Loading a X509Certificate2 causes a CGI exception on Azure App Service

[ricklove]

I am trying to load a .p12 file into a X509Certificate2 object.

The code runs fine on my local machine.

Whenever, I run the following line on Azure, it crashes the asp.net process with a CGI error:

var certificate = new X509Certificate2(fileBytes, "notasecret", X509KeyStorageFlags.Exportable);

The following line does not crash:

var cert = new X509Certificate2();

Also, if the password is incorrect, the server gives a normal exception explaining that the password is incorrect:

var certificate = new X509Certificate2(fileBytes, "wrong");

I upgraded to 1.0.1 hoping it would solve the problem, but it occured on both 1.0.0 and 1.0.1.

So, to be clear:

• Only crashes on Azure App Site (with CGI error)
• Only happens when the cert file password is correct

Here is the full code:

        ```
        var log = "";

        var keyFileServerPath = _env.ContentRootPath + @"\GACert.p12";
        log += "\r\n" + "Got File Path";

        var cert = new X509Certificate2();
        log += "\r\n" + "Created Empty Cert";

        var fileExists = System.IO.File.Exists(keyFileServerPath);
        log += "\r\n" + "File Exists? =" + fileExists;

        var fileBytes = System.IO.File.ReadAllBytes(keyFileServerPath);
        log += "\r\n" + "File Bytes.Length=" + fileBytes.Length;

        //// WRONG PASSWORD - Causes a normal Exception (so password is OK)
        //var certificate = new X509Certificate2(fileBytes, "wrong");
        //log += "\r\n" + "Created Cert Using Bytes";

        //// FAILED - CGI Error (Crashing the Asp.Net Process)
        //var certificate = new X509Certificate2(fileBytes, "notasecret", X509KeyStorageFlags.Exportable);
        //log += "\r\n" + "Created Cert Using Bytes";

[muratg]

Can you check if your cert is expired? And try with a non-expired cert? On a desktop/laptop machine, this works fine, but on Azure App Service, this seems to be failing. See App Service forum entry, or the issue where this was first filed on.

cc @davidebbo

[ricklove]

The cert was just generated yesterday, so I don't know how it would be expired.

[mpospisil]

Have you found any solution. I have the same problem - framework net461?

[williamfunchal]

The problem is the Azure Web Apps restricts access to the machines private key store. Please note that this only works for Basic Tier and above (not Free or Shared tier). Are you in this case?

[NoemiLindqvist]

Hej,
I have the same issue but with Azure Functions. The certificate works perfectly in my local machine but It does not work in Azure Portal. It throws the following exception. Do you have any idea?

Error in OnTriggerAuditCenterOperationStatus : Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index at System.Collections.CollectionBase.System.Collections.IList.get_Item(Int32 index)
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.get_Item(Int32 index)
at XXX.core.helpers.ManagementCertificateService.GetX509Certificate2BySubjectName(String subjectName)
at qnet.concierge.core.inventory.SystemCenterSubscriptionInventoryHandler.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at qnet.concierge.core.audit.SystemCenterJobAuditor.d__3.MoveNext()

[mpospisil]

I solved this issue by generating a new ssl certificate using command makecert. Something was missing in my original certificate (I can not remember details now)

[nickverschueren]

This still is not fixed in .Net Core 2.1.2, I have the exact same issue. A certificate generated with OpenSSL crashes the process when it is used to create an instance an X509Certificate2. It works perfectly on premise under Win10 and fails when running in an Azure WebApp.

[Eilon]

This issue was moved to dotnet/corefx#28860