Which certificate store do I place an Azure App Registration certificate in on an on-prem server

Time:07-01

I've set up Azure KeyVault for a .NET 6 application we have in development.

I followed the instructions here - https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-6.0#use-application-id-and-x509-certificate-for-non-azure-hosted-apps

It basically consists of:

  • Create a certificate
  • Install the certificate into your Personal user store
  • Add that to the relevant Azure App Registration
  • Add the access policies
  • Add the following bit of code to the app
// Requires the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// Look the certificate up by thumbprint in the current user's Personal (My) store
using var x509Store = new X509Store(StoreLocation.CurrentUser);
x509Store.Open(OpenFlags.ReadOnly);
var x509Certificate = x509Store.Certificates
    .Find(
        X509FindType.FindByThumbprint,
        builder.Configuration.GetSection("AzureAd")["CertificateThumbprint"],
        validOnly: false)
    .OfType<X509Certificate2>()
    .Single();

// Authenticate to Key Vault as the App Registration with that certificate
builder.Configuration.AddAzureKeyVault(
    new Uri($"https://{builder.Configuration.GetSection("KeyVault")["Name"]}.vault.azure.net/"),
    new ClientCertificateCredential(
        builder.Configuration.GetSection("AzureAd")["DirectoryId"],
        builder.Configuration.GetSection("AzureAd")["ApplicationId"],
        x509Certificate));

And that works perfectly when running locally. My issue now is I need to deploy this to an on-prem server running IIS.

This line

using var x509Store = new X509Store(StoreLocation.CurrentUser);

tells it to search the 'Current User' certificate store. This is fine when running locally, as that's me, but when running on a server, specifically a Windows Server 2019 with IIS 10, who is that, and is this even the right thing to do?

My question comes down to two things.

1 - If I use this code as is, who is the 'CurrentUser' when running on a server? I assume it is the ApplicationPoolIdentity user (IISAppPool/NameOfPool). If so, how do I add a certificate to their store?

2 - Alternatively, I assume I could change the StoreLocation.CurrentUser to StoreLocation.LocalMachine, and install the certificate to the local machine. This should work, but are there downsides to this?

CodePudding user response:

Setting the store to LocalMachine is fine as long as the cert is non-exportable.
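The answer above leaves the install step implicit. The following is an added example (not code from the question, the answer, or the linked Microsoft docs) showing how to put the App Registration certificate into the LocalMachine Personal store with a non-exportable private key and then grant only the IIS application pool identity read access to that key, rather than leaving it readable by every account on the server. The PFX path and the app pool name are placeholders; the script assumes an elevated PowerShell session on the IIS host.

```powershell
# Added example, not code from the question or the answer.
# Installs the App Registration certificate into Cert:\LocalMachine\My with a
# NON-exportable private key, then grants only the IIS application pool
# identity read access to that key.
# Assumptions (placeholders, not from the page): the PFX path and the app pool
# name. Run from an elevated PowerShell session on the IIS host.

$pfxPath     = 'C:\deploy\appreg-cert.pfx'   # assumed: exported PFX of the App Registration cert
$appPoolName = 'MyAppPool'                     # assumed: IIS application pool name
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into the machine store. Leaving out -Exportable makes the private
#    key non-exportable, which is the condition the answer attaches to
#    using StoreLocation.LocalMachine.
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# 2. Find the private key file on disk. CNG keys live under ...\Crypto\Keys,
#    legacy CAPI keys under ...\Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
} else {
    $info       = $rsa.CspKeyContainerInfo
    $keyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    $exportable = $info.Exportable
}
if ($exportable) { throw 'Private key is exportable; re-import the PFX without -Exportable.' }

# 3. Grant the application pool's virtual account ("IIS AppPool\<pool name>")
#    read access to the key file. Existing ACL entries are left in place and
#    no other account is added.
$identity = "IIS AppPool\$appPoolName"
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify the certificate is in the machine store with its private key attached.
$installed = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
"Installed $($installed.Thumbprint) HasPrivateKey=$($installed.HasPrivateKey) Exportable=$exportable"
```

With the certificate installed this way, the only change the application needs is `new X509Store(StoreName.My, StoreLocation.LocalMachine)` in place of `new X509Store(StoreLocation.CurrentUser)`; the thumbprint lookup stays the same. The same ACL can be set by hand in certlm.msc via All Tasks > Manage Private Keys on the certificate. For reference, when the pool runs as ApplicationPoolIdentity, 'CurrentUser' is the virtual account `IIS AppPool\<pool name>`, whose per-user certificate store is only available when the pool's Load User Profile setting is enabled, which is why the machine store is the usual choice on a server.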
