
I'm trying to create an Azure Function that will call a SOAP API that requires the use of a certificate. I have a .PFX certificate (saved as base64) and the matching password. Both are saved in Azure Key Vault as secrets, and I validated that they're retrieved just fine.

In my Azure Function (.NET Core 3.1), I'm creating an X509Certificate2 object with the following constructor:

certificate = new X509Certificate2(certBytes, pass, X509KeyStorageFlags.MachineKeySet);

The X509KeyStorageFlags used here was suggested by several other answered questions here.

The result of this constructor is always the following error: The specified network password is not correct.

I've attempted to perform the same action locally, and here the certificate is loaded correctly and I can get info on the issuer, etc.

Other storage flags, like MachineKeySet + PersistKeySet + Exportable did not make a difference, and loading the PFX not as base64 but as a file gives the same error.

Does anyone know why this code behaves differently in an Azure Function compared to running it locally?

3 Answers

2

It may work to pass null for the password. With Key Vault certs, I've found this works to load as X509Certificate2 objects, at least when self-signed.


1 Comment

I need to clarify this in my post, but I'm storing the certificate as base64 in the key vault, so I need the password when constructing the X509Certificate2 object. The reason it's stored that way is that Azure Key Vault would not accept the pfx in certificate storage (which seems to be a problem on its own).
1

Azure Functions don't have a user profile loaded, so there's nowhere to save the private key. Or, for just MachineKeySet it's probably that you don't have admin rights, so you can't create the private key file... and somehow that error is getting misinterpreted.

You might have luck with the EphemeralKeySet flag, since that says "don't save the key to disk", which should avoid the problem. If that doesn't do it, try EphemeralKeySet | MachineKeySet, which might avoid "there's no profile" and also the lack of permissions (since it never actually tries creating a file).

1 Comment

While it did not work with the certificate I got issued by the API developers, it did work with another certificate in combination with these flags. So while I'm still not sure why the original certificate works locally but not on Azure, the error message is at least gone. Thanks!
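As an added illustration of the flag combination suggested in the answer above (example code, not from the question or any answer): a small helper that decodes the base64 PFX retrieved from Key Vault, loads it with EphemeralKeySet | MachineKeySet so the private key never has to be written to a user profile or machine key store, checks that a usable private key is actually present, and attaches the certificate to an HttpClient for the SOAP call. The class and method names are hypothetical, and retrieving the two Key Vault secrets is assumed to happen elsewhere.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from the question or answers): load a PFX that was
// stored base64-encoded in Key Vault without persisting the private key to disk.
public static class ClientCertificateLoader
{
    public static X509Certificate2 LoadFromBase64(string pfxBase64, string pfxPassword)
    {
        byte[] pfxBytes = Convert.FromBase64String(pfxBase64);

        // EphemeralKeySet keeps the private key in memory only, so the function
        // host needs neither a loaded user profile nor write access to the machine
        // key store. MachineKeySet is OR-ed in as the fallback location the answer
        // suggests for hosts where EphemeralKeySet alone is not honoured.
        const X509KeyStorageFlags flags =
            X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.MachineKeySet;

        var certificate = new X509Certificate2(pfxBytes, pfxPassword, flags);

        // Sanity checks: client authentication needs the private key, and an
        // expired certificate fails the TLS handshake with an equally unhelpful error.
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("PFX did not contain a private key.");
        if (DateTime.UtcNow > certificate.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Certificate expired on {certificate.NotAfter:u}.");

        return certificate;
    }

    // Build the HttpClient used for the SOAP call with the certificate attached
    // as a client certificate (mutual TLS).
    public static HttpClient CreateSoapClient(X509Certificate2 certificate)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(certificate);
        return new HttpClient(handler, disposeHandler: true);
    }
}
```

EphemeralKeySet is available from .NET Core 2.0 onward, so it works on the .NET Core 3.1 runtime in the question; on macOS it is not supported and throws PlatformNotSupportedException, which only matters for local runs there.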
0

For anyone seeing this - I had the exact same issue with a certificate provided by an external supplier.

The problem was that the certificate was exported using AES256-SHA256 encryption and for whatever reason, Azure Functions v4 couldn't handle this. The error message was incredibly unhelpful as the password was correct.

Solution? Import the cert into your local certificate store, then export it with TripleDES-SHA1 instead. Should work fine after that.
