Question
I have an ASP.NET Core Web API application (app1) which is calling another ASP.NET Core Web API (app2). I am considering app1 as a daemon app and I would like to follow client credentials with a certificate rather than application secrets.
https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi#variation-daemon-application-using-client-credentials-with-certificates
Everything works fine while both app1 and app2 are running on the local machine, where I am reading the certificate like below:
    using System;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    private static X509Certificate2 ReadCertificate(string certificateName)
    {
        if (string.IsNullOrWhiteSpace(certificateName))
        {
            throw new ArgumentException("certificateName should not be empty. Please set the CertificateName setting in the appsettings.json", "certificateName");
        }
        X509Certificate2 cert = null;
        // Open the current user's personal ("My") store read-only; it is disposed when the block ends.
        using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection certCollection = store.Certificates;
            // Find unexpired certificates.
            X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            // From the collection of unexpired certificates, find the ones with the correct name.
            X509Certificate2Collection signingCert = currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certificateName, false);
            // Return the newest certificate in the collection that has the right name and is current.
            cert = signingCert.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault();
        }
        return cert;
    }
The certificate is on the local machine and I am reading it from here:
    using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
Now I want to host both app1 and app2 on Azure App Service, so the question is: how do I read the certificate?
Thanks!
Answer 1:
When deploying on Azure compute (App Service, for example), there is no such thing as a local disk or certificate store available as such.
So, along with the suggested changes to your application's configuration, you'd also need to do the following:
- Store your certificates in Key Vault (or equivalent) and fetch them from your code
- Better, consider using Managed Identities.
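An added example, not from the question or either answer, of the Key Vault plus Managed Identity route Answer 1 recommends: app1 fetches its client certificate from Key Vault using the App Service managed identity, then hands it to MSAL for the client-credentials flow, replacing the CurrentUser\My store lookup in the question. The vault URL, certificate name, tenant ID, client IDs and scope are placeholders, and it assumes the Azure.Identity, Azure.Security.KeyVault.Certificates and Microsoft.Identity.Client NuGet packages.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Microsoft.Identity.Client;

// Added example: load the client certificate from Key Vault through the App Service
// managed identity instead of the local certificate store, then use it with MSAL.
public static class KeyVaultCertificateLoader
{
    // Placeholder values; read them from configuration in a real deployment.
    private const string VaultUrl = "https://<your-vault>.vault.azure.net/";
    private const string CertificateName = "daemon-client-cert";
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<app1-client-id>";
    private static readonly string[] Scopes = { "api://<app2-client-id>/.default" };

    public static async Task<X509Certificate2> ReadCertificateAsync()
    {
        // DefaultAzureCredential uses the App Service managed identity in Azure and
        // falls back to developer credentials (Visual Studio, Azure CLI) locally.
        var credential = new DefaultAzureCredential();
        var client = new CertificateClient(new Uri(VaultUrl), credential);

        // DownloadCertificateAsync returns the certificate together with its private key;
        // the identity needs "Get" permission on certificates and secrets (or the
        // equivalent RBAC role) on the vault, and nothing else.
        X509Certificate2 cert = await client.DownloadCertificateAsync(CertificateName);

        // Fail fast on a rotated-out or public-only certificate rather than at token time.
        if (cert.NotAfter < DateTime.Now || !cert.HasPrivateKey)
            throw new InvalidOperationException($"Certificate '{CertificateName}' is expired or has no private key.");

        return cert;
    }

    public static async Task<string> AcquireTokenForApp2Async()
    {
        X509Certificate2 cert = await ReadCertificateAsync();

        // Same client-credentials flow as the linked sample, keyed by certificate instead of a secret.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```

Cache the loaded certificate (or the IConfidentialClientApplication) for the process lifetime so the daemon does not call Key Vault on every outbound request to app2.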
Answer 2:
You need to use a browser extension to use a certificate from the client's certificate store or a cryptographic device like a USB token or smart card.
Please refer to the SO answers below depending on the task you need to achieve:
- PDF Invoice Signing: https://stackoverflow.com/a/55676351/9659885
- eReturn or any Signing: https://stackoverflow.com/a/55692742/9659885
- Web login or auth (token signing): https://stackoverflow.com/a/55757349/9659885
Source: https://stackoverflow.com/questions/62617940/how-to-read-certificate-if-web-app-is-hosted-over-azure-app-service