When we create a Blazor WebAssembly project with Default Authentication, it is configured with IdentityServer4 (IS4). If we upload our newly created project to production (Azure App Service, in my case), we will encounter the error:
HTTP ERROR 500.30 – ANCM IN-PROCESS START FAILURE
Which doesn't tell us much on its own. We can see the details of the error in the Azure console, where we find the real message:
“Key type was not specified”
This means that we have not defined the mechanism IS4 will use to sign tokens and validate them. Locally, in development, we use the value Development for the key type, which causes temporary signing credentials to be created in memory. The problem is that, since these credentials live only in memory, they can be recycled at any time, which would invalidate every token issued so far. This is unacceptable in production.
The solution for this is to use another mechanism, like a certificate, for production environments.
Origin of the Problem
In the development environment, we use the value “Development” for the type of the key. We can see this in the appsettings.development.json:
However, if we go to the appsettings.json file (the one used in production), this value is not defined at all. In total, there are 3 type values available:
- Development: for development only (temporary in-memory credentials).
- File: if we want to use a private key certificate (.pfx file) stored on disk.
- Store: if we want to load the private key certificate from the Windows certificate store.
We will use the Store option, so we will take the certificate from there. What certificate? Well, we can use a self-signed one in this case, since its use will be internal to our app.
Generating a Self-Signed Certificate
It is straightforward and free to generate a self-signed certificate. In Windows 10 we can do it as follows:
- Open PowerShell as administrator
- Run the following command:
New-SelfSignedCertificate -Subject "CN=NameOfTheCertificate" -CertStoreLocation "cert:\LocalMachine\My"
Now, what we have to do is obtain the private key certificate file to be able to upload it to Azure:
- Press the Windows key
- Type Manage Computer Certificates and press Enter
- Go to Personal (on the left), then Certificates
- Double-click on the certificate you created
- Go to Details
- Press the button “Copy to File …”
- Click Next
- Click on “Yes, export the private key”, then Next
- Click Next
- Select Password and enter a password (write it down, we will need it later)
- In Encryption, select TripleDES-SHA1, then click Next
- Choose where to save the exported certificate, click Next and then Finish
Note: For some reason, I have not been able to successfully upload a certificate that uses SHA256; I always get an error loading it into Azure App Service. I don't know if it's a bug in Azure.
We now have the private key certificate (.pfx) that we will upload to Azure.
Uploading the Certificate to Azure
To upload the newly created certificate we will do the following:
- Go to your Azure App Service
- Go to TLS / SSL settings
- Click on Private Key Certificates (.pfx)
- Click on Upload Certificate
- Select the pfx file you created
- Enter the password we set when exporting the certificate in the previous section
- Click on Upload
We need to give Azure App Service permission to use the newly uploaded certificate. For that:
- Go to Configuration in the menu of your Azure App Service
- Click on New application setting
- In Name, put: WEBSITE_LOAD_CERTIFICATES
- In Value, put the Thumbprint of the certificate you uploaded in the previous section.
- Click Ok, and don’t forget to click Save
Configuring the Project
Finally, we must configure our application to use the certificate. You can do this in the following way:
- In your Server project, go to appsettings.json
- Put the following code inside the IdentityServer section:
Where it says "SUBJECT_NAME", replace it with the Subject Name you chose when generating the certificate (you must keep the CN= prefix).
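As an added illustration (not the post's own snippet), here are the two Key sections side by side, using the option names of the ASP.NET Core ApiAuthorization template and the subject CN=NameOfTheCertificate from the PowerShell step above. Both files are shown in one block with a comment header each; the ASP.NET Core JSON configuration provider tolerates such comments.

```json
// appsettings.Development.json: temporary in-memory signing key, acceptable locally only
{
  "IdentityServer": {
    "Key": {
      "Type": "Development"
    }
  }
}

// appsettings.json (production): load the uploaded certificate from the CurrentUser\My store,
// which is where Azure App Service exposes certificates listed in WEBSITE_LOAD_CERTIFICATES
{
  "IdentityServer": {
    "Key": {
      "Type": "Store",
      "StoreName": "My",
      "StoreLocation": "CurrentUser",
      "Name": "CN=NameOfTheCertificate"
    }
  }
}
```

Because the production file no longer relies on a Development key, a deployment whose thumbprint is missing from WEBSITE_LOAD_CERTIFICATES fails at startup with a certificate-not-found error rather than silently signing tokens with a throwaway key, which is the safer failure.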
Deploy the app, and voila. The error should have disappeared and your users can register and log in to your app.
If you want to learn more about Blazor, get my Udemy bestseller course today: https://www.udemy.com/course/programming-in-blazor-aspnet-core/?referralCode=8EFA9D9FF38E3065DF0C
If you want to learn more about building Web APIs with ASP.NET Core, buy my course today: https://www.udemy.com/course/building-restful-web-apis-with-aspnet-core/?referralCode=DAFD27F4028D04B62181
- We can use a certificate to correct the problem we experience when publishing a Blazor app with IdentityServer4 to production.
- With a self-signed certificate we have a free solution to this problem.