Failed to load certificate instance from Azure Worker role

I have an Azure Worker role that I want to call a Management Service (for example, a REST API) and collect information about related services. However, when I try to load my certificate, it is not found. Here are the steps I followed:

1. I created a certificate using MakeCert and registered it as my management certificate through the portal.

    makecert -r -pe -a sha1 -n "CN=MyCnName" -ss My -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 MyCert.cer

2. Installed the certificate on my local computer, and everything works fine. When running the worker role locally, I can call the management service without problems.

3. Exported the certificate from my computer and registered the exported certificate to the target Hosted Service through the portal.

4. Deployed the role. When the role starts, it cannot find the certificate.

Here is an excerpt from the code I use to find the certificate.

    using System.Security.Cryptography.X509Certificates;

    // Open the certificate store for the current user.
    var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); // I also tried LocalMachine
    certStore.Open(OpenFlags.ReadOnly);

    // Find the certificate with the specified subject.
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindBySubjectName, _myConfiguration.SubjectName, false);

    if (certCollection == null || certCollection.Count < 1)
    {
        // Fall back to the certificate with the specified thumbprint.
        certCollection = certStore.Certificates.Find(
            X509FindType.FindByThumbprint, _myConfiguration.ThumbPrint, false);
    }

    // Close the certificate store.
    certStore.Close();

    // Check to see if a matching certificate was found.
    if (certCollection.Count == 0)
    {
        _logger.Warn("No certificate found");
    }

There is no exception; simply no certificate is found. Can anyone shed some light on what I need to do?

+4
2 answers

I found out the problem... In addition to configuring the certificate on the portal, I needed to add the certificate information (name, store and thumbprint) to the Azure project role properties under the Certificates tab.

+8

I have a similar problem with a web role, and I applied a workaround.

  • Remote Desktop Connection to the virtual machine where the service and certificate are deployed
  • Copy your certificate or .pfx to the VM's local disk (e.g. C:)
  • Click on your .pfx or .cer file and install it in the Trusted People certificate store
  • Launch the service; even if it is configured to search another store, it will find the certificate in Trusted People

I do not know why my web role is trying to find the certificate in this place when I force it to search the "My" store, but the search method retrieves the information from the Trusted People store.

The problem with this workaround is that when you delete the deployment, the certificate and any other configuration will be deleted too.

This piece of code may give you some information:

    using System.Linq;
    using System.IdentityModel.Tokens;                 // X509SecurityToken
    using System.Security.Cryptography.X509Certificates;

    // The certificate must be in the Trusted People store
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        // Commented out: get the first available match from the cert store
        //X509Certificate2 cert = store.Certificates.Find(X509FindType.FindBySubjectName,
        //                                                subjectname,
        //                                                false)
        //                                          .Cast<X509Certificate2>()
        //                                          .FirstOrDefault();

        foreach (var ct in store.Certificates)
        {
            //Logger.TraceInformation(string.Format("Cert found: Subject {0} Thumbprint:{1}", ct.FriendlyName, ct.Thumbprint));
            if (ct.SubjectName.Name.ToString().Contains("*.certnamexx.extensionxx"))
            {
                return new X509SecurityToken(ct);
            }
        }
    }
    finally
    {
        // Close the store even when no match is found or an exception is thrown
        store.Close();
    }
    return null; // no matching certificate in the store
0
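As an added example (not code from the question or from either answer), here is a lookup routine that complements the accepted fix: once the certificate is declared in the role configuration, Azure installs it into LocalMachine\My on the instance, and the role should then look it up by its exact thumbprint rather than by a substring of the subject name. The routine also reports the two most common reasons a lookup "finds nothing with no exception": a thumbprint copied from the Windows certificate dialog with an invisible left-to-right mark in it, and a .cer installed in place of the .pfx so that no private key is present. The class and method names, the placeholder thumbprint in `Main` and the `Console` output standing in for the role's logger are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or either answer.
// Assumptions: the class and method names, the placeholder thumbprint in Main,
// and Console output standing in for the role's logger.
public static class RoleCertificateLocator
{
    // Strip separators and non-hex characters such as the invisible left-to-right
    // mark (U+200E) that the Windows certificate dialog copies along with the
    // thumbprint. A pasted thumbprint that still contains it makes
    // FindByThumbprint return an empty collection without any exception.
    public static string NormalizeThumbprint(string thumbprint)
    {
        if (thumbprint == null) throw new ArgumentNullException("thumbprint");
        string hex = new string(thumbprint.Where(Uri.IsHexDigit).ToArray());
        if (hex.Length != 40) // SHA-1 thumbprint: 20 bytes, 40 hex digits
            throw new ArgumentException("Thumbprint must be 40 hex digits after cleanup.");
        return hex.ToUpperInvariant();
    }

    // Returns the certificate with exactly this thumbprint, or null.
    // Certificates declared in the role configuration are installed by Azure into
    // LocalMachine\My, so that store is checked first; the other two are searched
    // only so that a miss can be explained (for example a certificate installed by
    // hand into Trusted People, as in the workaround above).
    public static X509Certificate2 Find(string thumbprint, bool requirePrivateKey)
    {
        string wanted = NormalizeThumbprint(thumbprint);
        var stores = new[]
        {
            new { Location = StoreLocation.LocalMachine, Name = StoreName.My },
            new { Location = StoreLocation.CurrentUser,  Name = StoreName.My },
            new { Location = StoreLocation.LocalMachine, Name = StoreName.TrustedPeople },
        };

        foreach (var s in stores)
        {
            var store = new X509Store(s.Name, s.Location);
            try
            {
                store.Open(OpenFlags.ReadOnly);

                // validOnly is false on purpose: a self-signed MakeCert certificate does
                // not chain to a trusted root, so validOnly = true would filter it out.
                X509Certificate2Collection matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, wanted, false);
                if (matches.Count == 0)
                {
                    continue;
                }

                X509Certificate2 cert = matches[0];
                if (requirePrivateKey && !cert.HasPrivateKey)
                {
                    // Only the public part (.cer) was installed; without the private
                    // key the role cannot authenticate to the management API.
                    Console.WriteLine("Found {0} in {1}\\{2}, but it has no private key.",
                        wanted, s.Location, s.Name);
                    continue;
                }

                Console.WriteLine("Using certificate {0} from {1}\\{2}.", wanted, s.Location, s.Name);
                return cert;
            }
            finally
            {
                store.Close();
            }
        }

        Console.WriteLine("Certificate {0} not found in any searched store.", wanted);
        return null;
    }

    public static void Main()
    {
        // Placeholder value; use the thumbprint from your own role configuration.
        const string thumbprintFromConfig = "0000000000000000000000000000000000000000";
        X509Certificate2 cert = Find(thumbprintFromConfig, true);
        Console.WriteLine(cert == null ? "No usable certificate." : cert.Subject);
    }
}
```

Matching on the exact thumbprint is deliberate: the `SubjectName.Contains(...)` test in the workaround above would also accept any other certificate with a similar subject that happens to be present in the store, whereas the thumbprint identifies one certificate. Declaring the certificate in the role configuration, as the accepted answer describes, is also what makes it survive a redeployment, which the RDP copy does not.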