How to dynamically load certificates in azure app services for irdentity server

When you're using app services you have the advantage that a lot of the hosting is being taken care of for you. This has a lot of advantages but also a part of disadvantages. One of the (dis)advantages is that the certificate of your domain is created by Azure itself.

If however you like to use that certificate to sign your identity server (not recommended) or api you need to jump through some hoops.

Step 1:
You need to enable your certificate to be exposed to the app service. Azure's documentation here is spot on ;

In the Azure portal, from the left menu, select App Services > <app-name>.From the left navigation of your app, select TLS/SSL settings, then select Private Key Certificates (.pfx) or Public Key Certificates (.cer).Find the certificate you want to use and copy the thumbprint.Copy the certificate thumbprint

Copy the certificate thumbprint

Step 2:

If you use windows as OS in the app service you can just use the ealrier mentioned documentation. If the certificate expires you adapt the thumbprint and everythings takes over. If you're using linux however you need to mention the key in you config file and thus adapting the settings of your app service and your config file. But there is some trick to load the certificate also in your code.

a couple of remarks before using the example below;

  • The code assumes you expose only 1 fingerprint
  • Note that the signin credential is different for the API than for the identity server (not recommneded for prod)

The first 2 lines in the code example read the file. The double signin credential lines are for the api service and the identity services. Those lines of code should be part of your startup.cs

                var bytes = File.ReadAllBytes("/var/ssl/private/" + Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES") + ".p12");
                var cert = new X509Certificate2(bytes);
           .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
               options.SigningCredential = new X509SigningCredentials(cert);









30 Jul 2022 - Jan

You need to be authorized to react
An error has occurred. This application may no longer respond until reloaded. Reload 🗙