如果 Web 应用程序托管在 azure 应用程序服务上，如何读取证书 [英] how to read certificate if web app is hosted over azure app service

问题描述

我有一个 asp.net core web api (app1) 应用程序，它正在调用另一个 asp.net core web api (app2)，我正在考虑将 app1 作为守护程序应用程序，我想使用证书而不是应用程序来跟踪客户端凭据秘密.

I have a asp.net core web api (app1) application which is calling another asp.net core web api (app2) and I am considering app1 as deamon app and I would like to follow client credentials with certificate rather than application secrets.

https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi#variation-daemon-application-using-client-credentials-with-certificates

一切正常，直到我的 app1 和 app2 在本地机器上运行，我正在读取如下证书，

Everything works fine till my both app1 and app2 running in local machine where I am reading the certificate like below,

private static X509Certificate2 ReadCertificate(string certificateName)
    {
        if (string.IsNullOrWhiteSpace(certificateName))
        {
            throw new ArgumentException("certificateName should not be empty. Please set the CertificateName setting in the appsettings.json", "certificateName");
        }
        X509Certificate2 cert = null;

        using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection certCollection = store.Certificates;

            // Find unexpired certificates.
            X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);

            // From the collection of unexpired certificates, find the ones with the correct name.
            X509Certificate2Collection signingCert = currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certificateName, false);

            // Return the first certificate in the collection, has the right name and is current.
            cert = signingCert.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault();
        }
        return cert;
    }

证书在本地机器上，我从这里读取，

The certificate is in local machine and I am reading it from here,

 using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))

现在我想同时托管 app1 和2 有了azure app service，现在的问题是如何读取证书?

Now I want to host both app1 & 2 with azure app service, now question is how to read certificate?

谢谢！

推荐答案

在 Azure 计算(例如应用服务)上部署时，没有可用的 local 磁盘或证书存储

When deploying on an Azure compute (App service for example), there is no such thing as a local disk or certificate store available as such.

所以，连同 建议更改 对您的应用程序的配置，您还需要执行以下操作

So, along with the suggested changes to your application's configuration, you'd also need to do the following

1. 将您的证书存储在 KeyVault(或等效的)中并从您的代码中获取它
2. 更好，考虑使用 Managed身份.

1. Store your certificates in the KeyVault (or equivalent) and fetch it from your code
2. Better, consider using Managed Identities.

这篇关于如果 Web 应用程序托管在 azure 应用程序服务上，如何读取证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！