【Azure App Service】.NET程式碼實驗App Service應用中獲取TLS/SSL 證書 (App Service Windows)

路边两盏灯發表於2024-05-28
APPTLSWindows

在使用App Service服務部署業務應用,因為有些第三方的介面需要呼叫者攜帶TLS/SSL證書(X509 Certificate),在官方文件中介紹了兩種方式在程式碼中使用證書:

1) 直接使用證書檔案路徑載入證書

2) 從系統的證書庫中透過指紋載入證書

本文中,將分別透過程式碼來驗證以上兩種方式.

第一步:使用PowerShell建立自簽名證書

參考文件 : 生成自簽名證書概述 https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

$cert = New-SelfSignedCertificate -DnsName @("mytest.com", "www.mytest.com") -CertStoreLocation "cert:\LocalMachine\My"

$certKeyPath = 'C:\MyWorkPlace\Tools\scerts\mytest.com.pfx'

$password = ConvertTo-SecureString 'password' -AsPlainText -Force

$cert | Export-PfxCertificate -FilePath $certKeyPath -Password $password

$rootCert = $(Import-PfxCertificate -FilePath $certKeyPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $password)

注意:

  • 需要使用Administrator模式開啟PowerShell視窗
  • DnsName, CertKeyPath和 password的內容都可根據需求進行調整

第二步:準備兩種讀取證書的 .NET程式碼

方式一:透過證書檔名和密碼讀取載入證書

    public static string LoadPfx(string? filename, string password = "")
    {
        try
        {
            if (filename == null) filename = "contoso.com.pfx";

            var bytes = File.ReadAllBytes(filename);
            var cert = new X509Certificate2(bytes, password);
            return cert.ToString();
        }
        catch (Exception ex)
        {
            return ex.Message;
        }
}

方式二:透過指紋在系統證書庫中查詢證書

   public static string FindPfx(string certThumbprint = "")
   {
       try
       {
           bool validOnly = false;
           using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
           {
               certStore.Open(OpenFlags.ReadOnly);
               X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                           X509FindType.FindByThumbprint,
                                           // Replace below with your certificate's thumbprint
                                           certThumbprint,
                                           validOnly);

               // Get the first cert with the thumbprint
               X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();

               if (cert is null)
               throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");
               return cert.ToString();
           }
       }
       catch (Exception ex) { return ex.Message; }
   }

在本次實驗中,透過API來呼叫以上 LoadPfx 和 FindPfx 方法

第三步:釋出測試應用到Azure App Service

步驟參考釋出 Web 應用:https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

第四步:測試介面並修復問題

透過檔案方式讀取證書內容,測試成功

但是,透過指紋查詢的時候,卻返回無法找到證書。

Certificate with thumbprint 5A1E7923F5638549F4BA3E29EEDBBDCB2E9B572E was not found

這是原因有兩種:

1)證書沒有新增到App Service的Certificates中。

2)需要在App Service的Configuration中新增配置WEBSITE_LOAD_CERTIFICATES引數,值為 * 或者是固定的 證書指紋值。

【Azure App Service】.NET程式碼實驗App Service應用中獲取TLS/SSL 證書 (App Service Windows)

檢查以上兩點原因後,再次透過指紋方式查詢證書。成功!

示例程式碼

 1 using Microsoft.AspNetCore.Mvc;
 2 using System.Security.Cryptography.X509Certificates;
 3 
 4 var builder = WebApplication.CreateBuilder(args);
 5 
 6 // Add services to the container.
 7 
 8 var app = builder.Build();
 9 
10 // Configure the HTTP request pipeline.
11 
12 app.UseHttpsRedirection();
13 
14 
15 app.MapGet("/loadpfxbyname", ([FromQuery(Name = "name")] string filename, [FromQuery(Name = "pwd")] string pwd) =>
16 {
17     var content = pfxTesting.LoadPfx(filename, pwd);
18     return content;
19 });
20 
21 app.MapGet("/loadpfx/{pwd}", (string pwd) =>
22 {
23 
24     var content = pfxTesting.LoadPfx(null, pwd);
25     return content;
26 });
27 
28 app.MapGet("/findpfx/{certThumbprint}", (string certThumbprint) =>
29 {
30 
31     var content = pfxTesting.FindPfx(certThumbprint);
32     return content;
33 });
34 
35 app.Run();
36 
37 class pfxTesting
38 {
39     public static string LoadPfx(string? filename, string password = "")
40     {
41         try
42         {
43             if (filename == null) filename = "contoso.com.pfx";
44 
45             var bytes = File.ReadAllBytes(filename);
46             var cert = new X509Certificate2(bytes, password);
47 
48             return cert.ToString();
49         }
50         catch (Exception ex)
51         {
52             return ex.Message;
53         }
54     }
55 
56     public static string FindPfx(string certThumbprint = "")
57     {
58         try
59         {
60             bool validOnly = false;
61             using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
62             {
63                 certStore.Open(OpenFlags.ReadOnly);
64 
65                 X509Certificate2Collection certCollection = certStore.Certificates.Find(
66                                             X509FindType.FindByThumbprint,
67                                             // Replace below with your certificate's thumbprint
68                                             certThumbprint,
69                                             validOnly);
70                 // Get the first cert with the thumbprint
71                 X509Certificate2 cert = certCollection.OfType<X509Certificate2>().FirstOrDefault();
72 
73                 if (cert is null)
74                     throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");
75 
76                 return cert.ToString();
77 
78             }
79         }
80         catch (Exception ex) { return ex.Message; }
81     }
82 }

參考資料

釋出 Web 應用:https://docs.azure.cn/zh-cn/app-service/quickstart-dotnetcore?tabs=net70&pivots=development-environment-vs#2-publish-your-web-app

生成自簽名證書概述 https://learn.microsoft.com/zh-cn/dotnet/core/additional-tools/self-signed-certificates-guide#with-powershell

在 Azure 應用服務中透過程式碼使用 TLS/SSL 證書 : https://docs.azure.cn/zh-cn/app-service/configure-ssl-certificate-in-code#load-certificate-from-file

[END]

相關文章