在使用App Service服务部署业务应用，因为有些第三方的接口需要调用者携带TLS/SSL证书(X509 Certificate)，在官方文档中介绍了两种方式在代码中使用证书：

1） 直接使用证书文件路径加载证书

2） 从系统的证书库中通过指纹加载证书

本文中，将分别通过代码来验证以上两种方式.

第一步：使用PowerShell创建自签名证书

参考文档 : 生成自签名证书概述 https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

$cert = New-SelfSignedCertificate -DnsName @("mytest.com", "www.mytest.com") -CertStoreLocation "cert:\LocalMachine\My"

$certKeyPath = 'C:\MyWorkPlace\Tools\scerts\mytest.com.pfx' $password = ConvertTo-SecureString 'password' -AsPlainText -Force $cert | Export-PfxCertificate -FilePath $certKeyPath -Password $password

$rootCert = $(Import-PfxCertificate -FilePath $certKeyPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $password) 

注意：

• 需要使用Administrator模式打开PowerShell窗口

• DnsName, CertKeyPath和 password的内容都可根据需求进行调整

  
  
  image.png

第二步：准备两种读取证书的 .NET代码

方式一：通过证书文件名和密码读取加载证书

  public static string LoadPfx(string? filename, string password = "")
    { try { if (filename == null) filename = "contoso.com.pfx"; var bytes = File.ReadAllBytes(filename); var cert = new X509Certificate2(bytes, password); return cert.ToString();
        } catch (Exception ex)
        { return ex.Message;
        }
}

方式二：通过指纹在系统证书库中查找证书

  public static string FindPfx(string certThumbprint = "")
   { try { bool validOnly = false; using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
           {
               certStore.Open(OpenFlags.ReadOnly);
               X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                           X509FindType.FindByThumbprint, // Replace below with your certificate's thumbprint certThumbprint,
                                           validOnly); // Get the first cert with the thumbprint X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault(); if (cert is null) throw new Exception($"Certificate with thumbprint {certThumbprint} was not found"); return cert.ToString();
           }
       } catch (Exception ex) { return ex.Message; }
   } 

在本次实验中，通过API来调用以上 LoadPfx 和 FindPfx 方法

image.png

第三步：发布测试应用到Azure App Service

步骤参考发布 Web 应用：https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

image.png

第四步：测试接口并修复问题

通过文件方式读取证书内容，测试成功

image.png

但是，通过指纹查找的时候，却返回无法找到证书。

Certificate with thumbprint 5A1E7923F5638549F4BA3E29EEDBBDCB2E9B572E was not found

这是原因有两种：

1）证书没有添加到App Service的Certificates中。

2）需要在App Service的Configuration中添加配置WEBSITE_LOAD_CERTIFICATES参数，值为 * 或者是固定的 证书指纹值。

image.png

检查以上两点原因后，再次通过指纹方式查找证书。成功！

image.png

示例代码

using Microsoft.AspNetCore.Mvc;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

var app = builder.Build();

// Configure the HTTP request pipeline.

app.UseHttpsRedirection();


app.MapGet("/loadpfxbyname", ([FromQuery(Name = "name")] string filename, [FromQuery(Name = "pwd")] string pwd) =>
{
    var content = pfxTesting.LoadPfx(filename, pwd);
    return content;
});

app.MapGet("/loadpfx/{pwd}", (string pwd) =>
{

    var content = pfxTesting.LoadPfx(null, pwd);
    return content;
});

app.MapGet("/findpfx/{certThumbprint}", (string certThumbprint) =>
{

    var content = pfxTesting.FindPfx(certThumbprint);
    return content;
});

app.Run();

class pfxTesting
{
    public static string LoadPfx(string? filename, string password = "")
    {
        try
        {
            if (filename == null) filename = "contoso.com.pfx";

            var bytes = File.ReadAllBytes(filename);
            var cert = new X509Certificate2(bytes, password);

            return cert.ToString();
        }
        catch (Exception ex)
        {
            return ex.Message;
        }
    }

    public static string FindPfx(string certThumbprint = "")
    {
        try
        {
            bool validOnly = false;
            using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
            {
                certStore.Open(OpenFlags.ReadOnly);

                X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                            X509FindType.FindByThumbprint,
                                            // Replace below with your certificate's thumbprint
                                            certThumbprint,
                                            validOnly);
                // Get the first cert with the thumbprint
                X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();

                if (cert is null)
                    throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");

                return cert.ToString();

            }
        }
        catch (Exception ex) { return ex.Message; }
    }
}

参考资料

发布 Web 应用：https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

生成自签名证书概述 https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

在 Azure 应用服务中通过代码使用 TLS/SSL 证书 ： https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file

[END]

当在复杂的环境中面临问题，格物之道需：浊而静之徐清，安以动之徐生。 云中，恰是如此!