【Azure App Service】.NET代码实验App Service应用中获取TLS/SSL 证书 (App Service Windows)

在使用App Service服务部署业务应用，因为有些第三方的接口需要调用者携带TLS/SSL证书(X509 Certificate)，在官方文档中介绍了两种方式在代码中使用证书：

1） 直接使用证书文件路径加载证书

2） 从系统的证书库中通过指纹加载证书

本文中，将分别通过代码来验证以上两种方式.

 

第一步：使用PowerShell创建自签名证书

参考文档 : 生成自签名证书概述  https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

$cert = New-SelfSignedCertificate -DnsName @("mytest.com", "www.mytest.com") -CertStoreLocation "cert:LocalMachineMy"  $certKeyPath = 'C:MyWorkPlaceToolsscertsmytest.com.pfx'  $password = ConvertTo-SecureString 'password' -AsPlainText -Force  $cert | Export-PfxCertificate -FilePath $certKeyPath -Password $password  $rootCert = $(Import-PfxCertificate -FilePath $certKeyPath -CertStoreLocation 'Cert:LocalMachineRoot' -Password $password) 

注意：

• 需要使用Administrator模式打开PowerShell窗口
• DnsName, CertKeyPath和 password的内容都可根据需求进行调整

 

 

第二步：准备两种读取证书的 .NET代码

方式一：通过证书文件名和密码读取加载证书

    public static string LoadPfx(string? filename, string password = "")     {         try         {             if (filename == null) filename = "contoso.com.pfx";              var bytes = File.ReadAllBytes(filename);             var cert = new X509Certificate2(bytes, password);             return cert.ToString();         }         catch (Exception ex)         {             return ex.Message;         } }

 

方式二：通过指纹在系统证书库中查找证书

   public static string FindPfx(string certThumbprint = "")    {        try        {            bool validOnly = false;            using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))            {                certStore.Open(OpenFlags.ReadOnly);                X509Certificate2Collection certCollection = certStore.Certificates.Find(                                            X509FindType.FindByThumbprint,                                            // Replace below with your certificate's thumbprint                                            certThumbprint,                                            validOnly);                 // Get the first cert with the thumbprint                X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();                 if (cert is null)                throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");                return cert.ToString();            }        }        catch (Exception ex) { return ex.Message; }    } 

在本次实验中，通过API来调用以上 LoadPfx 和 FindPfx 方法

 

 

第三步：发布测试应用到Azure App Service

步骤参考发布 Web 应用：https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

 

第四步：测试接口并修复问题

通过文件方式读取证书内容，测试成功

但是，通过指纹查找的时候，却返回无法找到证书。

Certificate with thumbprint 5A1E7923F5638549F4BA3E29EEDBBDCB2E9B572E was not found

这是原因有两种：

1）证书没有添加到App Service的Certificates中。

2）需要在App Service的Configuration中添加配置WEBSITE_LOAD_CERTIFICATES参数，值为 * 或者是固定的 证书指纹值。

检查以上两点原因后，再次通过指纹方式查找证书。成功！

示例代码

using Microsoft.AspNetCore.Mvc;  2 using System.Security.Cryptography.X509Certificates;  3   4 var builder = WebApplication.CreateBuilder(args);  5   6 // Add services to the container.  7   8 var app = builder.Build();  9  10 // Configure the HTTP request pipeline. 11  12 app.UseHttpsRedirection(); 13  14  15 app.MapGet("/loadpfxbyname", ([FromQuery(Name = "name")] string filename, [FromQuery(Name = "pwd")] string pwd) => 16 { 17     var content = pfxTesting.LoadPfx(filename, pwd); 18     return content; 19 }); 20  21 app.MapGet("/loadpfx/{pwd}", (string pwd) => 22 { 23  24     var content = pfxTesting.LoadPfx(null, pwd); 25     return content; 26 }); 27  28 app.MapGet("/findpfx/{certThumbprint}", (string certThumbprint) => 29 { 30  31     var content = pfxTesting.FindPfx(certThumbprint); 32     return content; 33 }); 34  35 app.Run(); 36  37 class pfxTesting 38 { 39     public static string LoadPfx(string? filename, string password = "") 40     { 41         try 42         { 43             if (filename == null) filename = "contoso.com.pfx"; 44  45             var bytes = File.ReadAllBytes(filename); 46             var cert = new X509Certificate2(bytes, password); 47  48             return cert.ToString(); 49         } 50         catch (Exception ex) 51         { 52             return ex.Message; 53         } 54     } 55  56     public static string FindPfx(string certThumbprint = "") 57     { 58         try 59         { 60             bool validOnly = false; 61             using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser)) 62             { 63                 certStore.Open(OpenFlags.ReadOnly); 64  65                 X509Certificate2Collection certCollection = certStore.Certificates.Find( 66                                             X509FindType.FindByThumbprint, 67                                             // Replace below with your certificate's thumbprint 68                                             certThumbprint, 69                                             validOnly); 70                 // Get the first cert with the thumbprint 71                 X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault(); 72  73                 if (cert is null) 74                     throw new Exception($"Certificate with thumbprint {certThumbprint} was not found"); 75  76                 return cert.ToString(); 77  78             } 79         } 80         catch (Exception ex) { return ex.Message; } 81     } 82 }

 

参考资料

发布 Web 应用：https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

生成自签名证书概述  https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

在 Azure 应用服务中通过代码使用 TLS/SSL 证书 ： https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file

 

[END]