We are building an ASP.NET application inside a Windows Docker container to be run as an Azure IoTEdge module. The module periodically gets a direct method callback from the cloud with an updated server certificate as a PKCS#12 .pfx file. The PFX file is password protected and contains the certificate chain as well as the private key. The certificate is signed by a new Intermediate CA certificate every year. We need the ASP.NET certificate presented at connection time to include those updated intermediate certificates. Using openssl s_client -host <ip> -port 443 -prexit -showcerts, we only see the device certificate.
After much confusing research, we believe we have narrowed it down to this: the Intermediate CA needs to be in our container's Intermediate CA X509 store. It appears the Current User store is adequate, but Local Machine appears to work as well. Here is the code we are currently using.
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// On Windows the intermediates belong in the Intermediate Certification Authorities
// store; on other platforms fall back to Root.
StoreName storeName = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? StoreName.CertificateAuthority : StoreName.Root;
using (var store = new X509Store(storeName, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);
    // Load every certificate in the password-protected PFX (leaf plus chain).
    X509Certificate2Collection collection = new X509Certificate2Collection();
    collection.Import(currentWebServerCertificateFilename, currentWebServerCertificatePassword, X509KeyStorageFlags.DefaultKeySet);
    foreach (var cert in collection)
    {
        // Skip the server certificate itself and anything already in the store.
        if (cert.Thumbprint == myCert.Thumbprint) { continue; }
        if (store.Certificates.Contains(cert)) { continue; }
        store.Add(cert);
    }
}
When we push this container image out, we see the following in the logs:
Unhandled exception. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
at Internal.Cryptography.Pal.StorePal.Add(ICertificatePal certificate)
at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
at Daikin.SystemManager.WebService.Program.addIntermediateCertificateToStore(X509Certificate2 myCert) in C:\src\DaikinSystemManagerWebService\Program.cs:line 134
at Daikin.SystemManager.WebService.Program.getWebServerCertificate() in C:\src\DaikinSystemManagerWebService\Program.cs:line 100
at Daikin.SystemManager.WebService.Program.CreateHostBuilder(String[] args) in C:\src\DaikinSystemManagerWebService\Program.cs:line 38
at Daikin.SystemManager.WebService.Program.Main(String[] args) in C:\src\DaikinSystemManagerWebService\Program.cs:line 26
This question was also asked at StackOverflow 12195361
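The following is an added example, not the original poster's code. It shows one way to do what the post describes: split the PFX into the leaf certificate (the entry that carries the private key) and the CA certificates, install only the non-root CA certificates into the Intermediate CA store, fall back from CurrentUser to LocalMachine when the store is not writable instead of crashing on "Access is denied", and then report the chain that the store now yields, which is the chain SChannel will present to clients. The class and method names, the PFX path and password parameters, and the CurrentUser-then-LocalMachine order are assumptions; it targets a Windows container on .NET Core 3.1 or later (C# 8), and the DisableCertificateDownloads line needs .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; names are assumptions, not from the original post.
public static class ServerCertificateBundle
{
    // Loads the server certificate (with private key) from the PFX, installs every
    // non-root CA certificate found beside it into the Intermediate CA store, and
    // returns the leaf for Kestrel to use.
    public static X509Certificate2 InstallServerCertificateBundle(string pfxPath, string pfxPassword)
    {
        var bundle = new X509Certificate2Collection();
        // SChannel needs a persisted (non-ephemeral) private key for the leaf;
        // the CA certificates carry no key, so the flags do not affect them.
        bundle.Import(pfxPath, pfxPassword,
                      X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);

        var certs = bundle.Cast<X509Certificate2>().ToList();
        X509Certificate2 leaf = certs.Single(c => c.HasPrivateKey);            // exactly one key holder expected
        var intermediates = certs.Where(c => !c.HasPrivateKey && !IsSelfSigned(c)).ToList();

        // Try CurrentUser first; if the container's account is denied there, try LocalMachine.
        StoreLocation? installed = null;
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            try
            {
                AddMissing(intermediates, StoreName.CertificateAuthority, location);
                installed = location;
                break;
            }
            catch (CryptographicException ex)
            {
                Console.Error.WriteLine($"Cannot write {location}\\CA store: {ex.Message}");
            }
        }
        if (installed == null)
            throw new InvalidOperationException("Intermediate CA store is not writable in any location.");

        Console.WriteLine($"Installed {intermediates.Count} intermediate(s) into {installed}\\CA");
        ReportChain(leaf);
        return leaf;
    }

    static void AddMissing(IEnumerable<X509Certificate2> certs, StoreName name, StoreLocation location)
    {
        using var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
        foreach (var cert in certs)
        {
            // Compare by thumbprint rather than object identity.
            var present = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, validOnly: false);
            if (present.Count == 0)
                store.Add(cert);
        }
    }

    // A root is self-issued: subject DN bytes equal issuer DN bytes.
    static bool IsSelfSigned(X509Certificate2 c) =>
        c.SubjectName.RawData.AsSpan().SequenceEqual(c.IssuerName.RawData);

    // Builds the chain from the local stores only. One element means the issuer is
    // missing from the store, which is what "only the device certificate" in
    // openssl s_client -showcerts looks like from inside the container.
    static void ReportChain(X509Certificate2 leaf)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.DisableCertificateDownloads = true;   // .NET 5+: no AIA fetching
        bool ok = chain.Build(leaf);
        Console.WriteLine($"Chain build {(ok ? "succeeded" : "failed")}, {chain.ChainElements.Count} element(s):");
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine($"  {e.Certificate.Subject} [{e.Certificate.Thumbprint}]");
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"  status: {s.Status} {s.StatusInformation}");
    }
}
```

Call `ServerCertificateBundle.InstallServerCertificateBundle(path, password)` from the host builder before Kestrel starts and hand the returned leaf to `listenOptions.UseHttps(leaf)`; a `PartialChain` status in the report means the intermediate from the new PFX still is not in a store SChannel searches.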
Hello @Holt, Robin M,
Have you tried to post this question in the Windows Containers-MSDN forum?
Maybe we get a faster response over there...