【Azure App Service】.NET代码实验App Service应用中获取TLS SSL 证书 (App Service Windows) - LuBu0505/My-Code GitHub Wiki
在使用App Service服务部署业务应用,因为有些第三方的接口需要调用者携带TLS/SSL证书(X509 Certificate),在官方文档中介绍了两种方式在代码中使用证书:
1) 直接使用证书文件路径加载证书
2) 从系统的证书库中通过指纹加载证书
本文中,将分别通过代码来验证以上两种方式.
参考文档 : 生成自签名证书概述 [https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell](https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell)
$cert = New-SelfSignedCertificate -DnsName @("mytest.com", "www.mytest.com") -CertStoreLocation "cert:\LocalMachine\My"
$certKeyPath = 'C:\MyWorkPlace\Tools\scerts\mytest.com.pfx' $password = ConvertTo-SecureString 'password' -AsPlainText -Force $cert | Export-PfxCertificate -FilePath $certKeyPath -Password $password
$rootCert = $(Import-PfxCertificate -FilePath $certKeyPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $password) 注意: * 需要使用Administrator模式打开PowerShell窗口 * DnsName, CertKeyPath和 password的内容都可根据需求进行调整 
public static string LoadPfx(string? filename, string password = "")
{ try { if (filename == null) filename = "contoso.com.pfx"; var bytes = File.ReadAllBytes(filename); var cert = new X509Certificate2(bytes, password); return cert.ToString();
} catch (Exception ex)
{ return ex.Message;
}
}public static string FindPfx(string certThumbprint = "")
{ try { bool validOnly = false; using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint, // Replace below with your certificate's thumbprint certThumbprint,
validOnly); // Get the first cert with the thumbprint X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault(); if (cert is null) throw new Exception($"Certificate with thumbprint {certThumbprint} was not found"); return cert.ToString();
}
} catch (Exception ex) { return ex.Message; }
} 在本次实验中,通过API来调用以上 LoadPfx 和 FindPfx 方法 
步骤参考发布 Web 应用:[https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app](https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app) 
通过文件方式读取证书内容,测试成功 
但是,通过指纹查找的时候,却返回无法找到证书。
Certificate with thumbprint 5A1E7923F5638549F4BA3E29EEDBBDCB2E9B572E was not found
这是原因有两种:
1)证书没有添加到App Service的Certificates中。
2)需要在App Service的Configuration中添加配置WEBSITE_LOAD_CERTIFICATES参数,值为 * 或者是固定的 证书指纹值。 
检查以上两点原因后,再次通过指纹方式查找证书。成功! 
using Microsoft.AspNetCore.Mvc;
using System.Security.Cryptography.X509Certificates;
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
var app = builder.Build();
// Configure the HTTP request pipeline.
app.UseHttpsRedirection();
app.MapGet("/loadpfxbyname", ([FromQuery(Name = "name")] string filename, [FromQuery(Name = "pwd")] string pwd) =>
{
var content = pfxTesting.LoadPfx(filename, pwd);
return content;
});
app.MapGet("/loadpfx/{pwd}", (string pwd) =>
{
var content = pfxTesting.LoadPfx(null, pwd);
return content;
});
app.MapGet("/findpfx/{certThumbprint}", (string certThumbprint) =>
{
var content = pfxTesting.FindPfx(certThumbprint);
return content;
});
app.Run();
class pfxTesting
{
public static string LoadPfx(string? filename, string password = "")
{
try
{
if (filename == null) filename = "contoso.com.pfx";
var bytes = File.ReadAllBytes(filename);
var cert = new X509Certificate2(bytes, password);
return cert.ToString();
}
catch (Exception ex)
{
return ex.Message;
}
}
public static string FindPfx(string certThumbprint = "")
{
try
{
bool validOnly = false;
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your certificate's thumbprint
certThumbprint,
validOnly);
// Get the first cert with the thumbprint
X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();
if (cert is null)
throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");
return cert.ToString();
}
}
catch (Exception ex) { return ex.Message; }
}
}
发布 Web 应用:[https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app](https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app)
生成自签名证书概述 [https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell](https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell)
在 Azure 应用服务中通过代码使用 TLS/SSL 证书 : [https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file](https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file)
[END]
当在复杂的环境中面临问题,格物之道需:浊而静之徐清,安以动之徐生。 云中,恰是如此!