Create a self-signed certificate with Azure Key Vault and use it in your App

Most of the time when I need a self-signed certificate I generate it with OpenSSL, but Azure Key Vault can also create one for you in a few clicks.
In this blog post I use the Azure portal to create a simple self-signed certificate and make it available to an Azure App Service.

REMINDER: DON'T USE SELF-SIGNED CERTIFICATES IN YOUR PRODUCTION ENVIRONMENTS! A self-signed certificate does not chain to any trusted CA, so a client cannot tell it apart from one an attacker generated; every piece of code that accepts it has to switch certificate validation off.

  1. Log in to the Azure portal and create a new resource.
  2. Search for Key Vault and click Create.

[Screenshot: creating a new Azure Key Vault]

  3. You can leave most settings as they are, but you need to select a resource group (or create a new one) and enter a globally unique name for your new Key Vault; the name becomes part of the vault URL (https://<name>.vault.azure.net).

Make sure that you select the same resource group in which your target application resides.

[Screenshot: select a resource group and enter a unique name for your Key Vault]

  4. Leave everything else at its default and click Create to create your new Azure Key Vault.
  5. After Azure has created the vault, open the new Key Vault resource and go to Settings -> Certificates.
  6. At the top of the Certificates screen you will see a Generate/Import button.

[Screenshot: top of the Azure Key Vault Certificates screen]

  7. Click it to start creating a new certificate. Make sure the method of creation is Generate and the type of Certificate Authority is "Self-signed certificate".
  8. Give the new certificate a name that is unique within the vault and a subject in X.500 form, for example CN=myapp.example.test.
  9. Leave everything else at its default (12 months validity, PKCS #12 content type) and click Create to let Azure generate the key pair and the self-signed certificate. The private key is generated inside the vault and does not leave it until you import the certificate somewhere.
 10. That's it: you now have a self-signed certificate in Azure Key Vault that you can use for development and test purposes on Azure App Service. This is not for production systems!
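The portal hides most of the certificate policy behind defaults. As an added example that is not part of the original post, the following C# code creates the same kind of self-signed certificate through the Azure SDK (Azure.Security.KeyVault.Certificates, authenticating with DefaultAzureCredential from Azure.Identity) with every policy setting spelled out, and adds a DNS subject alternative name the portal dialog does not ask for. The vault URL is read from an environment variable KEY_VAULT_URI, the certificate name dev-selfsigned and the subject CN=dev.example.test are placeholders, and the calling identity is assumed to be allowed to create certificates in the vault; none of these names come from the post.

```csharp
// Added example, not code from the original post. Creates a self-signed certificate in
// Azure Key Vault with the Azure SDK, spelling out the policy the portal applies silently.
// Assumptions: NuGet packages Azure.Identity and Azure.Security.KeyVault.Certificates,
// the vault URL in the KEY_VAULT_URI environment variable, and an identity that may
// create certificates in that vault. Names such as dev-selfsigned are placeholders.
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

public static class DevCertProvisioner
{
    // Issuer "Self" is what makes the certificate self-signed; everything else is the
    // portal default made explicit, plus a SAN so TLS clients can match the host name.
    public static CertificatePolicy BuildSelfSignedPolicy(string subject, string dnsName, int validityMonths)
    {
        var sans = new SubjectAlternativeNames { DnsNames = { dnsName } };
        var policy = new CertificatePolicy(WellKnownIssuerNames.Self, subject, sans)
        {
            KeyType = CertificateKeyType.Rsa,
            KeySize = 2048,
            ReuseKey = false,                       // fresh key pair on every (re)issue
            Exportable = true,                      // App Service must be able to pull the private key
            ContentType = CertificateContentType.Pkcs12,
            ValidityInMonths = validityMonths,      // keep dev certificates short-lived
        };
        policy.KeyUsage.Add(CertificateKeyUsage.DigitalSignature);
        policy.KeyUsage.Add(CertificateKeyUsage.KeyEncipherment);
        policy.EnhancedKeyUsage.Add("1.3.6.1.5.5.7.3.1");  // id-kp-serverAuth
        policy.EnhancedKeyUsage.Add("1.3.6.1.5.5.7.3.2");  // id-kp-clientAuth
        return policy;
    }

    // Starts the asynchronous certificate operation in the vault and waits until the
    // key pair and certificate exist. Returns the thumbprint, which is the value that
    // WEBSITE_LOAD_CERTIFICATES and the X509Store lookup in the app key on.
    public static async Task<string> CreateAsync(Uri vaultUri, string certificateName, CertificatePolicy policy)
    {
        var client = new CertificateClient(vaultUri, new DefaultAzureCredential());
        CertificateOperation operation = await client.StartCreateCertificateAsync(certificateName, policy);
        KeyVaultCertificateWithPolicy certificate = await operation.WaitForCompletionAsync();

        if (certificate.Policy.IssuerName != WellKnownIssuerNames.Self)
            throw new InvalidOperationException("Vault returned a certificate that is not self-signed.");

        return Convert.ToHexString(certificate.Properties.X509Thumbprint);
    }

    public static async Task Main()
    {
        string vault = Environment.GetEnvironmentVariable("KEY_VAULT_URI")
                       ?? throw new InvalidOperationException("Set KEY_VAULT_URI, e.g. https://<vault-name>.vault.azure.net/");
        CertificatePolicy policy = BuildSelfSignedPolicy("CN=dev.example.test", "dev.example.test", 6);
        string thumbprint = await CreateAsync(new Uri(vault), "dev-selfsigned", policy);
        Console.WriteLine($"Self-signed dev certificate created, thumbprint {thumbprint}");
    }
}
```

Running it with the same name again creates a new version of the certificate (and, because ReuseKey is false, a new key pair), so the thumbprint changes and WEBSITE_LOAD_CERTIFICATES has to be updated accordingly.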

Make your self-signed certificate available to your Azure Application

After you have successfully created the certificate, you have to make it available to your Azure App Service application.

  1. Navigate to the Azure App Service in which you want to use the certificate.
  2. In the App Service go to Settings -> TLS/SSL settings, click Private Key Certificates and then Import Key Vault Certificate, and select your vault and the certificate. App Service needs permission to read the certificate (and its private key) from the vault; the portal offers to grant that access during the import if your account is allowed to change the vault's permissions.

Now wait until your Key Vault Certificate status is "Healthy".
Once Azure is done, the certificate is stored with the app but is not yet visible to your code. To load it, add the app setting WEBSITE_LOAD_CERTIFICATES with the comma-separated thumbprints of the certificates you need (or * to load all of them). You can add it in the portal under Configuration -> Application settings, or with the following Azure CLI command (note: this is Azure CLI, not PowerShell):

az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>

Changing app settings restarts the app. On Windows the listed certificates are then loaded into the CurrentUser\My certificate store; on Linux they are written as files to /var/ssl/private/<thumbprint>.p12.

That's it, you can now start using your certificate from your application code.

C# code to use your self-signed certificate

The following C# code sample shows how to look up the self-signed certificate from your application code on a Windows App Service. Note the last argument of Find, validOnly: false. A self-signed certificate fails chain validation, so a search that only returns valid certificates would come back empty.

using System.Security.Cryptography.X509Certificates;
using Serilog;

// App Service loads the certificates listed in WEBSITE_LOAD_CERTIFICATES into the
// personal store of the user the app runs as, so that is where we look.
using X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);

// validOnly must be false: a self-signed certificate does not chain to a trusted
// root, so a validity-checked search would never return it.
X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                        X509FindType.FindByThumbprint,
                                        "<<certificate thumbprint>>",
                                        false);

Log.Information($"number of certs found {certCollection.Count}");
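Put together, as an added example that is not the post's code: the following C# class loads the imported certificate inside the App Service app on either operating system (the CurrentUser\My store on Windows, the /var/ssl/private/<thumbprint>.p12 file App Service writes on Linux), refuses to start with a certificate it cannot actually use, and then presents it as a client certificate for mutual TLS against a test backend. The app-setting name CERT_THUMBPRINT is an assumption of this example, not an App Service convention.

```csharp
// Added example, not code from the original post. Loads the certificate that App Service
// made available through WEBSITE_LOAD_CERTIFICATES, on Windows (CurrentUser\My store)
// and on Linux (/var/ssl/private/<thumbprint>.p12), validates it, and uses it for mTLS.
// The app setting CERT_THUMBPRINT is an assumed name for this example.
using System;
using System.IO;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

public static class AppServiceCertificate
{
    public static X509Certificate2 Load(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("Thumbprint is required", nameof(thumbprint));
        // Thumbprints copied from the portal sometimes contain spaces or lower-case hex.
        thumbprint = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();

        X509Certificate2 cert = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? LoadFromStore(thumbprint)
            : LoadFromFile(thumbprint);
        Validate(cert, thumbprint);
        return cert;
    }

    private static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false is mandatory here: a self-signed certificate never chains
        // to a trusted root, so a validity-filtered search would silently return nothing.
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException(
                $"Certificate {thumbprint} not in CurrentUser\\My; is it listed in WEBSITE_LOAD_CERTIFICATES?");
        return found[0];
    }

    private static X509Certificate2 LoadFromFile(string thumbprint)
    {
        // App Service on Linux writes private-key certificates here as password-less PKCS#12.
        string path = $"/var/ssl/private/{thumbprint}.p12";
        if (!File.Exists(path))
            throw new FileNotFoundException(
                $"{path} missing; is the thumbprint listed in WEBSITE_LOAD_CERTIFICATES?", path);
        return new X509Certificate2(File.ReadAllBytes(path));
    }

    // Fail fast on anything that would otherwise only surface deep inside a TLS handshake.
    private static void Validate(X509Certificate2 cert, string expectedThumbprint)
    {
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Loaded certificate does not match the requested thumbprint.");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; import it under Private Key Certificates.");
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate is outside its validity period ({cert.NotBefore:u} to {cert.NotAfter:u}).");
        // Self-signed means issuer == subject. Make that loud so it never reaches production unnoticed.
        if (cert.Subject == cert.Issuer)
            Console.WriteLine($"WARNING: {cert.Subject} is self-signed; development/test use only.");
    }

    // Example use: present the certificate as a client certificate (mutual TLS) to a test backend.
    public static HttpClient CreateMtlsClient(X509Certificate2 cert)
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(cert);
        return new HttpClient(handler);
    }

    public static void Main()
    {
        string thumbprint = Environment.GetEnvironmentVariable("CERT_THUMBPRINT")
                            ?? throw new InvalidOperationException("App setting CERT_THUMBPRINT is not set.");
        using X509Certificate2 cert = Load(thumbprint);
        using HttpClient client = CreateMtlsClient(cert);
        Console.WriteLine($"Loaded {cert.Subject}, expires {cert.NotAfter:u}; mTLS client ready.");
    }
}
```

The backend that receives this client certificate has to be configured to trust exactly this certificate (by thumbprint), because there is no CA it can validate against; that is the same reason the certificate must stay out of production.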
