Adding a PFX certificate to an Azure WebApp using ARM (not SSL)

Date: 2016-01-20 09:41:16

Tags: azure certificate azure-web-sites

Using the REST management APIs backed by Azure Resource Manager, the following code adds a certificate from Key Vault to ARM.

// Read the PFX (stored as a base64 secret) from Key Vault
var secret = keyvaultClient.GetSecretAsync(vaultUri, options.CertificateName).GetAwaiter().GetResult();

var certUploaded = client.Certificates.CreateOrUpdateCertificateWithHttpMessagesAsync(
    options.ResourceGroupName, options.CertificateName,
    new Certificate {
        PfxBlob = secret.Value,
        Location = app.Body.Location
    }).GetAwaiter().GetResult();

var appSettings = client.Sites.ListSiteAppSettingsWithHttpMessagesAsync(options.ResourceGroupName, options.WebAppName).GetAwaiter().GetResult();
// RemoveEmptyEntries: splitting an empty setting would otherwise yield one empty element
var existing = (appSettings.Body.Properties["WEBSITE_LOAD_CERTIFICATES"] ?? "")
    .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries).ToList();
if (!existing.Contains(certUploaded.Body.Thumbprint))
    existing.Add(certUploaded.Body.Thumbprint);

appSettings.Body.Properties["WEBSITE_LOAD_CERTIFICATES"] = string.Join(",",existing);
appSettings.Body.Properties[$"CN_{options.CertificateName}"] = certUploaded.Body.Thumbprint;

var result = client.Sites.UpdateSiteAppSettingsWithHttpMessagesAsync(options.ResourceGroupName, options.WebAppName, appSettings.Body).GetAwaiter().GetResult();

The problem is that when loading it in the web app with

X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
    X509FindType.FindByThumbprint,
    // Replace below with your cert's thumbprint
    "0CE28C6246317AEB00B88C88934700865C71CBE0",
    false);

Trace.TraceError($"{certCollection.Count}");
Console.WriteLine($"{certCollection.Count}");
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
    X509Certificate2 cert = certCollection[0];
    // Use certificate
    Console.WriteLine(cert.FriendlyName);
}
certStore.Close();

nothing is loaded.

If I upload it through the portal, everything works as expected.

I also noticed that the certificate uploaded in the portal does not exist in ARM; only the certificate added with the code at the beginning of the post exists:

So what do we need to do to provide a certificate to a web app without manually uploading it through the portal?

1 Answer:

Answer 0 (score: 4)

The problem is that the certificate should be added to the resource group of the server farm the web app is hosted in, not the web app's resource group.

Changing the code to deploy to the correct resource group solved all the problems.

For reference, my updated code is here:

var vaultUri = $"https://{options.VaultName}.vault.azure.net";
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(options.VaultAccessToken));

using (var client = new WebSiteManagementClient(
    new TokenCredentials(cred.AccessToken)))
{
    client.SubscriptionId = cred.SubscriptionId;

    var app = client.Sites.GetSite(options.ResourceGroupName, options.WebAppName);
    // The certificate has to live in the resource group of the App Service plan (server farm),
    // which is parsed out of the plan's ARM resource id rather than taken from the web app.
    var serverFarmRG = Regex.Match(app.ServerFarmId, "resourceGroups/(.*?)/").Groups[1];

    var secret = keyvaultClient.GetSecretAsync(vaultUri, options.CertificateName).GetAwaiter().GetResult();

    var certUploaded = client.Certificates.CreateOrUpdateCertificate(
        serverFarmRG.Value, options.CertificateName,
        new Certificate
        {
            PfxBlob = secret.Value,
            Location = app.Location
        });

    var appSettings = client.Sites.ListSiteAppSettings(options.ResourceGroupName, options.WebAppName);
    appSettings.Properties["WEBSITE_LOAD_CERTIFICATES"] = string.Join(",", client.Certificates.GetCertificates(serverFarmRG.Value).Value.Select(k => k.Thumbprint));
    appSettings.Properties[$"CN_{options.CertificateName}"] = certUploaded.Thumbprint;

    var result = client.Sites.UpdateSiteAppSettings(options.ResourceGroupName, options.WebAppName, appSettings);
}
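The two pieces of logic the answer relies on, extracting the plan's resource group from its ARM id and merging the thumbprint into WEBSITE_LOAD_CERTIFICATES, as an added stand-alone Python helper that is not part of the question or the answer and does not call the Azure SDK; the subscription id, resource-group and plan names are constructed placeholders. It also includes a check for the symptom in the question: a thumbprint listed in the setting that was never uploaded to the plan's resource group.

```python
import re
from typing import Iterable, List, Optional

# Matched case-insensitively: ARM ids are not guaranteed to use "resourceGroups" casing.
_RG_SEGMENT = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)
_SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample plan id (subscription and names are placeholders).
SAMPLE_SERVER_FARM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                         "/resourcegroups/plan-rg/providers/Microsoft.Web/serverfarms/my-plan")

def server_farm_resource_group(server_farm_id: str) -> str:
    """Resource group that owns the App Service plan; certificates must be uploaded there."""
    match = _RG_SEGMENT.search(server_farm_id)
    if not match:
        raise ValueError(f"no resourceGroups segment in {server_farm_id!r}")
    return match.group(1)

def normalize_thumbprint(value: str) -> str:
    """Upper-case 40-hex SHA-1 thumbprint; strips spaces, colons and the invisible
    left-to-right marks that the Windows certificate dialog pastes in front of it."""
    cleaned = re.sub(r"[\s:\u200e\u200f]", "", value).upper()
    if not _SHA1_HEX.match(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned

def merge_load_certificates(existing: Optional[str], thumbprint: str) -> str:
    """Add a thumbprint to WEBSITE_LOAD_CERTIFICATES without duplicates; '*' (load all) is kept."""
    if existing and existing.strip() == "*":
        return "*"
    current = [normalize_thumbprint(t) for t in (existing or "").split(",") if t.strip()]
    wanted = normalize_thumbprint(thumbprint)
    if wanted not in current:
        current.append(wanted)
    return ",".join(current)

def missing_certificates(load_setting: str, plan_thumbprints: Iterable[str]) -> List[str]:
    """Thumbprints the setting asks the site to load that were never uploaded to the plan's
    resource group: the state the question describes (Find() returns an empty collection)."""
    if load_setting.strip() == "*":
        return []
    available = {normalize_thumbprint(t) for t in plan_thumbprints}
    listed = [normalize_thumbprint(t) for t in load_setting.split(",") if t.strip()]
    return [t for t in listed if t not in available]
```

Run `missing_certificates` against the output of `client.Certificates.GetCertificates(serverFarmRG)` before deploying; a non-empty result means the site will load nothing for those thumbprints.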