【Azure App Service】.NET代码实验App Service应用中获取TLS/SSL 证书 (App Service Windows)

在使用App Service服务部署业务应用，因为有些第三方的接口需要调用者携带TLS/SSL证书(X509 Certificate)，在官方文档中介绍了两种方式在代码中使用证书：

1） 直接使用证书文件路径加载证书

2） 从系统的证书库中通过指纹加载证书

本文中，将分别通过代码来验证以上两种方式.

第一步：使用PowerShell创建自签名证书

参考文档 : 生成自签名证书概述  https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

$cert = New-SelfSignedCertificate -DnsName @("mytest.com", "www.mytest.com") -CertStoreLocation "cert:\LocalMachine\My"

$certKeyPath = 'C:\MyWorkPlace\Tools\scerts\mytest.com.pfx'

$password = ConvertTo-SecureString 'password' -AsPlainText -Force

$cert | Export-PfxCertificate -FilePath $certKeyPath -Password $password

$rootCert = $(Import-PfxCertificate -FilePath $certKeyPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $password)

注意：

• 需要使用Administrator模式打开PowerShell窗口
• DnsName, CertKeyPath和 password的内容都可根据需求进行调整

第二步：准备两种读取证书的 .NET代码

方式一：通过证书文件名和密码读取加载证书

    public static string LoadPfx(string? filename, string password = "")
    {
        try
        {
            if (filename == null) filename = "contoso.com.pfx";

            var bytes = File.ReadAllBytes(filename);
            var cert = new X509Certificate2(bytes, password);
            return cert.ToString();
        }
        catch (Exception ex)
        {
            return ex.Message;
        }
}

方式二：通过指纹在系统证书库中查找证书

   public static string FindPfx(string certThumbprint = "")
   {
       try
       {
           bool validOnly = false;
           using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
           {
               certStore.Open(OpenFlags.ReadOnly);
               X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                           X509FindType.FindByThumbprint,
                                           // Replace below with your certificate's thumbprint
                                           certThumbprint,
                                           validOnly);

               // Get the first cert with the thumbprint
               X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();

               if (cert is null)
               throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");
               return cert.ToString();
           }
       }
       catch (Exception ex) { return ex.Message; }
   } 

在本次实验中，通过API来调用以上 LoadPfx 和 FindPfx 方法

第三步：发布测试应用到Azure App Service

步骤参考发布 Web 应用：https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

第四步：测试接口并修复问题

通过文件方式读取证书内容，测试成功

但是，通过指纹查找的时候，却返回无法找到证书。

Certificate with thumbprint 5A1E7923F5638549F4BA3E29EEDBBDCB2E9B572E was not found

这是原因有两种：

1）证书没有添加到App Service的Certificates中。

2）需要在App Service的Configuration中添加配置WEBSITE_LOAD_CERTIFICATES参数，值为 * 或者是固定的 证书指纹值。

检查以上两点原因后，再次通过指纹方式查找证书。成功！

示例代码

 1 using Microsoft.AspNetCore.Mvc;
 2 using System.Security.Cryptography.X509Certificates;
 3
 4 var builder = WebApplication.CreateBuilder(args);
 5
 6 // Add services to the container.
 7
 8 var app = builder.Build();
 9
10 // Configure the HTTP request pipeline.
11
12 app.UseHttpsRedirection();
13
14
15 app.MapGet("/loadpfxbyname", ([FromQuery(Name = "name")] string filename, [FromQuery(Name = "pwd")] string pwd) =>
16 {
17     var content = pfxTesting.LoadPfx(filename, pwd);
18     return content;
19 });
20
21 app.MapGet("/loadpfx/{pwd}", (string pwd) =>
22 {
23
24     var content = pfxTesting.LoadPfx(null, pwd);
25     return content;
26 });
27
28 app.MapGet("/findpfx/{certThumbprint}", (string certThumbprint) =>
29 {
30
31     var content = pfxTesting.FindPfx(certThumbprint);
32     return content;
33 });
34
35 app.Run();
36
37 class pfxTesting
38 {
39     public static string LoadPfx(string? filename, string password = "")
40     {
41         try
42         {
43             if (filename == null) filename = "contoso.com.pfx";
44
45             var bytes = File.ReadAllBytes(filename);
46             var cert = new X509Certificate2(bytes, password);
47
48             return cert.ToString();
49         }
50         catch (Exception ex)
51         {
52             return ex.Message;
53         }
54     }
55
56     public static string FindPfx(string certThumbprint = "")
57     {
58         try
59         {
60             bool validOnly = false;
61             using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
62             {
63                 certStore.Open(OpenFlags.ReadOnly);
64
65                 X509Certificate2Collection certCollection = certStore.Certificates.Find(
66                                             X509FindType.FindByThumbprint,
67                                             // Replace below with your certificate's thumbprint
68                                             certThumbprint,
69                                             validOnly);
70                 // Get the first cert with the thumbprint
71                 X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();
72
73                 if (cert is null)
74                     throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");
75
76                 return cert.ToString();
77
78             }
79         }
80         catch (Exception ex) { return ex.Message; }
81     }
82 }

参考资料

发布 Web 应用：https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

生成自签名证书概述  https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

在 Azure 应用服务中通过代码使用 TLS/SSL 证书 ： https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file

[END]