Working with certificates in Azure App Service

Recently, we had a project which required us to connect to a MySQL server from .NET Core using client certificate authentication. While this seemed fairly trivial, we hit some issues after deploying the application to Azure App Service.

We had the application tested locally with a connection string referring to a certificate within the application’s storage (D:\home\site\certs\connection.pfx). As soon as we hit the application’s endpoint, we received the following error:

We were trying to figure out what was going on; even the official docs didn’t get us any further. Then my colleague tried to upload the certificate to App Service and load it with the WEBSITE_LOAD_CERTIFICATES option. Suddenly, everything started to work, which was really strange, since we were still using the PFX file directly, not the certificate from the certificate store.

The question that must pop into your head first is why we weren’t using the certificate store in App Service to load the certificate. Simple: we were using the official MySQL connector (Pomelo uses it in the background), which didn’t (at the time) support loading the certificate from the store.

After raising an issue in Kudu’s repository and getting a response from one of the engineers, it was clear: reading a PFX requires the user profile to be loaded. Adding WEBSITE_LOAD_CERTIFICATES implicitly loaded the profile in the background, which is why we could then read the PFX from the filesystem. So the solution was simple: adding the WEBSITE_LOAD_USER_PROFILE=1 option to the application’s settings.

After getting this to work (the application was at the proof-of-concept stage), we decided that we didn’t want to store the certificate directly in the filesystem and wanted to use the certificate store instead. While this connection method is fully supported in MySQL’s connector for .NET Framework, it was missing in the .NET Core version. I first submitted an issue to see whether the project would be open to such a feature and whether there were any reasons it hadn’t been implemented yet. After confirming with the project’s maintainer, we ended up contributing the implementation that allows using the certificate store from the connection string. The day after, the 0.43.0 release came out including the enhancement.
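To make the two approaches from this post concrete, here is an added example (my own illustration, not code from the post or from the connector project) showing both ways of obtaining the client certificate in an App Service app: the PFX file (which only works once WEBSITE_LOAD_USER_PROFILE=1 is set) and the CurrentUser\My store (which App Service populates when WEBSITE_LOAD_CERTIFICATES is set). The store-based connection string uses the connector’s `CertificateStoreLocation` and `CertificateThumbprint` options; the thumbprint, paths, and the `CLIENT_CERT_THUMBPRINT` app setting are placeholders of my choosing.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using MySqlConnector; // NuGet package MySqlConnector (0.43.0 or newer for the store options)

public static class MySqlClientCerts
{
    // Approach 1: PFX file on the App Service filesystem.
    // On App Service this throws unless WEBSITE_LOAD_USER_PROFILE=1 is set,
    // because importing a PFX private key needs a loaded user profile.
    public static X509Certificate2 LoadFromPfx(string path, string password)
    {
        var cert = new X509Certificate2(path, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX did not yield a private key");
        return cert;
    }

    // Approach 2: certificate store. With WEBSITE_LOAD_CERTIFICATES=<thumbprint>
    // (or *), App Service places the uploaded certificate into CurrentUser\My.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false, because a client cert from a private CA will not chain
        // to a trusted root on the App Service worker and would otherwise be skipped.
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"Certificate {thumbprint} not in CurrentUser\\My; check WEBSITE_LOAD_CERTIFICATES");
        return matches[0];
    }

    // Approach 2 without touching X509Store yourself: let the connector read the
    // store, which is what the 0.43.0 enhancement enables. Hypothetical app setting
    // CLIENT_CERT_THUMBPRINT holds the thumbprint; SslMode=Required enforces TLS.
    public static string BuildStoreConnectionString(string server, string db, string user)
    {
        var thumbprint = Environment.GetEnvironmentVariable("CLIENT_CERT_THUMBPRINT")
            ?? throw new InvalidOperationException("CLIENT_CERT_THUMBPRINT app setting missing");
        var csb = new MySqlConnectionStringBuilder
        {
            Server = server, Database = db, UserID = user,
            SslMode = MySqlSslMode.Required,
            CertificateStoreLocation = MySqlCertificateStoreLocation.CurrentUser,
            CertificateThumbprint = thumbprint,
        };
        return csb.ConnectionString;
    }
}
```

Whichever approach is used, `HasPrivateKey` is the quick check that the loaded certificate can actually complete the TLS client handshake rather than only the public half having been found.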

This is my first post with WordPress’s all new Gutenberg editor, so please excuse any issues which might occur.

Author: Jan Hajek
