Troubleshooting Retrieving Certificates in Azure App Services

You can upload and use Certificates securely in your Azure App Service (Azure Web App, Azure Mobile App etc… ).  If you are having trouble, here are some basic troubleshooting steps.

Example error: ”cannot find certificate with thumbprint"

Is your certificate loaded in your Resource Group?  You can search for the thumbprint using the Azure Resource Explorer

Is your site at least Basic SKU?  This is required.

Did you set the Web App setting: WEBSITE_LOAD_CERTIFICATES?  Try setting the WEBSITE_LOAD_CERTIFICATES  value to * for testing purposes

What is your code doing?  Here is how you can load all certificates and display the first one.  See the original article for picking one by thumbprint.

static string testcert()
            string strRes = "no certs found";

            //Cert Store for CurrentUser is the only one we can get certificates for
            X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            //Open it read only

            // if we have any certificates...
            if (certStore.Certificates.Count > 0)
                //Just get the first one
                X509Certificate2 cert = certStore.Certificates[0];
                // Use certificate
                // In this case get the subject
                strRes = cert.Subject;

            //Don't forget to CLOSE the store
            return strRes;


Debug the app to see what is going on in your Cert Code!  If the cert shows up in the Portal for your web app then it must be loaded in the resource group.

Ensure the StoreName.My and StoreLocation.CurrentUser is where you are looking for the cert!


I know this is simple but sometimes it helps to have a checklist!  Let me know if this was useful to you by dropping a comment!

Comments (2)
  1. Dave Cotton says:

    Hey Jeff – thanks for taking the time to write this up. Can you clarify the meaning of CurrentUser in this context? Is it the principal executing the process for the app? I’ve used the New-MsolServicePrincipalCredential to upload a cert for a registered app (using the registered AppId as the cmdlet’s AppPrincipalId). At runtime I would expect this cert to be in the CurrentUser’s store, but its never found. Am I thinking about this incorrectly?

    1. Jeff Sanders says:

      The CurrentUser is the authenticated user. That user does not have a profile on the machine.

Comments are closed.

Skip to main content