
Question on Certificate.pfx and Azure


I have an ASP.NET Core MVC app running on Azure App Service. The site is using HTTPS, and I’d like to use token authentication to protect some of the pages. I’m very new to token auth and OpenIddict. I read that a JWT token needs to be signed on the server, and I see that in your MVC sample there is a Certificate.pfx provided. Should I check this file into source control and share it with other developers? And could I deploy it as is with my code to Azure, or do I need to create a new .pfx file using some code on the fly, or manually put it somewhere on the server file system or Azure Key Vault? I see there is the following code for development purposes; is there an equivalent code snippet for production?

options.AddDevelopmentEncryptionCertificate()
       .AddDevelopmentSigningCertificate();

I’d really appreciate any help and pointers on this. Thank you.


amrohith commented, Mar 11, 2021

I am trying to deploy the same in Azure App Service (Linux). Even after adding the thumbprint I am getting the following exception.

System.Security.Cryptography.CryptographicException: The owner of '/home/.dotnet/corefx/cryptography/x509stores/my' is not the current user. at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.EnsureDirectoryPermissions(String path, UInt32 userId) at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.AddCertToStore(ICertificatePal certPal) at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.Add(ICertificatePal certPal) at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate) at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject) at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate() at OpeniddictServer.Startup.<>c.<ConfigureServices>b__4_7(OpenIddictServerBuilder options) in C:\OpeniddictServer\Startup.cs:line 123

Can you suggest an approach to solve this issue?

kevinchalet commented, Jun 12, 2020

Should I check this file into the source control and share it with other developers?

Don’t reuse the certificate sample; it would make your application vulnerable.

You have multiple options when it comes to generating/storing certificates/raw keys on Azure:

  • You can generate it locally and upload it via the portal. Set the WEBSITE_LOAD_CERTIFICATES environment variable and use Add*Certificate(string thumbprint) to load it from the X.509 store. It’s the best compromise.

  • You can generate it locally and store it as a .pfx in your repository. For that, use the Add*Certificate() overload accepting an Assembly and a name to load it from the embedded resources. It’s the least interesting option.

  • You can generate the signing/encryption certificates/keys in Azure Key Vault and keep them there. In this case, the tokens will be signed and decrypted by AKV, which offers a very high security level. Sadly, there are strict limits on the number of operations you can do per second, so it’s not really appropriate for public websites. Read https://kevinchalet.com/2017/08/15/using-azure-key-vault-with-asos-and-openiddict/ for more information.

To generate an X.509 certificate locally, you can create a tiny console app and use the new CertificateRequest APIs:
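An added example, not the OpenIddict sample's code or the snippet from the comment above, answering both the "equivalent for production" question and the first option listed (generate locally, upload, load by thumbprint). It generates separate signing and encryption certificates with CertificateRequest, exports them as .pfx files and prints the thumbprints; the subject names, file names and the PFX_PASSWORD variable are assumptions. Unlike the Add*Development*Certificate helpers, which (as the stack trace in the other comment shows) write into the user's X.509 store at startup, this keeps generation out of the running app.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: generate distinct signing and encryption certificates locally
// (one key usage each, so the signing key is never also used for decryption),
// export them as password-protected .pfx files and print their thumbprints.
public static class CertificateGenerator
{
    public static X509Certificate2 CreateSelfSigned(string subject, X509KeyUsageFlags usage)
    {
        using var rsa = RSA.Create(keySizeInBits: 2048);
        var request = new CertificateRequest(
            new X500DistinguishedName(subject), rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        // Two-year validity: plan a rotation before it ends, since tokens signed
        // with an expired certificate are rejected by the validation handler.
        return request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
    }

    public static void Main()
    {
        // Assumed: the export password comes from the environment, never from source control.
        var password = Environment.GetEnvironmentVariable("PFX_PASSWORD")
            ?? throw new InvalidOperationException("Set PFX_PASSWORD before running.");

        using var signing = CreateSelfSigned("CN=Contoso OpenIddict Signing", X509KeyUsageFlags.DigitalSignature);
        using var encryption = CreateSelfSigned("CN=Contoso OpenIddict Encryption", X509KeyUsageFlags.KeyEncipherment);

        // The .pfx files contain private keys: upload them through the portal, then delete them locally.
        File.WriteAllBytes("signing.pfx", signing.Export(X509ContentType.Pfx, password));
        File.WriteAllBytes("encryption.pfx", encryption.Export(X509ContentType.Pfx, password));

        Console.WriteLine($"Signing thumbprint:    {signing.Thumbprint}");
        Console.WriteLine($"Encryption thumbprint: {encryption.Thumbprint}");
    }
}

// Production registration in Startup.ConfigureServices, replacing the development helpers.
// After uploading both .pfx files and setting WEBSITE_LOAD_CERTIFICATES to their thumbprints,
// App Service (Windows) exposes them in the CurrentUser/My store and the thumbprint overloads find them:
//
//   options.AddEncryptionCertificate("<encryption thumbprint>")
//          .AddSigningCertificate("<signing thumbprint>");
```

On a Linux App Service plan the uploaded certificates are exposed as files rather than a store entry (under /var/ssl/private, per Azure's documentation), so there the X509Certificate2 overload of Add*Certificate with a certificate loaded from that path is the equivalent.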
