
Loading a TLS certificate uploaded to the Azure portal into a Linux app service container

For some time we’ve had an ASP.NET Core web app running on an Azure App Service. As part of upgrading to netcoreapp2.2 we’ve decided to Dockerize it and run it on a Linux container, still in an app service.

One thing this app does is load in a TLS certificate for token signing. Previously this certificate was uploaded to the app service and the application would find it by thumbprint in a new X509Store(StoreName.My, StoreLocation.CurrentUser). This could be enabled by adding a configuration setting WEBSITE_LOAD_CERTIFICATES with value set to the certificate’s thumbprint.

Having tried the same approach with a Linux container we’re finding the certificate doesn’t exist in the certificate store.

I found this issue on GitHub from earlier this year which suggests it’s just not possible on Linux. Is this still the case? If so, does anyone know a work-around which doesn’t involve storing the certificate itself in the image?


Answer

The feature now works on Linux.

Load certificate in Linux apps

The WEBSITE_LOAD_CERTIFICATES app setting makes the specified certificates accessible to your Linux hosted apps (including custom container apps) as files. The files are found under the following directories:

  • Private certificates – /var/ssl/private (.p12 files)
  • Public certificates – /var/ssl/certs (.der files)

The certificate file names are the certificate thumbprints. The following C# code shows how to load a public certificate in a Linux app.

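using System;
using System.Security.Cryptography.X509Certificates;

// Replace <thumbprint> with the certificate's thumbprint; the file name is the thumbprint.
var bytes = System.IO.File.ReadAllBytes("/var/ssl/certs/<thumbprint>.der");
// A .der file holds only the public certificate, so no private key is loaded here.
var cert = new X509Certificate2(bytes);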
User contributions licensed under: CC BY-SA
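The question's case (a certificate with a private key, used for token signing), as an added example that is not part of the original answer: a loader that reads the .p12 from /var/ssl/private on Linux and falls back to the CurrentUser\My store elsewhere, then checks the result before it is used for signing. The class and method names are hypothetical, and it assumes the platform-provided .p12 has no password and that the file name uses the same letter case as the configured thumbprint.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class SigningCertificateLoader   // hypothetical helper name
{
    // Directory the answer above gives for private certificates on Linux.
    private const string LinuxPrivateDir = "/var/ssl/private";

    public static X509Certificate2 Load(string thumbprint)
    {
        // The thumbprint becomes a file name: accept only 40 hex characters
        // so a bad setting can never resolve to a path outside the directory.
        if (thumbprint == null || !Regex.IsMatch(thumbprint, "^[0-9A-Fa-f]{40}$"))
            throw new ArgumentException("Thumbprint must be 40 hex characters.", nameof(thumbprint));

        X509Certificate2 cert;
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
        {
            var path = Path.Combine(LinuxPrivateDir, thumbprint + ".p12");
            // Assumption: the .p12 written by the platform has no password.
            cert = new X509Certificate2(File.ReadAllBytes(path));
        }
        else
        {
            // Windows App Service: the certificate store lookup from the question.
            using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
            {
                store.Open(OpenFlags.ReadOnly);
                var found = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (found.Count == 0)
                    throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");
                cert = found[0];
            }
        }

        // Fail at startup rather than at the first signing operation.
        if (!string.Equals(cert.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Loaded certificate does not match the configured thumbprint.");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key and cannot sign tokens.");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Certificate is outside its validity period.");
        return cert;
    }
}
```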