I have a console application running on an Azure cloud service VM that need getting a management certificate.
My certificate is loaded on SETTINGS/CERTIFICATE but what should I do next?
I tried something like this:
X509Store certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates
.Find(X509FindType.FindByThumbprint, certificateThumb, false);
X509Certificate2 certificate = certCollection[0];
Maybe I don't understand how works SETTINGS/CERTIFICATE but I only get an error message saying there are no certificate having this thumbprint.
EDIT: I complete my question.
Is this enough to make a declaration in SETTINGS/CERTIFICATE?
I answer my question.
In fact we have 2 way to use management certificate.
create a publishsetting file with the powershell command get-AzurePublishsettingsFile. The command adds a .cer certificate in management store as well. We just have to deserialize the base 64 certificate found into the file and add it in the credentials
create a certificate with makecert. Load the .cer in the azure management store and the .pfx in the local store from where the client application is installed
some links:
http://www.wadewegner.com/2011/11/programmatically-installing-and-using-your-management-certificate-with-the-new-publishsettings-file/
Related
I have an SSL cert stored in the Web Hosting Folder of the Certificate Store. I cannot seem to be able to access this store from C#. Does anyone know how to do this?
X509Store store = new X509Store("Web Hosting");
store.Open(OpenFlags.ReadOnly);
var t = store.Certificates.GetEnumerator();
while (t.MoveNext())
{
//this is always empty
}
Additional Detail
I need this cert for a gRPC service that I am writing. gRPC requires a certificate for the SSL connection. In the mean time aka development I am using Let's Encrypt to generate the certificate. When the cert was generated the cert was put into the Web Hosting folder of the cert store.
It turns out you can drag and drop the certs to a different location in the cert manager. I relocated the cert to the Personal folder and I was able to access it by:
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
Try removing the space; e.g., try the name as webhosting (no space)
In PowerShell, to display certs in this store location:
dir cert:\localmachine\webhosting
I hope I can explain this correctly. I inherited a couple of windows applications that need a certificate installed to the local cert store in order to access an Azure Key Vault's Secret to do what the applications do. Currently everything is working correctly. The cert in Azure is set to expire on 10/31/2019.
A new certificate has been created with an expiration in September of 2020.
When I had these applications dumped on me I was give the cert to use but it has a .p12 extension. I can only export the new Azure certificate as .cer or .pfx.
When I install the newly exported cert as either .pfx or .cer the applications fail. If I install the old cert with .p12 extension they work.
Both apps use the code below to get (I think) the local cert that is current via the "Issuer" which is CN = Value. I've checked both the old and new values of "Issuer/CN =" and they are identical.
Does the cert exported in Azure need to have a .p12 extension? If so how do I do that.
If the cert in Azure exported is okay as a .pfx where might my problem(s) be?
C# code in apps that get local cert to in turn gets the necessary Azure secret to do the work:
private static X509Certificate2 ReadCertificateFromStore(string certName)
{
X509Certificate2 cert = null;
try
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = store.Certificates;
// Find unexpired certificates.
X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
// From the collection of unexpired certificates, find the ones with the correct name.
X509Certificate2Collection signingCert = currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certName, false);
// Return the first certificate in the collection, has the right name and is current.
cert = signingCert.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault();
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return cert;
}
First .p12 as well as .pfx are extension for the PKCS#12 format.
Both apps use the code below to get (I think) the local cert that is current via the "Issuer" which is CN = Value. I've checked both the old and new values of "Issuer/CN =" and they are identical.
Based on your code that is not true
// From the collection of unexpired certificates, find the ones with the correct name.
X509Certificate2Collection signingCert =
currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certName, false);
It says FindBySubjectDistinguishedName which means that the subject of both certificates need to be exactly the same. Here is an example:
And another one with multiple elements in the subject:
You could also install both certificates and play around to figure the parameters to get the right certificate. I converted parts of your code to PowerShell:
$store =
new-object System.Security.Cryptography.X509Certificates.X509Store( `
[System.Security.Cryptography.X509Certificates.StoreName]::My, `
[System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser);
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly);
$signingCert =
$store.Certificates.Find(
[System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName,
"CN=...", `
$false);
$signingCert
Mystery solved. In addition to installing the certificate on the machines in question you also need to register the cert (.cer portion) in Azure's App Registrations.
how can i install two certificates (pfx with password) during my setup is installing on pc? I need Two certificates located on personal->certificates because desktop program is used for all users on this pc.
I'm using .net 3.5
Thanks.
This below will extract the Public & Private key from the .PFX file and parse it into an X509Certificate2 object (X509Certificate type does not support Private keys and is unable understand V2 & V3 properties). You then pass X509Certificate2 object to the local certificate repository which is currently set to LocalMachine as I'm guessing that's where you want it according to the image you attached.
X509Certificate2 cert = new X509Certificate2(#"C:\key.pfx", "test1234", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet); //Saves in the local machine store - accessible for all users
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadWrite); //Set to Write - You need Admin Permissions
store.Add(cert); //Add Private Cert to Store
}
I recommend that you read this post by Paul Stovell before diving head first as permissions could be nightmare especially within a domain environment (Active Directory).
I am kind of new to certificates and all that stuff.
I have a web application that sends a https request by iframe (it has to be https due to the application itself is also https) to a .NET application running on the client which has an HttpListener listening on https://localhost:[port] so the client app can receive a "do something now" from a browser click.
When I install the client app, I install the *.crt file to the Root-Store and bind it to our port:
X509Certificate2 certificateFromCrtFile = new X509Certificate2(X509Certificate2.CreateFromCertFile(crtPath));
X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificateFromCrtFile);
rootStore.Close();
string crtThumbprint = certificateFromCrtFile.Thumbprint;
string netshParams = string.Format("http add sslcert ipport=0.0.0.0:[port] certhash={0} appid={{{1}}}", crtThumbprint, Guid.NewGuid());
Utilities.StartProcess("netsh.exe", Environment.SystemDirectory, netshParams, true, true);
Now, before that, I have to install the certificate also in the personal store because my "server" in that case is the HttpListener on the same client.
Okay, so I could do it the following way:
X509Certificate2 certificateFromPfxFile = new X509Certificate2(pfxPath, "pwd");
X509Store personalStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
personalStore.Open(OpenFlags.ReadWrite);
personalStore.Add(certificateFromPfxFile);
personalStore.Close();
In this case I have to write the *.pfx password in clear text in code.
And if I understood correctly, with this password you can easily get the private key, right?
When storing in PFX the private key is encrypted with your password. So when you attempt to install it to a personal store to indicate your ownership of this certificate, you have to present the password. That's mandate.
The trusted root authority is different, as you don't own the certificates. You just install the crt files to say that you trust whoever owns them.
I am trying to add a certificate to a web request to connect to Azure services.
My code looks like this:
string certThumbprint = "thumbprint";
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint, certThumbprint, false);
Now I can confirm that the certificate does exist and the thumbprint is correct. However certCollection comes back empty.
Any ideas?
Update: here is how I open the cert store
certStore.Open(OpenFlags.ReadOnly);
You probably have a hidden character or two at the very beginning of your thumbprint. I've made this mistake many times before when copying the thumbprint from the certificate manager in MMC. Here is a link for more information on this issue.
http://support.microsoft.com/kb/2023835
A safe way to get the certificate thumbprints of the Personal Certificates store is to use an elevated instance of PowerShell.
PS C:\> dir cert:LocalMachine\My | select Thumbprint, FriendlyName, Subject
I encountered the same issue today, while it's possible that there are hidden characters before and after the thumbprint it's also possible that if your debugging runs under a different user, the StoreLocation.CurrentUser isn't the same Store as the one you open in Windows.
I had this issue running in Service Fabric on localhost