Hello

TL;DR; I'm looking for assistence using multiple certificates for authentication of webrequests against an external API form the DXC encironemnts. 

I'm working with an external API that requiers multiple certificats for authentication when making requests. (Swish Paymetns)

My code works well in local environemnt, and it works under certain conditions in DXC Integration and PreProduction.

This is an example from the integration guide for the API to test for successfull connection. Users are provided one personal cert as well as the root cert .pem file.

curl -s -S -i --cert <path-to-certificate-file>:<password> --cert-type
p12 --cacert <path-to-rootCA-pem-file> --tlsv1.1 --header "Content-Type:
application/json" <endpoint-url> --data '<json-formatted-data>'

In my application, my first approach was to install the certificats on my local machine, as well as in the Azure Web App Certificate Store. I then used thumbprints to find and load the certificates. This worked well, and I deployed the code to the DXC and verified my integration. But at my next deploy of code, the public certificates had been removed from the Azure Certificate Store! Through Epi Support, I learned that this is intentional from Microsoft when new slots are copied, as is being done in DXC-deployment scripts. So, the certificats would have to be uploaded again after each deploy which is not a long term solution...

Microsoft suggested placing the public parts of the certificates in the file system, and reading them from there. 

I adjusted my code, and for good measure placed both .pfx and .pem fil in the wwwroot, and read the certificates directly from file, ignoring the Azure Certificate Store.

In my local setup, this works well, and when uploading to DXC, it works, BUT only when the public certificates are still in the Azure Certificate Store.... (WHAT!?)

So, even when both certificates are read from file, if they are missing from the Certificate Store, the requests still fails.

I'm looking for input in using client certificates for authenticating requests to an external API in the DXC.

Below is my code to read the certificate from file. This is called twice, once for each certificate. 

       private static X509Certificate2 GetClientCertFromFile(string certName, string password = "")
        {
            byte[] certFile = new byte[0];

            string rootPath = String.Empty;
            try
            {
                rootPath = HttpContext.Current.Server.MapPath("~");
                string certificatePath = $"{rootPath}\\Assets\\Certificates\\{certName}";
                certFile = File.ReadAllBytes(certificatePath);
            }
            catch (Exception e)
            {
                Logger.Error(e.Message, e);
            }

            X509Certificate2 cert = new X509Certificate2();
            if (string.IsNullOrWhiteSpace(password))
            {
                cert.Import(certFile);

            }
            else
            {
                cert.Import(certFile, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
            }
            return cert;
        }

Best regards,

Ludvig