure WebApp. About how to deploy an Azure Web App Certificate through Key Vault, you could get the detailed steps from this blog.

The easiest way of using the cert in the Azure WebApp is that you could upload the pfx file to the Azure WebApp from the Azure portal and add an app setting called WEBSITE_LOAD_CERTIFICATES and set its value to the thumbprint of the certificate. But there is no relationship with Key Vault.
