I need to authenticate requests to Azure Cloud Service Web Role using client certificates. How to put the Certification Authority (CA) root certificate in a right trusted store?
I tried to upload it in Management Portal and then defining it in service definition file with AuthRoot store name:
<Certificate name="RootCA" storeLocation="LocalMachine" storeName="AuthRoot" />
What’s really strange is that it works… but only sometimes. It may work after an instance reboot, but may not work after a service update or another instance reboot. It seems like a bug in Azure.
When I say “works” I mean server successfully accepts the client certificate and processes the request.
When I say “doesn’t work” I mean server doesn’t negotiate a connection after certificate checks and “The request was aborted: Could not create SSL/TLS secure channel.” exception is thrown on a client side.
How to make it working stable?
UPD:
Found this record in System Windows Event Log (source is Schannel):
When asking for client authentication, this server sends a list of
trusted certificate authorities to the client. The client uses this
list to choose a client certificate that is trusted by the server.
Currently, this server trusts so many certificate authorities that the
list has grown too long. This list has thus been truncated. The
administrator of this machine should review the certificate
authorities trusted for client authentication and remove those that do
not really need to be trusted.
The exact problem is described here: http://support.microsoft.com/kb/2801679.
After December 2012 Windows update a lot of certificates were added to AuthRoot store. So we have to remove them to solve the problem.
To make it I use PowerShell startup task:
To run it from CMD startup task:
And in ServiceDefinition.csdef: