Friday 27-06-2025 Vol 19

Azure Function Apps and Security Certificates

How to store and use certificates inside Azure Function Apps

Storing and using certificates in Azure Function Apps involves several steps, including uploading the certificate, accessing it within your function, and using it for secure communications or authentication. 

The certificate is stored in a Key Vault. This has two advantages:

  • It is far more secure to store the certificate in a Key Vault than to upload it to the storage associated with the Function App.
  • You can use the certificate lifecycle features of Azure Key Vault: the validity date and automatic alerts when that date approaches.

Below is a step-by-step guide on how to do this.

Step 1: 

Create Certificate

Create a Certificate: If you don’t already have a certificate, you can create one using tools like OpenSSL or use a certificate from a trusted Certificate Authority (CA).

Convert to PFX Format: Azure Functions require certificates to be in PFX format. If your certificate is in another format (like PEM), you can convert it using OpenSSL:

openssl pkcs12 -export -out mycert.pfx -inkey mykey.key -in mycert.crt

Upload Certificate to Azure Key Vault

Go to Azure Portal –> Azure Key Vault –> select an existing key vault (if you don’t have one, create a new key vault) –> select Certificates and then ‘Generate/Import’.

Select the certificate. It should be in .pfx format.

Enter the password and provide a name for this certificate in the Key Vault.

Once the certificate is successfully imported, you should see it in the list with its Thumbprint value.

Upload to Azure Function App

Navigate to your Azure Function App in the Azure Portal.

Under the Settings section, click Certificates.

Click the Bring your own certificates (.pfx) tab, then click Add Certificate.

In the drop-down menu, select ‘Import from Key Vault’. Select your Subscription and Key Vault where you have uploaded your certificate. Select the certificate which you want to use.

You can accept the generated Certificate friendly name or give your own name. Then click Validate.

Once the certificate is validated, click Add. The certificate can be seen in the Bring your own certificates (.pfx) tab. Note down its Thumbprint value.

Step 2:

Access the Certificate in Function App Code

Before you move ahead, make sure the Azure Function App has access to read the certificate from the Key Vault.

To do this, enable the system-assigned identity of the Function App and copy its Object ID.

Go to the Key Vault and open Access Policies. Click Create.

Under the Certificate permissions, add Get, List, Get Certificate Authorities and List Certificate Authorities. Click Next.

In the Principal tab, paste the Function App Object ID copied above and select your function app. Click Next and then Create.

The permission will be visible in the list of Access Policies of the Key Vault.

Once the certificate is uploaded, you must add the certificate thumbprint value to the App Settings of the Function App.

To do this, go to the Function App and click Environment variables. Click the App settings tab.

Add a setting to be used to reference this certificate. In this article we name it “TestPfxThumbprint”, and as its value paste the certificate Thumbprint.

You can now access your certificate inside your Azure Function code. Here’s how to do it using C#:

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public static class TestCertificate
{
    [FunctionName("TestCertificate")]
    public static IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Get the value of the thumbprint from App Settings
        string certThumbprint = Environment.GetEnvironmentVariable("TestPfxThumbprint");
        if (string.IsNullOrEmpty(certThumbprint))
        {
            log.LogError("App setting TestPfxThumbprint is not set.");
            return new NotFoundResult();
        }

        // The store is closed automatically when the using block ends
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // Retrieve the certificate by thumbprint; validOnly = false also returns
        // expired or untrusted (e.g. self-signed) certificates
        var certs = store.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, false);
        if (certs.Count > 0)
        {
            var cert = certs[0];
            // Use the certificate (e.g., for HTTPS client, signing, etc.)
            log.LogInformation("Found certificate {Subject}, valid until {NotAfter}", cert.Subject, cert.NotAfter);
        }
        else
        {
            log.LogError("Certificate not found.");
            return new NotFoundResult();
        }

        return new OkResult();
    }
}
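As an added example (not code from the original article), here is one way to fill in the “Use the certificate” placeholder above: a helper that loads the certificate by thumbprint, checks that it carries a private key and is inside its validity window, and attaches it to an HttpClient as a TLS client certificate. It assumes the same “TestPfxThumbprint” setting and that the platform has already placed the certificate in the CurrentUser\My store (on App Service this is assumed to require the WEBSITE_LOAD_CERTIFICATES app setting to list the thumbprint); the CertificateLoader class and its method names are hypothetical.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging;

// Hypothetical helper class; not part of the original article.
public static class CertificateLoader
{
    // Looks up the certificate in CurrentUser\My and verifies it is usable for client auth.
    public static X509Certificate2 LoadClientCertificate(string thumbprint, ILogger log)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("App setting TestPfxThumbprint is not set.");

        // Thumbprints copied from the portal may contain spaces; normalise before searching.
        var normalized = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false keeps self-signed certificates (as produced with OpenSSL in Step 1)
        // findable; validity is then checked explicitly below instead of via chain trust.
        var certs = store.Certificates.Find(X509FindType.FindByThumbprint, normalized, validOnly: false);
        if (certs.Count == 0)
            throw new InvalidOperationException($"No certificate with thumbprint {normalized} in CurrentUser\\My.");

        var cert = certs[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; it cannot be used for client TLS or signing.");

        var now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException($"Certificate {cert.Subject} is outside its validity window ({cert.NotBefore:u} - {cert.NotAfter:u}).");

        // Surface upcoming expiry in the function logs, complementing the Key Vault alerts.
        if (cert.NotAfter < now.AddDays(30))
            log.LogWarning("Certificate {Subject} expires on {NotAfter}", cert.Subject, cert.NotAfter);

        return cert;
    }

    // Builds an HttpClient that presents the certificate to the remote server (mutual TLS).
    public static HttpClient CreateMutualTlsClient(X509Certificate2 clientCert)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(clientCert);
        return new HttpClient(handler);
    }
}
```

Inside the function, replace the store lookup with `var cert = CertificateLoader.LoadClientCertificate(certThumbprint, log);` and then call `CreateMutualTlsClient(cert)` wherever an authenticated outbound HTTPS call is made.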

Testing:

When you want to test this code locally from Visual Studio, install the certificate on your own machine in the current user’s Personal certificate store (StoreLocation.CurrentUser, StoreName.My), which is where the code above looks.

Kritika Singh
