I'm trying to create an Azure Function that will call a SOAP API that requires the use of a certificate. I have a .PFX certificate (saved as base64) and the matching password. Both are saved in Azure Key Vault as secrets, and I validated that they're retrieved just fine.
In my Azure Function (.NET Core 3.1), I'm creating a X509Certificate2 object with the following constructor:
certificate = new X509Certificate2(certBytes, pass, X509KeyStorageFlags.MachineKeySet);
The X509KeyStorageFlags used here was suggested by several other answered questions here.
The result of this constructor is always the following error:
The specified network password is not correct.
I've attempted to perform the same action locally, and here the certificate is loaded correctly and I can get info on the issuer, etc.
Other storage flags, like MachineKeySet + PersistKeySet + Exportable did not make a difference, and loading the PFX not as base64 but as a file gives the same error.
Does anyone know why this code behaves differently in an Azure Function compared to running it locally?
Azure Functions don't have a user profile loaded, so there's nowhere to save the private key. Or, for just MachineKeySet, it's probably that you don't have admin rights, so you can't create the private key file... and somehow that error is getting misinterpreted.

You might have luck with the EphemeralKeySet flag, since that says "don't save the key to disk", which should avoid the problem. If that doesn't do it, try EphemeralKeySet | MachineKeySet, which might avoid "there's no profile" and also the lack of permissions (since it never actually tries creating a file).
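Added example (not code from the question or the answer above): a C# loader that applies the two flag combinations the answer suggests, decoding the PFX from the base64 secret the question describes and then attaching the certificate to an HttpClient for the SOAP call. The class and method names, the fallback order and the sanity checks are assumptions of this example, not part of the original post.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper for loading a client certificate inside an Azure Function
// without persisting the private key to a user or machine key store.
public static class ClientCertLoader
{
    public static X509Certificate2 LoadFromBase64(string pfxBase64, string pfxPassword)
    {
        // The Key Vault secret holds the raw PFX bytes as base64; decode, don't write to disk.
        byte[] pfxBytes = Convert.FromBase64String(pfxBase64);

        try
        {
            // First choice: keep the key in memory only. No user profile and no
            // write access to a key container are needed for this to succeed.
            return new X509Certificate2(pfxBytes, pfxPassword, X509KeyStorageFlags.EphemeralKeySet);
        }
        catch (CryptographicException)
        {
            // Fallback from the answer: still ephemeral, but scoped to the machine
            // key set instead of the (absent) user profile. A genuinely wrong
            // password will throw again here, which is the correct outcome.
            return new X509Certificate2(pfxBytes, pfxPassword,
                X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.MachineKeySet);
        }
    }

    public static HttpClient CreateSoapClient(X509Certificate2 clientCert)
    {
        // Fail early and loudly rather than sending an unauthenticated request.
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate loaded without a private key; check the PFX content and password.");

        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(clientCert);
        return new HttpClient(handler);
    }
}

// Usage inside the function, assuming pfxBase64 and pfxPassword were already
// read from Key Vault (the question states that part works):
//   var cert = ClientCertLoader.LoadFromBase64(pfxBase64, pfxPassword);
//   using var http = ClientCertLoader.CreateSoapClient(cert);
//   var response = await http.PostAsync(soapEndpointUrl, soapContent);
```

Two caveats worth knowing before relying on this: EphemeralKeySet is not supported on macOS (the constructor throws PlatformNotSupportedException there), so the same code may behave differently on a developer machine than in the Function host; and on Windows App Service the documented alternative to ephemeral keys is the WEBSITE_LOAD_USER_PROFILE=1 app setting, which gives the worker a user profile so the original MachineKeySet/UserKeySet loading path has somewhere to put the key.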