在使用App Service服务部署业务应用,因为有些第三方的接口需要调用者携带TLS/SSL证书(X509 Certificate),在官方文档中介绍了两种方式在代码中使用证书:
1) 直接使用证书文件路径加载证书
2) 从系统的证书库中通过指纹加载证书
本文中,将分别通过代码来验证以上两种方式.
参考文档 : 生成自签名证书概述 https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell
$cert = New-SelfSignedCertificate -DnsName @("mytest.com", "www.mytest.com") -CertStoreLocation "cert:\LocalMachine\My" $certKeyPath = 'C:\MyWorkPlace\Tools\scerts\mytest.com.pfx' $password = ConvertTo-SecureString 'password' -AsPlainText -Force $cert | Export-PfxCertificate -FilePath $certKeyPath -Password $password $rootCert = $(Import-PfxCertificate -FilePath $certKeyPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $password)
注意:
public static string LoadPfx(string? filename, string password = "") { try { if (filename == null) filename = "contoso.com.pfx"; var bytes = File.ReadAllBytes(filename); var cert = new X509Certificate2(bytes, password); return cert.ToString(); } catch (Exception ex) { return ex.Message; } }
public static string FindPfx(string certThumbprint = "") { try { bool validOnly = false; using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser)) { certStore.Open(OpenFlags.ReadOnly); X509Certificate2Collection certCollection = certStore.Certificates.Find( X509FindType.FindByThumbprint, // Replace below with your certificate's thumbprint certThumbprint, validOnly); // Get the first cert with the thumbprint X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault(); if (cert is null) throw new Exception($"Certificate with thumbprint {certThumbprint} was not found"); return cert.ToString(); } } catch (Exception ex) { return ex.Message; } }
在本次实验中,通过API来调用以上 LoadPfx 和 FindPfx 方法
通过文件方式读取证书内容,测试成功
但是,通过指纹查找的时候,却返回无法找到证书。
Certificate with thumbprint 5A1E7923F5638549F4BA3E29EEDBBDCB2E9B572E was not found
这是原因有两种:
1)证书没有添加到App Service的Certificates中。
2)需要在App Service的Configuration中添加配置WEBSITE_LOAD_CERTIFICATES参数,值为 * 或者是固定的 证书指纹值。
检查以上两点原因后,再次通过指纹方式查找证书。成功!
1 using Microsoft.AspNetCore.Mvc; 2 using System.Security.Cryptography.X509Certificates; 3 4 var builder = WebApplication.CreateBuilder(args); 5 6 // Add services to the container. 7 8 var app = builder.Build(); 9 10 // Configure the HTTP request pipeline. 11 12 app.UseHttpsRedirection(); 13 14 15 app.MapGet("/loadpfxbyname", ([FromQuery(Name = "name")] string filename, [FromQuery(Name = "pwd")] string pwd) => 16 { 17 var content = pfxTesting.LoadPfx(filename, pwd); 18 return content; 19 }); 20 21 app.MapGet("/loadpfx/{pwd}", (string pwd) => 22 { 23 24 var content = pfxTesting.LoadPfx(null, pwd); 25 return content; 26 }); 27 28 app.MapGet("/findpfx/{certThumbprint}", (string certThumbprint) => 29 { 30 31 var content = pfxTesting.FindPfx(certThumbprint); 32 return content; 33 }); 34 35 app.Run(); 36 37 class pfxTesting 38 { 39 public static string LoadPfx(string? filename, string password = "") 40 { 41 try 42 { 43 if (filename == null) filename = "contoso.com.pfx"; 44 45 var bytes = File.ReadAllBytes(filename); 46 var cert = new X509Certificate2(bytes, password); 47 48 return cert.ToString(); 49 } 50 catch (Exception ex) 51 { 52 return ex.Message; 53 } 54 } 55 56 public static string FindPfx(string certThumbprint = "") 57 { 58 try 59 { 60 bool validOnly = false; 61 using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser)) 62 { 63 certStore.Open(OpenFlags.ReadOnly); 64 65 X509Certificate2Collection certCollection = certStore.Certificates.Find( 66 X509FindType.FindByThumbprint, 67 // Replace below with your certificate's thumbprint 68 certThumbprint, 69 validOnly); 70 // Get the first cert with the thumbprint 71 X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault(); 72 73 if (cert is null) 74 throw new Exception($"Certificate with thumbprint {certThumbprint} was not found"); 75 76 return cert.ToString(); 77 78 } 79 } 80 catch (Exception ex) { return ex.Message; } 81 } 82 }
在 Azure 应用服务中通过代码使用 TLS/SSL 证书 : https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file
[END]