In this post, I will explain how you can load a certificate through code in Azure App Service for a Linux container. The steps to use a certificate in Azure App Service are already described in Microsoft documentation. However, I found a couple of gaps in the documentation specifically for Linux. Hence, I decided to write this post.
To follow along, you need an App Service for Linux hosted on Azure.
Why you need a certificate
There are various reasons you may need to access a certificate in your code, such as encryption/decryption, authentication and authorization. For example, RavenDB requires a private client certificate to allow access to the data store.
Step 1: Upload your certificate
You can upload the certificate in different ways, such as directly through the portal, Azure CLI or CI/CD pipeline.
Tip: The certificate, its thumbprint and the passphrase for a private certificate are sensitive information. DO NOT store them in your source control.
Step 2: Make your certificate accessible
To access your certificate through code, you need to make it accessible by creating an app setting.
WEBSITE_LOAD_CERTIFICATES should be set to comma-separated values of certificate thumbprints.
WEBSITE_LOAD_CERTIFICATES is a magic app setting that makes your certificates accessible to your application. For a Linux container, it keeps the private certificates at the location
/var/ssl/private and public certificates at
You can view the certificates by logging into
Note: Azure App Service accepts certificates in .pfx and .cer formats only. It then exposes them as .p12 and .der formats respectively.
For a Windows container, Azure App Service automatically exposes the certificate paths through environment variables such as
WEBSITE_PUBLIC_CERTS_PATH. Unfortunately, you either need to set the environment variables manually or hard code the certificate path in your code for a Linux container.
Step 3: Accessing the certificate in C# code
Finally, you can access the certificate in your C# code as shown below:
Note: To load a private certificate (p12), you do not need to supply a passphrase/password. I found this out the hard way, since the code snippet to load a private certificate was missing in the Microsoft documentation. I have raised a PR to fix this. At the time of writing, the PR is still in review.
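An added example (not the original post's snippet or Microsoft's code) that loads a private certificate from /var/ssl/private without a password and validates it before use. It assumes the file is named `<thumbprint>.p12`; `CLIENT_CERT_DIR` and `CLIENT_CERT_THUMBPRINT` are hypothetical app settings you create yourself, so the thumbprint stays out of source control.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class AppServiceCertificate
{
    // Location this post gives for private certificates in a Linux container.
    private const string DefaultPrivateDir = "/var/ssl/private";

    public static X509Certificate2 LoadPrivate(string thumbprint)
    {
        // Accept only a 40-character hex (SHA-1) thumbprint so the value
        // cannot introduce path separators or ".." into the file path.
        if (thumbprint is null || !Regex.IsMatch(thumbprint, @"\A[0-9A-Fa-f]{40}\z"))
            throw new ArgumentException("Expected a 40-character hex thumbprint.", nameof(thumbprint));

        // CLIENT_CERT_DIR is a hypothetical setting: Linux containers do not
        // get the certificate path variables automatically.
        string dir = Environment.GetEnvironmentVariable("CLIENT_CERT_DIR");
        if (string.IsNullOrEmpty(dir)) dir = DefaultPrivateDir;

        // Assumption: the file is named <thumbprint>.p12, in the same case
        // as the thumbprint you configured.
        string path = Path.Combine(dir, thumbprint + ".p12");

        // No password argument: the exposed .p12 loads without one.
        // (.NET 9+ marks this constructor obsolete in favour of X509CertificateLoader.)
        var cert = new X509Certificate2(File.ReadAllBytes(path));

        // Fail closed if the file is not the expected, currently valid key pair.
        bool ok = cert.HasPrivateKey
            && string.Equals(cert.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase)
            && DateTime.Now >= cert.NotBefore && DateTime.Now <= cert.NotAfter;
        if (!ok)
        {
            cert.Dispose();
            throw new InvalidOperationException("Loaded certificate failed validation.");
        }
        return cert;
    }

    public static void Main()
    {
        // CLIENT_CERT_THUMBPRINT is a hypothetical app setting holding the thumbprint.
        string thumbprint = Environment.GetEnvironmentVariable("CLIENT_CERT_THUMBPRINT");
        using X509Certificate2 cert = LoadPrivate(thumbprint);
        Console.WriteLine($"Loaded {cert.Subject}, expires {cert.NotAfter:u}");
    }
}
```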