Adding trust to root certificate store on an App Service

Tyler Stutheit 1 Reputation point
2020-09-24T19:44:02.433+00:00

I have inherited an App Service in Azure, and need to add a trusted root certificate to the App Service’s root certificate store. We have “Client Certificate Mode” set to Required, and the root CA for the client certificate needs to be trusted for the user to access the hosted Web App.

I found several articles online which refer to the approach of adding the .cer certificate to an App Service Environment (ASE) and then creating an application setting (WEBSITE_LOAD_ROOT_CERTIFICATES) on the App Service which should result in the certificate being present in the Cert:\LocalMachine\Root certificate store. Ref: https://learn.microsoft.com/en-us/azure/app-service/environment/certificates

The App Service I inherited does not reside in an ASE, so I performed both of these actions on the App Service itself, and the certificate is not present in Cert:\LocalMachine\Root nor Cert:\CurrentUser\Root. It is, however, present in Cert:\CurrentUser\My certificate store.

When users attempt to access the App Service, the event log records a root certificate error, and we believe that the root CA related to the client’s certificate needs to be added to the Root certificate store on the App Service. We have tried the method above, and we have also attempted to install the certificate using the Kudu PowerShell, but receive access denied messages.

Does anyone have documentation on how to add trust to the root certificate store on an App Service without an App Service Environment?


1 answer

  1. SnehaAgrawal-MSFT 18,366 Reputation points
    2020-09-25T14:02:32.457+00:00

    Thanks for asking the question! If I have understood right, you want to add trust to the root certificate store on an App Service and not an App Service Environment. If so:
    Unfortunately, it is not possible to add root certificates to an App Service. The security implications would be quite bad if that were possible.
    To use a certificate in App Service, the certificate must meet all the following requirements:
    • Signed by a trusted certificate authority
    • Exported as a password-protected PFX file
    • Contains a private key at least 2048 bits long
    • Contains all intermediate certificates in the certificate chain

    SSL is offloaded on the shared Azure front-end which is not accessible. However, if you are not looking to secure a custom domain with an SSL binding you should be able to upload the certificate and use it in code. Please see the following documentation regarding configuring certificates in App Service.
    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate
    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code

    However, what you can do is override the framework code for SSL verification to include your particular cert. Refer to this SO link

    Also, there is a User Voice feedback item created on this which you may upvote. The product group monitors this site for feedback. This is the best way to ensure you are heard, and you may receive a response depending on how much information they can currently share.
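As an added example (not code from the original thread or from Microsoft), this is the "validate in code" route the answer points to: ASP.NET Core middleware that checks the forwarded client certificate against the uploaded root CA using a custom trust store, so the unchangeable machine root store is never consulted. Assumed: the X-ARR-ClientCert header populated by the App Service front end, the root CA present in CurrentUser\My (as the question observed), its thumbprint passed from an app setting, and .NET 5 or later for X509ChainTrustMode.CustomRootTrust.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware. App Service terminates TLS at its front end and forwards the
// client certificate as base64 DER in the X-ARR-ClientCert header (no private key).
// The root CA uploaded to the app (loaded into CurrentUser\My via WEBSITE_LOAD_ROOT_CERTIFICATES)
// is looked up by thumbprint and used as the only trust anchor for chain building.
public static class ClientCertValidation
{
    public static bool IsIssuedByTrustedRoot(X509Certificate2 clientCert, X509Certificate2 rootCa)
    {
        using var chain = new X509Chain();
        // Trust only the configured root; the LocalMachine\Root store is ignored entirely.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(rootCa);
        // A private CA usually has no reachable CRL/OCSP from App Service; tighten if yours does.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(clientCert);
    }

    public static X509Certificate2? LoadRootFromUserStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count > 0 ? found[0] : null;
    }

    // rootThumbprint comes from an app setting (placeholder name: CLIENT_CERT_ROOT_THUMBPRINT).
    public static IApplicationBuilder UseClientCertAgainstCustomRoot(this IApplicationBuilder app, string rootThumbprint)
    {
        return app.Use(async (ctx, next) =>
        {
            var header = ctx.Request.Headers["X-ARR-ClientCert"].ToString();
            var root = LoadRootFromUserStore(rootThumbprint);
            // Fail closed: no forwarded certificate, or no configured root, means no access.
            if (string.IsNullOrEmpty(header) || root is null) { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return; }
            X509Certificate2 clientCert;
            try { clientCert = new X509Certificate2(Convert.FromBase64String(header)); }
            catch (Exception) { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return; } // malformed header
            using (clientCert)
            {
                if (!IsIssuedByTrustedRoot(clientCert, root)) { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return; }
            }
            await next();
        });
    }
}
```

Register it early in the pipeline, e.g. `app.UseClientCertAgainstCustomRoot(builder.Configuration["CLIENT_CERT_ROOT_THUMBPRINT"]!)`, and keep Client Certificate Mode set to Required so the front end always supplies the header.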