Problem with Client Certificates in DXC for authentication against an external API



TL;DR; I'm looking for assistence using multiple certificates for authentication of webrequests against an external API form the DXC encironemnts. 

I'm working with an external API that requiers multiple certificats for authentication when making requests. (Swish Paymetns)

My code works well in local environemnt, and it works under certain conditions in DXC Integration and PreProduction.

This is an example from the integration guide for the API to test for successfull connection. Users are provided one personal cert as well as the root cert .pem file.

curl -s -S -i --cert <path-to-certificate-file>:<password> --cert-type
p12 --cacert <path-to-rootCA-pem-file> --tlsv1.1 --header "Content-Type:
application/json" <endpoint-url> --data '<json-formatted-data>'

In my application, my first approach was to install the certificats on my local machine, as well as in the Azure Web App Certificate Store. I then used thumbprints to find and load the certificates. This worked well, and I deployed the code to the DXC and verified my integration. But at my next deploy of code, the public certificates had been removed from the Azure Certificate Store! Through Epi Support, I learned that this is intentional from Microsoft when new slots are copied, as is being done in DXC-deployment scripts. So, the certificats would have to be uploaded again after each deploy which is not a long term solution...

Microsoft suggested placing the public parts of the certificates in the file system, and reading them from there. 

I adjusted my code, and for good measure placed both .pfx and .pem fil in the wwwroot, and read the certificates directly from file, ignoring the Azure Certificate Store.

In my local setup, this works well, and when uploading to DXC, it works, BUT only when the public certificates are still in the Azure Certificate Store.... (WHAT!?)

So, even when both certificates are read from file, if they are missing from the Certificate Store, the requests still fails.

I'm looking for input in using client certificates for authenticating requests to an external API in the DXC.

Below is my code to read the certificate from file. This is called twice, once for each certificate. 

       private static X509Certificate2 GetClientCertFromFile(string certName, string password = "")
            byte[] certFile = new byte[0];

            string rootPath = String.Empty;
                rootPath = HttpContext.Current.Server.MapPath("~");
                string certificatePath = $"{rootPath}\\Assets\\Certificates\\{certName}";
                certFile = File.ReadAllBytes(certificatePath);
            catch (Exception e)
                Logger.Error(e.Message, e);

            X509Certificate2 cert = new X509Certificate2();
            if (string.IsNullOrWhiteSpace(password))

                cert.Import(certFile, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
            return cert;

Best regards,


Aug 01, 2019 15:12

Hi Ludvig

Did you ever solve this issue? If so, could you please explain how you solved it.

Thanks in advance


Feb 05, 2020 9:19

Hello Fred! 

Unfortunately I didn't find a "good" solution to this issue. 

The end result was, as for many others, to host this service sepratly on a VM where I have full control over certificate management.

I'm still intreseted in finding a better setup, and if you find a more reasonable solution, I'm very interested in discussing it. 

Best regards,


Feb 05, 2020 10:19

Hi Ludvig

Have you tried storing the certificate in Azure KeyVault?

Feb 05, 2020 12:12
Hi everyone!
Thanks for bringing this to our attention, this definitely seems like something we need to support out of the box. As a first step, if we make sure we are able to persist the public certificates between deployments, I guess it would improve this situation significantly? (Requiring a manual upload by Managed Services once/when it needs to be updated though (until we can provide a better/more "self-service approach" for this))
If that makes sense, let me look into that and get back to you.
Feb 05, 2020 12:36

Hi Anders

That seems like best solution. For us it worked when the certificates where uploaded to public cert store but they were not persisted through deployements as you said.


Feb 05, 2020 12:41

Thanks for confirming that so quickly Fred! I'll make sure we look into this as soon as possible and report back here when we know more.

Feb 05, 2020 12:51

Looks like we've found a solution for making these certificates persistent, unless something unforseen happens we'll ship this within the next couple of weeks. I can confirm here when it's out!

Feb 06, 2020 8:34

We've now added support for persisting public certificates in the DXP deployment flow, so if you ask managed services to upload them to the web app it should hopefully work out of the box now.

Feb 17, 2020 12:32
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.