Tags: azure, .net-8.0, x509certificate2, openiddict, cryptographicexception

OpenIddict Certificates - System.Security.Cryptography.CryptographicException: Bad Data


I have an API Web Application hosted in azure (free tier) using OpenIddict for authorization.

I am in the process of trying to setup OpenIddict in the hosted environment to use 2 self signed certificates for both

AddEncryptionCertificate()
AddSigningCertificate()

But all of my efforts so far have resulted in unpredictable behaviour and various Cryptographic exceptions (Access Denied, KeySet not found).

My current attempt at this involves generating 2 certificate files (.pfx) using SelfCert, and storing them as EmbeddedResources in my API.

I am then setting these as the certificate values for OpenIddict:

// Both overloads read the PFX from the assembly's embedded resources and load it
// with X509KeyStorageFlags.EphemeralKeySet (see below); "Namespace.certificateName"
// is the manifest resource name, "password" the PFX password.
options.AddEncryptionCertificate(typeof(IdentityServiceCollectionExtensions).Assembly, "Namespace.certificateName", "password");
options.AddSigningCertificate(typeof(IdentityServiceCollectionExtensions).Assembly, "Namespace.certificateName", "password");

Which seemingly always results in the following exception:

Unhandled exception. System.Security.Cryptography.CryptographicException: Bad Data.

I am confident the certificates themselves are okay; under the hood these overload methods are setting the storage flag to

X509KeyStorageFlags.EphemeralKeySet

Which I'm confident is the consistent element here and is causing the error to throw. I'm curious if anyone has encountered this before or has insight as to why this error is being thrown?
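To separate a defective PFX from a hosting-environment restriction, the following diagnostic (an added example, not code from the question or from OpenIddict) reproduces outside OpenIddict what the question says the Assembly/resource-name/password overloads do: read the PFX bytes from an embedded resource and construct an X509Certificate2 with X509KeyStorageFlags.EphemeralKeySet. It then repeats the load with the default key set so the two results can be compared on the same host. The resource name "Namespace.certificateName" and the password are placeholders taken from the question; the CERT_PASSWORD environment variable is an assumption of this example.

```csharp
// Added diagnostic example; not from the original post or from OpenIddict.
// Loads an embedded PFX the way the question describes the OpenIddict
// overloads doing it (EphemeralKeySet), then with DefaultKeySet, and reports
// which CryptographicException, if any, each attempt raises.
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertificateLoadCheck
{
    // Reads the embedded resource into memory. MSBuild emits resource names
    // as "<RootNamespace>.<folder>.<file>", which is what must be passed here.
    public static byte[] ReadEmbeddedPfx(Assembly assembly, string resourceName)
    {
        using Stream? stream = assembly.GetManifestResourceStream(resourceName);
        if (stream is null)
        {
            // Listing the available names catches the most common mistake:
            // a resource name that does not match the build output.
            throw new FileNotFoundException(
                $"Embedded resource '{resourceName}' not found. Available: " +
                string.Join(", ", assembly.GetManifestResourceNames()));
        }
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);
        return buffer.ToArray();
    }

    // Attempts the load with the given storage flags. Returns true only when
    // the certificate loaded AND carries a usable private key, which is what
    // token signing and decryption need.
    public static bool TryLoad(byte[] pfx, string password, X509KeyStorageFlags flags, out string report)
    {
        try
        {
            using var certificate = new X509Certificate2(pfx, password, flags);
            report = $"{flags}: loaded {certificate.Subject}, " +
                     $"HasPrivateKey={certificate.HasPrivateKey}, " +
                     $"NotAfter={certificate.NotAfter:u}";
            return certificate.HasPrivateKey;
        }
        catch (CryptographicException ex)
        {
            // "Bad Data", "Access denied" and "Keyset does not exist" all
            // surface here; the message tells them apart.
            report = $"{flags}: CryptographicException: {ex.Message}";
            return false;
        }
    }

    public static void Main()
    {
        var assembly = Assembly.GetExecutingAssembly();
        byte[] pfx = ReadEmbeddedPfx(assembly, "Namespace.certificateName"); // placeholder name
        // Placeholder: read the PFX password from the environment rather than source.
        string password = Environment.GetEnvironmentVariable("CERT_PASSWORD") ?? "password";

        // EphemeralKeySet is what the question says the OpenIddict overloads use;
        // DefaultKeySet persists the key into the user's key store instead.
        foreach (var flags in new[] { X509KeyStorageFlags.EphemeralKeySet, X509KeyStorageFlags.DefaultKeySet })
        {
            TryLoad(pfx, password, flags, out string report);
            Console.WriteLine(report);
        }
    }
}
```

Run it once locally and once on the App Service instance (for example from a small console project deployed alongside the API, or a throwaway endpoint that returns the two report strings). If both flag combinations succeed locally and EphemeralKeySet alone fails on the host, the PFX and resource name are sound and the difference lies in the hosting tier, which is the conclusion the accepted answer below reaches.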


Solution

  • After a lot of research and testing, I've come to the conclusion that this is a property of the Azure shared tier (F1) and its hostile nature.

    I had some left over credit from my trial period so I switched my app service to the basic plan, and this started working without issue.

    I'm going to explore other hosting options as the Azure B1 tier is incredibly expensive for my use case, but leaving this here for anyone's future reference.

    Reference to my findings here