You can upload a pfx certificate into your Azure Web App. After you upload the certificate, if you open the context menu of the imported certificate, you will see that the only available option is Delete. So how can you export the cer file to be used on clients?
There is a specific application setting called WEBSITE_LOAD_CERTIFICATES, which allows the application to load certificates. You can set the value of this setting to:
- * to load all certificates.
- Thumbprint of a specific certificate, to load that certificate.
- Comma-separated list of thumbprints, to load certificates by those thumbprints.
After setting the application to load certificates, you can use either of the following options to export the cer certificate from the uploaded pfx:
- Using PowerShell debug console on Kudu tool for the same app
- Using code in the same web app
Using PowerShell debug console on Kudu
The first step is setting WEBSITE_LOAD_CERTIFICATES to * or to the thumbprint of the specific certificate which you are going to load. To find the thumbprint, go to the Web App in the Azure portal; in the SSL Certificates section, the list of uploaded certificates shows the thumbprint of each certificate.
The next step is opening Kudu. If the address of your web app is https://xxxxxx.azurewebsites.net, then the address of Kudu will be https://xxxxxx.scm.azurewebsites.net. Or, from the web app blade in the Azure portal, you can open Advanced Tools and click on the Go → link.
In Kudu, from the menu, open Debug Console > PowerShell.
To get a list of certificates loaded in current user store:
Get-ChildItem -Path Cert:\currentuser\my
Or to load a specific certificate using the thumbprint:
Get-ChildItem -Path Cert:\currentuser\my\DD604F955DEFF199F51162AA9655341CAF9EB64D
As a result, you see a list of the loaded certificates.
You can then use PowerShell cmdlets to export the certificate:
Get-ChildItem -Path Cert:\currentuser\my |
Select-Object -first 1 |
Export-Certificate -FilePath D:\home\site\wwwroot\user.cer -Force
Then you can go to the specified path and download the cer file.
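The export above takes the first certificate in the store and writes it into wwwroot. As an added example (not part of the original post), the function below exports one certificate by thumbprint, writes it outside the web root, and checks that the exported file holds only the public certificate. The function name and the D:\home\data output path are assumptions; the thumbprint is the sample one used on this page.

```powershell
# Added example. Function name and output path are assumptions, not from the post.
function Export-PublicCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $OutFile = 'D:\home\data\certificate.cer'   # assumed folder outside wwwroot
    )

    # Thumbprints pasted from a UI can carry spaces or invisible characters.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) { throw 'Expected a 40-hex-digit SHA-1 thumbprint.' }

    # App settings are exposed to the site and to Kudu as environment variables.
    $setting = $env:WEBSITE_LOAD_CERTIFICATES
    if ($setting -eq '*') {
        Write-Warning 'WEBSITE_LOAD_CERTIFICATES is *: every uploaded certificate is loaded.'
    }

    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "Certificate $thumb is not in CurrentUser\My (setting value: '$setting')."
    }

    # -Type CERT writes a DER-encoded .cer with the public certificate only.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT -Force | Out-Null

    # Re-read the file and confirm it is the same certificate without a private key.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
    if ($exported.Thumbprint -ne $thumb) { throw 'Exported file does not match the requested thumbprint.' }
    if ($exported.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key.' }

    [pscustomobject]@{
        Subject    = $exported.Subject
        NotAfter   = $exported.NotAfter
        Thumbprint = $exported.Thumbprint
        Path       = $OutFile
    }
}

Export-PublicCertificate -Thumbprint 'DD604F955DEFF199F51162AA9655341CAF9EB64D'
```

Setting WEBSITE_LOAD_CERTIFICATES to the single thumbprint instead of * keeps the other uploaded certificates out of the store that the app and the Kudu console can read.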
Using code in the same web app
As mentioned above, the first step is setting WEBSITE_LOAD_CERTIFICATES to * or to the thumbprint of the specific certificate which you are going to load.
Then you can use X509Certificate2 to load the certificate and, using its Export method, export it in cer format.
For example, for an ASP.NET MVC application, you can have an action like this:
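// Requires: using System.Linq; using System.Security.Cryptography.X509Certificates;
public ActionResult Download()
{
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    try
    {
        var certificates = store.Certificates.Find(X509FindType.FindByThumbprint,
            "DD604F955DEFF199F51162AA9655341CAF9EB64D", false);
        var cer = certificates.Cast<X509Certificate2>().FirstOrDefault();
        if (cer == null) return HttpNotFound(); // certificate was not loaded into the store
        // X509ContentType.Cert exports only the public certificate, so no password is needed
        return File(cer.Export(X509ContentType.Cert),
            "application/octet-stream", "certificate.cer");
    }
    finally { store.Close(); }
}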
Or you can use an aspx file containing this code:
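<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System.Linq" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<script language="c#" runat="server">
    public void Page_Load(object sender, EventArgs e)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Takes the first certificate loaded through WEBSITE_LOAD_CERTIFICATES
            var certificates = store.Certificates;
            var cer = certificates.Cast<X509Certificate2>().FirstOrDefault();
            if (cer == null)
            {
                // No certificate was loaded into the store
                Response.StatusCode = 404;
                return;
            }
            // X509ContentType.Cert exports only the public certificate
            var buffer = cer.Export(X509ContentType.Cert);
            // Set the headers before writing the body
            Response.ContentType = "application/octet-stream";
            Response.AddHeader("Content-Disposition", "attachment;filename=certificate.cer");
            Response.OutputStream.Write(buffer, 0, buffer.Length);
        }
        finally { store.Close(); }
    }
</script>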