Export SSL Certificate from Azure Web App

You can upload a .pfx certificate into your Azure Web App. After you have uploaded the certificate, the context menu of the imported certificate offers only one option: Delete. So how can you export the .cer file (the public certificate) to be used on clients?

There is a specific application setting called WEBSITE_LOAD_CERTIFICATES which makes the uploaded certificates available to the application by loading them into the current user's personal certificate store. You can set the value of this setting to:

  • * to load all certificates.
  • Thumbprint of a specific certificate to load that certificate.
  • Comma-separated list of thumbprints, to load only the certificates with those thumbprints.
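As an added example (not part of the original post), this Az PowerShell snippet sets WEBSITE_LOAD_CERTIFICATES to a single thumbprint rather than *, so the application only sees the certificate it actually needs. The resource group name and web app name are placeholders; the thumbprint is the one used later in this post. The important caveat it handles is that Set-AzWebApp -AppSettings replaces the whole app-settings collection, so the existing settings are read and merged first.

```powershell
# Added example: scope WEBSITE_LOAD_CERTIFICATES to one thumbprint with the Az module.
# Assumed names: resource group 'rg-example', web app 'xxxxxx' (placeholders).
$resourceGroup = 'rg-example'
$webAppName    = 'xxxxxx'
$thumbprint    = 'DD604F955DEFF199F51162AA9655341CAF9EB64D'

# A SHA-1 thumbprint is 40 hex characters. A stray space or an invisible character
# copied along with it is a common reason the certificate never shows up in the store.
if ($thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    throw "Thumbprint '$thumbprint' is not 40 hex characters."
}

# Set-AzWebApp -AppSettings overwrites every app setting, so merge into the current ones.
$app = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName
$settings = @{}
foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings['WEBSITE_LOAD_CERTIFICATES'] = $thumbprint

Set-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName -AppSettings $settings | Out-Null

# Confirm the value landed; the app restarts after a settings change, so allow a moment
# before expecting the certificate in Cert:\CurrentUser\My.
(Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).SiteConfig.AppSettings |
    Where-Object Name -eq 'WEBSITE_LOAD_CERTIFICATES'
```

The equivalent Azure CLI command, az webapp config appsettings set --settings WEBSITE_LOAD_CERTIFICATES=&lt;thumbprint&gt;, merges into the existing settings, so it does not need the read-then-write step shown above.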

After setting the application to load certificates, you can use either of the following options to export a .cer certificate from the uploaded .pfx:

  • Using PowerShell debug console on Kudu tool for the same app
  • Using code in the same web app

Using PowerShell debug console on Kudu

The first step is setting WEBSITE_LOAD_CERTIFICATES to * or to the thumbprint of the specific certificate you are going to load. To find the thumbprint, open the Web App in the Azure portal; in the SSL Certificates section, the list of uploaded certificates shows the thumbprint of each certificate.

The next step is opening Kudu. If the address of your web app is https://xxxxxx.azurewebsites.net, the address of Kudu is https://xxxxxx.scm.azurewebsites.net. Alternatively, from the web app blade in the Azure portal, open Advanced Tools and click the Go → link.

In Kudu, from the menu, open Debug Console > PowerShell.

To get a list of the certificates loaded in the current user's personal store:

Get-ChildItem -Path Cert:\currentuser\my

Or to get a specific certificate using its thumbprint:

Get-ChildItem -Path Cert:\currentuser\my\DD604F955DEFF199F51162AA9655341CAF9EB64D

The result is a list of the loaded certificates with their thumbprints and subjects.

Then you can use the following PowerShell cmdlets to export the certificate:

Get-ChildItem -Path Cert:\currentuser\my | 
    Select-Object -first 1 | 
    Export-Certificate -FilePath D:\home\site\wwwroot\user.cer -Force

Then you can go to the specified path in Kudu and download the .cer file. Note that if WEBSITE_LOAD_CERTIFICATES is set to * and several certificates are loaded, Select-Object -First 1 picks whichever comes first; use the thumbprint path shown above instead to be sure which certificate you export.
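The following is an added example, not code from the original post, of the same Kudu export done by thumbprint with a couple of checks a practitioner would want: it fails clearly when the certificate is not loaded, shows what is about to be exported, and verifies that the file written to disk is the expected certificate and contains no private key. It assumes WEBSITE_LOAD_CERTIFICATES is already set and reuses the thumbprint and output path from the post.

```powershell
# Added example: export the public certificate from the Kudu PowerShell console by thumbprint.
$thumbprint = 'DD604F955DEFF199F51162AA9655341CAF9EB64D'   # thumbprint from the post
$outFile    = 'D:\home\site\wwwroot\user.cer'              # path from the post

$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    # Nothing loaded: WEBSITE_LOAD_CERTIFICATES is missing, lists a different thumbprint,
    # or the app has not restarted since the setting was changed.
    throw "Certificate $thumbprint is not loaded; check WEBSITE_LOAD_CERTIFICATES."
}

# Show what is about to be exported, including whether the store holds the private key.
$cert | Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint

# Export-Certificate writes DER (.cer) by default: the public certificate only, never the key.
Export-Certificate -Cert $cert -FilePath $outFile -Force | Out-Null

# Re-read the file and verify it is the same certificate before handing it to clients.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match thumbprint $thumbprint."
}
if ($exported.HasPrivateKey) {
    throw "Exported file unexpectedly contains a private key."
}
"Exported '$($exported.Subject)' (expires $($exported.NotAfter)) to $outFile"
```

Anything under D:\home\site\wwwroot is served by the site itself, so after downloading user.cer through Kudu, delete it or write it to a non-public folder such as D:\home\data instead.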

Using code in the same web app

As mentioned above, the first step is setting WEBSITE_LOAD_CERTIFICATES to * or to the thumbprint of the specific certificate you are going to load.

Then you can load the certificate from the store as an X509Certificate2 and export it in .cer format with its Export method; X509ContentType.Cert exports only the public certificate, without the private key.

For example, in an ASP.NET MVC application you can have an action like this:

using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web.Mvc;

public ActionResult Download()
{
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    // validOnly: false, otherwise a self-signed or expired certificate is not returned
    var certificates = store.Certificates.Find(X509FindType.FindByThumbprint,
        "DD604F955DEFF199F51162AA9655341CAF9EB64D", false);
    store.Close();
    var cer = certificates.Cast<X509Certificate2>().FirstOrDefault();
    if (cer == null)
        return HttpNotFound("Certificate not loaded; check WEBSITE_LOAD_CERTIFICATES.");
    // X509ContentType.Cert exports the public certificate only (no private key), so no password is needed
    return File(cer.Export(X509ContentType.Cert),
        "application/octet-stream", "certificate.cer");
}

Or you can use an .aspx file with this code:

<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Linq" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<script language="c#" runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // Takes the first loaded certificate; with WEBSITE_LOAD_CERTIFICATES=* this may not be the one
        // you expect, so prefer store.Certificates.Find(X509FindType.FindByThumbprint, "...", false)
        var cer = store.Certificates.Cast<X509Certificate2>().FirstOrDefault();
        store.Close();
        if (cer == null)
        {
            Response.StatusCode = 404;
            Response.End();
        }
        // Public certificate only (DER .cer); no private key is written
        var buffer = cer.Export(X509ContentType.Cert);
        // Set the headers before writing the body, then end the response
        // so the page markup is not appended to the downloaded file
        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AddHeader("Content-Disposition", "attachment;filename=certificate.cer");
        Response.OutputStream.Write(buffer, 0, buffer.Length);
        Response.End();
    }
</script>


About the Author: Reza Aghaei

I’ve been a .NET developer since 2004. During these years, as a developer, technical lead and architect, I’ve helped organizations and development teams in the design and development of different kinds of applications, including LOB applications, Web and Windows application frameworks and RAD tools. As a teacher and mentor, I’ve trained tens of developers in C#, ASP.NET MVC and Windows Forms. As an interviewer I’ve helped organizations assess and hire tens of qualified developers. I really enjoy learning new things, problem solving, knowledge sharing and helping other developers. I'm usually active in .NET related tags on Stack Overflow to answer community questions. I also share technical blog posts on my blog as well as sample code on GitHub.
