Azure App Services: How to determine if the client certificate is loaded

USE CASE

When an application hosted on Azure App Service requires a client certificate, you can upload the certificate to the certificates collection in Azure App Service and consume it in your web application from your site’s personal certificate store. This functionality is only available for dedicated sites (Basic, Standard, Premium pricing tiers).

You can follow the steps and code in the article below to implement this in a C# application:

 

ISSUE DEFINITION

The same code had been running fine, but the application suddenly started throwing an exception while loading the client certificates from the certificate store.

 

CHECK IF THE CERTIFICATE IS LOADING

Using PowerShell

  1. Check the application settings and see whether WEBSITE_LOAD_CERTIFICATES is present. (This setting is required to load the client certificates for the application.)


  1. Open the Azure Portal, go to Advanced Tools -> click Go
  2. Select Debug console -> PowerShell
  3. Run the command “cd cert:\currentuser\my”
  4. Run the command “dir”
  5. It should list all the certificates loaded for this application. (Note: Make sure that the application setting WEBSITE_LOAD_CERTIFICATES is present.)
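
The same check as a single script for the Kudu PowerShell console, added here as an example and not taken from the original article. It assumes that app settings are exposed to the console as environment variables and that WEBSITE_LOAD_CERTIFICATES holds either `*` or a comma-separated list of thumbprints.

```powershell
# Added example. Assumes app settings are exposed as environment variables and
# that WEBSITE_LOAD_CERTIFICATES is '*' or a comma-separated thumbprint list.
$setting = $env:WEBSITE_LOAD_CERTIFICATES

if ([string]::IsNullOrWhiteSpace($setting)) {
    Write-Output 'WEBSITE_LOAD_CERTIFICATES is not set: nothing is loaded into Cert:\CurrentUser\My.'
}
else {
    # Certificates actually present in the store on this instance
    $loaded = @(Get-ChildItem -Path Cert:\CurrentUser\My)
    Write-Output ("Instance {0}: {1} certificate(s) in Cert:\CurrentUser\My" -f $env:COMPUTERNAME, $loaded.Count)

    # Show expiry and private-key availability, two common reasons a load fails in code
    $now = Get-Date
    $loaded | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            Expired       = ($_.NotAfter -lt $now)
            HasPrivateKey = $_.HasPrivateKey
        }
    } | Format-Table -AutoSize

    # When specific thumbprints are configured, report any that did not load
    if ($setting.Trim() -ne '*') {
        $expected = @($setting.Split(',') |
            ForEach-Object { $_.Trim().ToUpperInvariant() } |
            Where-Object { $_ })
        $present = @($loaded | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
        $missing = @($expected | Where-Object { $present -notcontains $_ })

        if ($missing.Count -gt 0) {
            Write-Output 'Thumbprints listed in the setting but NOT loaded on this instance:'
            $missing
        }
        else {
            Write-Output 'Every thumbprint listed in the setting is loaded on this instance.'
        }
    }
}
```

A thumbprint reported as missing on one instance but present on another points at that instance rather than at the application code.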


Note: If your site is running on multiple instances, then you should run the above PowerShell commands on all the instances. Please follow the link below for more information on how to connect to the Kudu site of a specific instance:

 

Using Site Extension

You can install the Certificate Read Checker (CRC) Web Site Extension. Using this extension, you can easily test whether an uploaded certificate can be read via code.

The site extension is already present in the Site Extension gallery.