Blazor: Using a Self-Signed Certificate for IdentityServer4 in Azure App Service

When we create a Blazor WebAssembly project with Default Authentication, it is configured with IdentityServer4 (IS4). If we upload our newly created project to production (Azure App Service, in my case), we will encounter the error:

HTTP ERROR 500.30 – ANCM IN-PROCESS START FAILURE

Which doesn’t tell us much. We can see the detail of the error using the Azure console. In which case we will see that the error is:

“Key type was not specified”

Which means that we have not defined the mechanism which IS4 will use to sign and perform token validations. Locally, in development, we use the Development value for the type value of the key, which causes temporary credentials to be created in memory. The problem with this is that since the credentials are in memory, they could be recycled in the future, which would cause the validity of all the tokens issued so far to be lost. This is unacceptable in production.

The solution for this is to use another mechanism, like a certificate, for production environments.

Origin of the Problem

In the development environment, we use the value “Development” for the type of the key. We can see this in the appsettings.development.json:

"IdentityServer": {
"Key": {
"Type": "Development"
}
}

However, if we go to the appsettings.json file (the one we use in production), we won’t have this defined. In total, there are 3 type values available:

  1. Development: For development.
  2. File: If we want to use a private key certificate (.pfx extension) located on the hard drive
  3. Store: If we want to take the private key certificate in the store

We will use the Store option, so we will take the certificate from there. What certificate? Well, we can use a self-signed one in this case, since its use will be internal to our app.

Generating a Self-Signed Certificate

It is straightforward and free to generate a self-signed certificate. In Windows 10 we can do it as follows:

  1. Open PowerShell as administrator
  2. Run the following command:

New-SelfSignedCertificate -Subject “CN=NameOfTheCertificate” -CertStoreLocation “cert:\LocalMachine\My”

Now, what we have to do is obtain the private key certificate file to be able to upload it to Azure:

  1. Press the windows key
  2. Type Manage Computer Certificates and press Enter
  3. Go to Personal (on the left), then Certificates
  4. Double-click on the certificate you created
  5. Go to Details
  6. Press the button “Copy to File …”
  7. Click Next
  8. Click on “Yes, export the private key”, then Next
  9. Click Next
  10. Click on Password, and enter a password (write down the password, we will need it)
  11. In Encryption, select TripleDESH-SHA1, click Next
  12. Select where you want to export your certificate, next and Finish

Note: For some reason, I have not been able to successfully upload a certificate that uses SHA256, I always get an error loading Azure App Service. I don’t know if it’s a bug in azure.

We already have the private key certificate which we will upload to Azure.

certificado1

Uploading the Certificate to Azure

To upload the newly created certificate we will do the following:

  1. Go to your Azure App Service
  2. Go to TLS / SSL settings
  3. Click on Private Key Certificates (.pfx)
  4. Click on Upload Certificate
  5. Select the pfx file you created
  6. Insert the password that we used in the previous section
  7. Click on Upload
If the upload is successful, you should see the certificate on the screen. If you click on it, you will see its details. We will need two of these fields, the Thumbprint and the Subject Name. Save both, because we will need them.
certificado2

Permissions

We need to give Azure App Service permission to use the newly uploaded certificate. For that:

  1. Go to Configuration in the menu of your Azure App Service
  2. Click on New application setting
  3. In Name, put: WEBSITE_LOAD_CERTIFICATES
  4. In Value, put the Thumbprint that you copied from the previous section.
  5. Click Ok, and don’t forget to click Save

Configuring the Project

Finally, we must configure our application to use the certificate. You can do this in the following way:

  1. In your Server project, go to appsettings.json
  2. Put the following code inside the IdentityServer section:

"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=SUBJECT_NAME"
}
view raw appsettings.json hosted with ❤ by GitHub

Where it says “SUBJECT_NAME” you must change it to the Subject Name that you saved earlier (you must keep the CN=).

Make a deployment of the app, and voila. Your error must have disappeared and your users can register and log in to your app.

Courses

If you want to learn more about Blazor, get my Udemy bestseller course today: https://www.udemy.com/course/programming-in-blazor-aspnet-core/?referralCode=8EFA9D9FF38E3065DF0C

If you want to learn more about building Web APIs with ASP.NET Core, buy my course today: https://www.udemy.com/course/building-restful-web-apis-with-aspnet-core/?referralCode=DAFD27F4028D04B62181

Conclusion

  • We can use a certificate to correct the problem we experience when publishing a Blazor app with IdentityServer4 in production
  • With a self-signed certificate we have a free solution to this problem.

Regards!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s