2016-01-20 24 views
2

Adding a PFX certificate to an Azure WebApp using ARM (not for SSL). Using the REST management APIs backed by Azure Resource Manager, the following code adds a certificate from Key Vault to ARM:

// Fetch the PFX (stored as a base64 secret) from Key Vault
var secret = keyvaultClient.GetSecretAsync(vaultUri, options.CertificateName).GetAwaiter().GetResult();

// Register the certificate in the web app's resource group
var certUploaded = client.Certificates.CreateOrUpdateCertificateWithHttpMessagesAsync(
    options.ResourceGroupName, options.CertificateName,
    new Certificate {
        PfxBlob = secret.Value,
        Location = app.Body.Location
    }).GetAwaiter().GetResult();

// Add the thumbprint to WEBSITE_LOAD_CERTIFICATES so App Service loads it into the store
var appSettings = client.Sites.ListSiteAppSettingsWithHttpMessagesAsync(options.ResourceGroupName, options.WebAppName).GetAwaiter().GetResult();
var existing = (appSettings.Body.Properties["WEBSITE_LOAD_CERTIFICATES"] ?? "").Split(',').ToList();
if (!existing.Contains(certUploaded.Body.Thumbprint))
    existing.Add(certUploaded.Body.Thumbprint);

appSettings.Body.Properties["WEBSITE_LOAD_CERTIFICATES"] = string.Join(",", existing);
appSettings.Body.Properties[$"CN_{options.CertificateName}"] = certUploaded.Body.Thumbprint;

var result = client.Sites.UpdateSiteAppSettingsWithHttpMessagesAsync(options.ResourceGroupName, options.WebAppName, appSettings.Body).GetAwaiter().GetResult();

The problem is that when I load it in the webapp with

X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
    X509FindType.FindByThumbprint,
    // Replace below with your cert's thumbprint
    "0CE28C6246317AEB00B88C88934700865C71CBE0",
    false);

Trace.TraceError($"{certCollection.Count}");
Console.WriteLine($"{certCollection.Count}");
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
    X509Certificate2 cert = certCollection[0];
    // Use certificate
    Console.WriteLine(cert.FriendlyName);
}
certStore.Close();

it is not loaded.

If I upload it through the portal, everything works as expected.

I also noticed that certificates uploaded through the portal do not exist in ARM; only certificates added via code show up there.

So what do we need to do to provide the webapp with a certificate without manually uploading it through the portal?
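The question's code merges the thumbprint into WEBSITE_LOAD_CERTIFICATES with a plain Split/Contains and then looks the certificate up from CurrentUser\My. As an added example (not code from the original post), the helper below hardens both steps: it normalises thumbprints before comparing (copied thumbprints often carry whitespace or differ in case), de-duplicates existing entries, never silently widens the setting to the "*" wildcard (which makes every certificate uploaded for the app available to it), and on the web-app side checks that the loaded certificate actually carries its private key and has not expired, rather than only reporting a count. Class and method names are my own.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example; helper names (WebAppCertificates, MergeThumbprint, FindByThumbprint)
// are assumptions, not part of the original post or the Azure SDK.
public static class WebAppCertificates
{
    public const string LoadCertificatesSetting = "WEBSITE_LOAD_CERTIFICATES";

    // A thumbprint is a hex SHA-1 digest (40 hex chars). Strip whitespace and the
    // invisible left-to-right mark that some UIs prepend, then upper-case it so
    // "0ce2 8c62..." and "0CE28C62..." compare equal.
    public static string NormalizeThumbprint(string thumbprint)
    {
        if (thumbprint == null) throw new ArgumentNullException(nameof(thumbprint));
        var hex = new string(thumbprint
            .Where(c => !char.IsWhiteSpace(c) && c != '\u200e')
            .ToArray()).ToUpperInvariant();
        if (hex.Length != 40 || !hex.All(Uri.IsHexDigit))
            throw new ArgumentException("Thumbprint must be 40 hex characters", nameof(thumbprint));
        return hex;
    }

    // Returns the new value for WEBSITE_LOAD_CERTIFICATES. Existing entries are kept
    // (trimmed, de-duplicated, compared case-insensitively); an existing "*" is left
    // alone, and the helper never introduces "*" itself.
    public static string MergeThumbprint(string currentValue, string thumbprint)
    {
        var wanted = NormalizeThumbprint(thumbprint);
        var entries = (currentValue ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(e => e.Trim())
            .Where(e => e.Length > 0)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        if (entries.Contains("*"))
            return "*"; // wildcard already loads everything; flag this in review rather than append to it

        if (!entries.Contains(wanted, StringComparer.OrdinalIgnoreCase))
            entries.Add(wanted);
        return string.Join(",", entries);
    }

    // Web-app side lookup. App Service places the certificates listed in
    // WEBSITE_LOAD_CERTIFICATES into CurrentUser\My. validOnly is false so an
    // expired certificate is found and reported instead of yielding zero matches.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        var wanted = NormalizeThumbprint(thumbprint);
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, wanted, false);
            if (matches.Count == 0)
                return null; // not loaded: check the setting value and the resource group the cert was registered in

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    $"Certificate {wanted} was loaded without a private key; upload the PFX, not only the public part.");
            if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
                throw new InvalidOperationException($"Certificate {wanted} expired on {cert.NotAfter:u}.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Usage on the management side would be `settings.Properties[WebAppCertificates.LoadCertificatesSetting] = WebAppCertificates.MergeThumbprint(settings.Properties[WebAppCertificates.LoadCertificatesSetting], uploaded.Thumbprint);`, and inside the web app `WebAppCertificates.FindByThumbprint(thumbprint)`; a null return is the "not loaded" case the question describes, and the two exceptions distinguish a certificate that was loaded but is unusable.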

+0

I recently had a similar problem - see [How to add certificate to Azure RM website with PowerShell](http://stackoverflow.com/questions/34727287/how-to-add-certificate-to-azure-rm-website-with-powershell) (although I'm still working through your code!) –

+0

Did you get that code from somewhere else? The appsettings part 'feels' wrong to me (but I'm not sure how/why - so it may be completely wrong) –

+0

I just pieced them together. Anyway, did you have success with the Azure RM website PowerShell? Then I'll see how they did it –

Answer

2

The problem was that the certificate has to be added to the resource group of the server farm hosting the webapp, not the webapp's own resource group.

Changing the code to deploy to the correct resource group solved all the problems.

FYI, my updated code is here:

using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Management.WebSites;
using Microsoft.Azure.Management.WebSites.Models;
using Microsoft.Rest;

// `options` (vault name, access token, resource group, web app and certificate names)
// and `cred` (ARM access token and subscription id) are supplied by the caller.
var vaultUri = $"https://{options.VaultName}.vault.azure.net";
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(options.VaultAccessToken));

using (var client = new WebSiteManagementClient(
    new TokenCredentials(cred.AccessToken)))
{
    client.SubscriptionId = cred.SubscriptionId;

    // Find the resource group of the server farm (App Service plan) that hosts the web app
    var app = client.Sites.GetSite(options.ResourceGroupName, options.WebAppName);
    var serverFarmRG = Regex.Match(app.ServerFarmId, "resourceGroups/(.*?)/").Groups[1];

    var secret = keyvaultClient.GetSecretAsync(vaultUri, options.CertificateName).GetAwaiter().GetResult();

    // Register the certificate in the server farm's resource group, not the web app's
    var certUploaded = client.Certificates.CreateOrUpdateCertificate(
        serverFarmRG.Value, options.CertificateName,
        new Certificate
        {
            PfxBlob = secret.Value,
            Location = app.Location
        });

    var appSettings = client.Sites.ListSiteAppSettings(options.ResourceGroupName, options.WebAppName);
    appSettings.Properties["WEBSITE_LOAD_CERTIFICATES"] = string.Join(",", client.Certificates.GetCertificates(serverFarmRG.Value).Value.Select(k => k.Thumbprint));
    appSettings.Properties[$"CN_{options.CertificateName}"] = certUploaded.Thumbprint;

    var result = client.Sites.UpdateSiteAppSettings(options.ResourceGroupName, options.WebAppName, appSettings);
}
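The answer pulls the server farm's resource group out of `ServerFarmId` with a case-sensitive regex on `resourceGroups/`. As an added example (not the answer's own code), the parser below walks the ARM resource ID segment by segment instead, matching segment names case-insensitively (ARM treats resource IDs as case-insensitive and different APIs return different casing), and refuses to return a resource group unless the ID really names a `Microsoft.Web/serverfarms` resource, so a certificate is not registered against some unrelated resource group by accident. The class name and the constructed sample ID in the comment are my own.

```csharp
using System;

// Added example; ArmResourceId and ServerFarmResourceGroup are assumed names,
// not types from the Azure SDK.
public sealed class ArmResourceId
{
    public string SubscriptionId { get; private set; }
    public string ResourceGroup { get; private set; }
    public string ProviderNamespace { get; private set; }
    public string ResourceType { get; private set; }
    public string Name { get; private set; }

    // Parses IDs shaped like
    //   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<plan>
    // (constructed shape; nested types such as .../sites/<site>/slots/<slot> are handled
    // by taking the last <type>/<name> pair as the resource itself).
    public static ArmResourceId Parse(string resourceId)
    {
        if (string.IsNullOrWhiteSpace(resourceId))
            throw new ArgumentException("Resource ID is empty", nameof(resourceId));

        var segments = resourceId.Trim().Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        var result = new ArmResourceId();

        int providersIndex = Array.FindIndex(segments,
            s => s.Equals("providers", StringComparison.OrdinalIgnoreCase));
        int scopeEnd = providersIndex < 0 ? segments.Length : providersIndex;

        // Scope part: alternating <key>/<value> pairs up to "providers"
        for (int i = 0; i + 1 < scopeEnd; i += 2)
        {
            if (segments[i].Equals("subscriptions", StringComparison.OrdinalIgnoreCase))
                result.SubscriptionId = segments[i + 1];
            else if (segments[i].Equals("resourceGroups", StringComparison.OrdinalIgnoreCase))
                result.ResourceGroup = segments[i + 1];
        }

        // Provider part: providers/<namespace>/<type>/<name>[/<type>/<name>...]
        if (providersIndex >= 0)
        {
            int remaining = segments.Length - providersIndex - 2;
            if (remaining < 2 || remaining % 2 != 0)
                throw new FormatException("Malformed provider section in resource ID: " + resourceId);
            result.ProviderNamespace = segments[providersIndex + 1];
            result.ResourceType = segments[segments.Length - 2];
            result.Name = segments[segments.Length - 1];
        }

        if (result.ResourceGroup == null)
            throw new FormatException("Resource ID carries no resource group: " + resourceId);
        return result;
    }

    // Returns the resource group of a server farm ID, or throws if the ID is not a
    // Microsoft.Web/serverfarms resource. Use the result as the resource group for
    // CreateOrUpdateCertificate, as the answer does.
    public static string ServerFarmResourceGroup(string serverFarmId)
    {
        var id = Parse(serverFarmId);
        bool isServerFarm =
            "Microsoft.Web".Equals(id.ProviderNamespace, StringComparison.OrdinalIgnoreCase) &&
            "serverfarms".Equals(id.ResourceType, StringComparison.OrdinalIgnoreCase);
        if (!isServerFarm)
            throw new InvalidOperationException(
                $"Expected a Microsoft.Web/serverfarms ID but got {id.ProviderNamespace}/{id.ResourceType}: {serverFarmId}");
        return id.ResourceGroup;
    }
}
```

In the answer's flow this replaces the `Regex.Match(...)` line with `var serverFarmRG = ArmResourceId.ServerFarmResourceGroup(app.ServerFarmId);`; the type check matters because a typo or an API change that hands back a different ID would otherwise still match the regex and place the PFX, private key included, in whatever resource group that ID happened to name.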