Use an SSL certificate in your application code in Azure App Service

This how-to guide shows how to use public or private certificates in your application code. An example use case is an app that accesses an external service that requires certificate authentication.

This approach to using certificates in your code makes use of the SSL functionality in App Service, which requires your app to be in the Basic tier or above. Alternatively, you can include the certificate file in your app repository, but this is not a recommended practice for private certificates.

When you let App Service manage your SSL certificates, you can maintain the certificates and your application code separately and safeguard your sensitive data.

Upload a private certificate

Before uploading a private certificate, make sure it satisfies all the requirements, except that it doesn't need to be configured for Server Authentication.

When you're ready to upload, run the following command in the Cloud Shell.

az webapp config ssl upload --name <app-name> --resource-group <resource-group-name> --certificate-file <path-to-PFX-file> --certificate-password <PFX-password> --query thumbprint

Copy the certificate thumbprint and see Make the certificate accessible.

Upload a public certificate

Public certificates are supported in the .cer format. To upload a public certificate, open the Azure portal and navigate to your app.

In the left navigation of your app, click SSL settings > Public Certificates (.cer) > Upload Public Certificate.

In Name, type a name for the certificate. In CER Certificate file, select your CER file.

Click Upload.

Once the certificate is uploaded, copy the certificate thumbprint and see Make the certificate accessible.

Import an App Service certificate

See Buy and configure an SSL certificate for Azure App Service.

Once the certificate is imported, copy the certificate thumbprint and see Make the certificate accessible.

Make the certificate accessible

To use an uploaded or imported certificate in your app code, make its thumbprint accessible through the WEBSITE_LOAD_CERTIFICATES app setting by running the following command in the Cloud Shell:

az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>

To make all your certificates accessible, set the value to *.

Note

This setting places the specified certificates in the Current User\My store for most pricing tiers, but if your app is running on the Isolated tier (that is, the app runs in an App Service Environment), you may need to check the Local Machine\My store instead.

When finished, click Save.

The configured certificates are now ready to be used by your code.

Load the certificate in code

Once your certificate is accessible, you access it in C# code by the certificate thumbprint. The following code loads a certificate with the thumbprint E661583E8FABEF4C0BEF694CBC41C28FB81CD870.

using System;
using System.Security.Cryptography.X509Certificates;

...
// Open the store that WEBSITE_LOAD_CERTIFICATES populates (Current User\My on most tiers)
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                X509FindType.FindByThumbprint,
                                // Replace below with your certificate's thumbprint
                                "E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
                                // validOnly = false: return the certificate even if its chain
                                // cannot be validated on the App Service host
                                false);
    // Get the first cert with the thumbprint
    if (certCollection.Count > 0)
    {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
    }
    // The using block closes the store even if an exception is thrown
}
...
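The snippet above looks in one store only. The note in Make the certificate accessible says that on the Isolated tier the certificate may land in Local Machine\My instead, and the introduction's use case is calling an external service that requires client-certificate authentication. The following added example (not part of the original page or of Microsoft's own samples) puts those together: it searches both store locations, refuses a certificate that has no private key (which is what you get if only the .cer was uploaded), and attaches the certificate to an outbound HttpClient call. The class and method names are assumptions chosen for this example.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class ClientCertLoader
{
    // Finds a certificate by thumbprint, checking Current User\My first and
    // Local Machine\My second (the Isolated tier / App Service Environment case).
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        // Thumbprints copied from the portal may contain spaces or lowercase hex;
        // the store lookup expects a contiguous hex string.
        string normalized = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();

        foreach (StoreLocation location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using (var store = new X509Store(StoreName.My, location))
            {
                try
                {
                    store.Open(OpenFlags.ReadOnly);
                }
                catch (CryptographicException)
                {
                    // The sandbox may not expose this store location; try the next one.
                    continue;
                }

                // validOnly: false so that a certificate whose chain cannot be built on the
                // App Service host is still returned; the remote service validates it anyway.
                X509Certificate2Collection matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, normalized, validOnly: false);

                if (matches.Count == 0)
                {
                    continue;
                }

                X509Certificate2 cert = matches[0];
                if (!cert.HasPrivateKey)
                {
                    // A public (.cer) upload has no key and cannot authenticate as a client.
                    throw new InvalidOperationException(
                        $"Certificate {normalized} was found in {location}\\My but has no private key; upload the PFX instead.");
                }
                return cert;
            }
        }

        throw new InvalidOperationException(
            $"Certificate {normalized} not found in Current User\\My or Local Machine\\My; check WEBSITE_LOAD_CERTIFICATES.");
    }

    // Presents the certificate as a TLS client certificate on an outbound call.
    public static async Task<string> CallWithClientCertificateAsync(string url, X509Certificate2 cert)
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(cert);

        // HttpClient disposes the handler when it is disposed.
        using (var client = new HttpClient(handler))
        {
            HttpResponseMessage response = await client.GetAsync(url);
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    // Usage from app code (the URL and thumbprint are placeholders):
    //   var cert = ClientCertLoader.FindByThumbprint("<your-certificate-thumbprint>");
    //   string body = await ClientCertLoader.CallWithClientCertificateAsync("https://<external-service>/", cert);
}
```

Failing loudly when the certificate is missing or has no private key is deliberate: a silent fall-through usually surfaces later as an opaque TLS handshake failure against the external service, which is much harder to trace back to the WEBSITE_LOAD_CERTIFICATES setting.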

Load certificate from file

If you need to load a certificate file from your application directory, it's better to upload it using FTPS instead of Git, for example. You should keep sensitive data like a private certificate out of source control.

Even though you're loading the file directly in your .NET code, the library still verifies that the current user profile is loaded. To load the current user profile, set the WEBSITE_LOAD_USER_PROFILE app setting with the following command in the Cloud Shell.

using System;
using System.Security.Cryptography.X509Certificates;

...
// Replace the parameter with "~/<relative-path-to-cert-file>".
string certPath = Server.MapPath("~/certs/mycert.pfx");

// Read the PFX password from an app setting rather than hard-coding it
// (CERT_PFX_PASSWORD is an assumed setting name, not an App Service built-in).
string pfxPassword = Environment.GetEnvironmentVariable("CERT_PFX_PASSWORD");

// Load the certificate and its private key from the file
X509Certificate2 cert = new X509Certificate2(certPath, pfxPassword);
...
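When the certificate comes from a file in the app directory, the file itself is the thing an attacker with write access to the deployment could replace, so it is worth verifying what was loaded before using it. The following added example (not from the original page or from Microsoft's samples) loads the PFX with its password taken from an app setting, pins the loaded certificate to an expected thumbprint, and checks that it carries a private key and has not expired. The app setting names CERT_PFX_PASSWORD and CERT_EXPECTED_THUMBPRINT and the class name are assumptions for this example; App Service exposes app settings to the process as environment variables.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

public static class FileCertLoader
{
    // Loads a PFX from the app directory and checks it against an expected thumbprint.
    // CERT_PFX_PASSWORD and CERT_EXPECTED_THUMBPRINT are assumed app setting names.
    public static X509Certificate2 LoadPfx(string certPath)
    {
        if (!File.Exists(certPath))
        {
            throw new FileNotFoundException("Certificate file not found", certPath);
        }

        string password = Environment.GetEnvironmentVariable("CERT_PFX_PASSWORD");
        if (string.IsNullOrEmpty(password))
        {
            throw new InvalidOperationException("CERT_PFX_PASSWORD app setting is not set.");
        }

        string expected = Environment.GetEnvironmentVariable("CERT_EXPECTED_THUMBPRINT") ?? string.Empty;
        expected = expected.Replace(" ", string.Empty).ToUpperInvariant();

        // The default key storage flags persist the private key under the user profile,
        // which is why WEBSITE_LOAD_USER_PROFILE=1 is required on App Service.
        var cert = new X509Certificate2(certPath, password);

        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException("The PFX does not contain a private key.");
        }

        // Pin the thumbprint so that a swapped or tampered file in the app directory is rejected.
        if (expected.Length > 0 &&
            !string.Equals(cert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Loaded certificate thumbprint {cert.Thumbprint} does not match expected {expected}.");
        }

        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
        {
            throw new InvalidOperationException($"Certificate expired on {cert.NotAfter:u}.");
        }

        return cert;
    }

    // Usage from an ASP.NET handler (path is a placeholder):
    //   X509Certificate2 cert = FileCertLoader.LoadPfx(Server.MapPath("~/certs/mycert.pfx"));
}
```

Keeping the password and the expected thumbprint in app settings rather than in the repository matches the advice above to keep sensitive data out of source control, and the thumbprint pin means a deployment that silently ships a different PFX fails at startup instead of authenticating with the wrong identity.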