What Root Certificates exist on an Azure App Service, CA Root

As you may already know SSL/TLS is offloaded on the Front Ends (*) and this is where certificate root chains are validated (AFAIK). There is no way for you to access those machines to dump out what CAs are there. The next, or closest thing I can think of is to dump them out via the KUDU PowerShell console. I discuss KUDU here.

After you login to KUDU, open the PowerShell console, as illustrated in Figure 1.

Figure 1, what CAs exist on Azure App Services

Execute this PowerShell cmdlet which dumps out the Certificate Store Names, see Figure 2.

DIR CERT:\LocalMachine | select NAME

Figure 2, what certificates exist on an Azure App Service

Then if I want to look at the Authorized Root Certificates, I execute this PowerShell cmdlet, see Figure 3.

Figure 3, what Authorized Root Certificates exist on an Azure App Service

I would expect the output seen in Figure 3 to be the same as if you were to start CERTMGR -> add the Local Computer store and navigate to Trusted Root Certificate Authorities -> Certificates, as seen in Figure 4.

You cannot add Root Certificates to an App Service. You can add intermediate certificates, see here.

Like I mentioned at the beginning, this is what you would see on the App Service machine that is running your application, it is not the place where you would expect to see your SSL/TLS certificate. Those are installed an configured on the Front End, see here.

Also, you can install public certificates on Azure App Service now. See here “App Service Certificates now supports public certificates (.cer)”.

Not that you only have access to store into CurrentUser\My certificate store which can then be retrieved via code on an Azure App Service like the following:

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

*NOTE: If you are going to do some work with certificates on the Azure platfom, seriously consider Azure Key Vault. Read about that here and here “Get started with Azure Key Vault certificates”.

Check out some of my other security and certificate related posts:

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

The Best C# Programmer In The World - Benjamin Perkins

articles about C# and numerous other technologies