I am trying to use PushSharp to send a push notification to my app. I have two Apple accounts... one is a regular account, and the other is an Enterprise account. I have a developer certificate on the regular account that works, but both my development and distribution certificates fail to work from the Enterprise account. I get an Authentication Exception..
A call to SSPI failed, see inner exception.
Inner Exception:
[System.ComponentModel.Win32Exception]: {"An unknown error occurred while processing the certificate"}
This occurs in this code of PushSharp (I didn't comment the line out):
try
{
stream.AuthenticateAsClient(this.appleSettings.Host, this.certificates, System.Security.Authentication.SslProtocols.Ssl3, false);
//stream.AuthenticateAsClient(this.appleSettings.Host);
}
catch (System.Security.Authentication.AuthenticationException ex)
{
throw new ConnectionFailureException("SSL Stream Failed to Authenticate as Client", ex);
}
Here is the code from my test project:
public static void SendPingToApple()
{
try
{
var devicetoken = "mytoken";
var appleCert = File.ReadAllBytes(AssemblyPathName + #"\Resources\DistPrivKey1.p12");
var push = new PushBroker();
push.RegisterAppleService(new ApplePushChannelSettings(IsProduction, appleCert, "password"));
push.QueueNotification(new AppleNotification()
.ForDeviceToken(devicetoken.ToUpper())
.WithAlert("Test Notification"));
push.StopAllServices();
}
catch (Exception ex)
{
throw;
}
}
Convert your ssl certificates to pem format using following commands
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
Then run following command to ensure that there is no issue with your certificate or network connection.
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert
YourSSLCertAndPrivateKey.pem -debug -showcerts -CAfile "Entrust.net
Certification Authority (2048).pem"
You should download Entrust certificate and convert it to pem as APNS certificates are signed by Entrust.
Related
I use an OData service with an C# ASP.NET Core 3.1 service inside a docker container from SAP with a customer self-signed certificate.
In the meantime I have tried a thousand things, but the error persists.
System.InvalidOperationException: An error occurred while processing
this request. mdt2oowvsap_1 | --->
System.Data.Services.Client.DataServiceTransportException: The SSL
connection could not be established, see inner exception. The remote
certificate is invalid according to the validation procedure.
Even the unsafe solutions like using HttpClientHandler.ServerCertificateCustomValidationCallback with direct return true did not change anything.
public MyService()
{
:
handler = new HttpClientHandler()
{
Credentials = new NetworkCredential(Username, Password, Domain),
PreAuthenticate = true,
ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
logger.LogDebug($"No SSL policy errors!");
return true; //Is valid
}
logger.LogDebug($"Get certificate hash: {cert.GetCertHashString()}");
// From: https://stackoverflow.com/questions/2675133/c-sharp-ignore-certificate-errors
if (!String.IsNullOrEmpty(certificateHash) && cert.GetCertHashString().Equals(certificateHash))
{
// Get hash string via: openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
// see: https://stackoverflow.com/questions/5164804/get-certificate-fingerprint-of-https-server-from-command-line
logger.LogDebug($"Using certificate hash: {certificateHash}");
return true;
}
return false;
},
UseCookies = true,
CookieContainer = cookieContainer
};
String[] files = Directory.GetFiles("./certs/", "*.*", SearchOption.TopDirectoryOnly);
logger.LogInformation($"Found {files.Length} certificate files");
// see: https://stackoverflow.com/questions/40014047/add-client-certificate-to-net-core-httpclient
foreach (string cfile in files)
{
try
{
logger.LogDebug($"Try adding {cfile} as trusted client certificate...");
handler.ClientCertificates.Add(new X509Certificate2(Path.GetFullPath(cfile)));
}catch(Exception e)
{
logger.LogInformation($"Exception while adding certificate file {cfile} to 'ClientCertificates'");
logger.LogError(e.ToString());
}
}
httpClient = new HttpClient(handler);
:
}
The last attempt was to download the certificate and give it to the HttpClientHandler using ClientCertificates.Add. Without success.
Using curl, passing this certificate file works.
$> curl --location --request GET 'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
:
$> echo -n | openssl s_client -connect customer.de:1234 -servername customer.de | \
openssl x509 > /full/path/to/customer.cert
depth=0 CN = customer.de
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = customer.de
verify return:1
DONE
$>
$> curl --location --cacert '/full/path/to/customer.cert' --request GET \
'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="de" xml:base="https:blablabla.../></app:service>
$> _
Does anyone have another idea?
Solutions viewed (incomplete):
c-sharp-ignore-certificate-errors
add-client-certificate-to-net-core-httpclient
allowing-untrusted-ssl-certificates-with-httpclient
how-do-i-add-a-ca-root-certificate-inside-a-docker-image
the-ssl-connection-could-not-be-established
c-sharp-core-3-1-getting-error-message-the-ssl-connection-could-not-be-establ
the-ssl-connection-could-not-be-established-between-webapp-and-webapi-asp-core
how-to-fix-the-ssl-connection-could-not-be-established-see-inner-exception-w
Thanks in advance.
The solution to the problem was to make the "self-signed" certificate available to the Docker container or the operating system it contains (Ubuntu) and provide it with
cp certs/customer.cert /usr/local/share/ca-certificates/customer.crt &&
update-ca-certificates
Now the communication works over SSL.
I would like to add to Buckaroo Banzai's answer that for others running .NET applications in a docker container, the package update-ca-certificates might not even be installed by default.
Get shell access by executing this command:
sudo docker exec -it containerName /bin/bash
And execute this to update package lists, install and run update-ca-certificates:
apt update && \
apt install -y ca-certificates && \
update-ca-certificates
Now i can communicate with my(and others) web api again from my .NET application running inside the container.
To make this permanent you should add this snippet to your dockerfile for the image used before the ENTRYPOINT.
RUN \
apt update && \
apt install -y ca-certificates && \
update-ca-certificates
Find a great explanation to why this issue occurs and get a better understanding of how Certificate Authority works here:
What is CA certificate, and why do we need it?
question: with minio sdk,I have error:
MinIO API responded with message=Connection error: The SSL connection could not be established, see inner exception.. Status code=0, response=The SSL connection could not be established, see inner exception., content=
my Answer:
I registed self-signed certificate:
Import-Certificate -FilePath “public.crt” -CertStoreLocation 'Cert:\LocalMachine\Root'
system echo:
PSParentPath:Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
E021FFABABAF32318D31BB18867F3BFAB788FFC0 OU=BETVSYS\andy#andy-tp (andy), O=Certgen Development
so problem resolved. don't change any code.
ref link:
1 https://github.com/minio/certgen
2 https://github.com/minio/minio-go/issues/1000#issuecomment-550262204
I wanted to use a self signed certificate to can use gRPC dotnet, but I get this error when I call the service from my client: An HTTP/2 connection could not be established because the server did not complete the HTTP/2 handshake.
I have created the pfx certificate with this script:
#echo off
set path="C:\Program Files\OpenSSL-Win64\bin"
#set OPENSSL_CONF=D:\programas\OpenSSL-Win64\OpenSSL-Win64\bin\openssl.cfg
#CA
echo Generate CA key:
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
echo Generate CA certificate:
openssl req -passin pass:1111 -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=MyRootCA"
#SERVER
echo Generate server key:
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
echo Generate server signing request:
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=%COMPUTERNAME%"
echo Self-sign server certificate:
openssl x509 -req -passin pass:1111 -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
#Se crea el certificado pfx
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
echo Remove passphrase from server key:
#openssl rsa -passin pass:1111 -in server.key -out server.key
#CLIENT
echo Generate client key
openssl genrsa -passout pass:1111 -des3 -out client.key 4096
echo Generate client signing request:
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=%CLIENT-COMPUTERNAME%"
echo Self-sign client certificate:
openssl x509 -passin pass:1111 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
#Se crea el certificado pfx
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt
echo Remove passphrase from client key:
#openssl rsa -passin pass:1111 -in client.key -out client.key
pause
In my service, I use this code:
webBuilder.ConfigureKestrel(options =>
{
options.Listen(IPAddress.Any, 5001, listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http2;
listenOptions.UseHttps("server.pfx", "1111");
//listenOptions.UseHttps("<path to .pfx file>", "<certificate password>");
});
});
webBuilder.UseStartup<Startup>();
webBuilder.UseStartup<Startup>();
});
In my client I have this code:
X509Certificate2 miCertificado = new X509Certificate2("client.pfx", "1111");
HttpClientHandler miHandler = new HttpClientHandler();
miHandler.ClientCertificates.Add(miCertificado);
HttpClient miHttpClient = new HttpClient(miHandler);
GrpcChannelOptions misOpciones = new GrpcChannelOptions() { HttpClient = miHttpClient };
var miChannel = GrpcChannel.ForAddress("http://1.1.1.2:5001");
var miClient = MagicOnionClient.Create<IInterface>(miChannel);
ComponentesDto miDataResultado = await miClient.GetDataAsync();
I don't see how it could be the problem. What am I doing wrong?
Thanks.
This question is almost one and half year, and since that, I have done many tries until I could solve my problem.
I don't remember the exact way how I solved the problem, but I will modify this answer if it is needed according to the comments.
My solution is using .NET 6, that is the last stable verstion actually, but I guess that some parts could be work with .NET 5, but keep in mind that this solution is using .NET 6.
One important part in the handshake is the creation of the certificate, and more when it is self signed certificate. My solution works with .crt files instead of the pfx files that I tried to use in my original question.
About the server certificate, one important thing is that it has to have in the SAN the IP of the server, or the URL of the server. You can set both. If you open your .crt file with the notepad for example, you will see something like that:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
44:C4:BD:F
X509v3 Authority Key Identifier:
keyid:0F:58:2
DirName:/CN=gRPC-CA
serial:22:A3
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:192.168.1.100
Signature Algorithm: sha512WithRSAEncryption
In the last 3 lines, you can see that I have in the SAN (Subject Alternative Name), the IP of the server.
To create the certificates, I used easy rsa 3, that it is a tool that make easier to generate self signed certificates. You can find the tool here: https://github.com/OpenVPN/easy-rsa and you can download the binaries in the release section: https://github.com/OpenVPN/easy-rsa/releases.
The general steps are:
1.- copy the file vars.example in the same folder and call it "vars" (with no exetnsion).
2.- Edit the vars file with the information that you need.
3.- Run EasyRSA-Start.bat to start the shell of easy rsa.
4.- Run easyrsa init-pki to init the evironment. IMPORTANT: only do once, because if not you will delete all the certificates that you could have.
5.- Run easyrsa build-ca to create the CA certificate.
6.- Run easyrsa build-server-full 192.168.1.2 nopass to create the certificate for the server. IMPORTANT: change the IP for the IP of your server.
7.- Run easyrsa build-client-full Cliente01 nopass to create the certificate for the client. IMPORTANT: change the name Cliente01 to the name of your certificate. The name you put here, it will be the common name of the certificate.
All the certificates are created in the subfolder PKI.
I am hosting my service in a ASP application. Using minimal API, in the program.cs file of the ASP project I have to create a X509 certificate in this way:
builder.WebHost.ConfigureKestrel((context, options) =>
{
string miStrCertificado = File.ReadAllText("certificados/server.crt");
string miStrKey = File.ReadAllText("certificados/server.key");
X509Certificate2 miCertficadoX509 = X509Certificate2.CreateFromPem(miStrCertificado, miStrKey);
//it is needed to create a second certificate because if not, you will get an error.
//Here you can find information about the issue: https://github.com/dotnet/runtime/issues/74093
X509Certificate2 miCertificado2 = new X509Certificate2(miCertficadoX509.Export(X509ContentType.Pkcs12));
//For security, delete the first certificate.
miCertficadoX509.Dispose();
options.ListenAnyIP(5001, listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
listenOptions.UseHttps(miCertificado2);
});
});
And this is the client of grpc:
public async Task<List<FacturasDTO>> MymethodAsync()
{
try
{
//Con certificados
string miStrCertificado = System.IO.File.ReadAllText(#"Certificados\Client.crt");
string miStrClave = System.IO.File.ReadAllText(#"Certificados\Client.key");
string miStrCA = System.IO.File.ReadAllText(#"Certificados\ca.crt");
X509Certificate2 cert = X509Certificate2.CreateFromPem(miStrCertificado, miStrClave);
HttpClientHandler miHttpHandler = new HttpClientHandler();
miHttpHandler.ClientCertificates.Add(cert);
miHttpHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
miHttpHandler.ServerCertificateCustomValidationCallback = ServerCertificateCustomValidation;
HttpClient httpClient = new(miHttpHandler);
GrpcChannel channel = GrpcChannel.ForAddress("https://20.30.40.50:5001", new GrpcChannelOptions
{
HttpClient = httpClient
});
var client = channel.CreateGrpcService<IFacturasService>();
var reply = await client.GetFacturasDTOAsync();
return reply.Facturas;
}
catch (RpcException ex)
{
throw;
}
catch (Exception ex)
{
throw;
}
}
/// <summary>
/// This method has to implement the logic that ensure that server certificate is a trust certificate.
/// This is needed because the server certificate is a self signed certificate.
/// </summary>
/// <param name="requestMessage"></param>
/// <param name="paramCertificadoServidor"></param>
/// <param name="chain"></param>
/// <param name="sslErrors"></param>
/// <returns></returns>
private static bool ServerCertificateCustomValidation(HttpRequestMessage requestMessage, X509Certificate2 paramCertificadoServidor, X509Chain chain, SslPolicyErrors sslErrors)
{
return true;
//GetCerHasString devuelve la huella
//if (paramCertificadoServidor.GetCertHashString() == "xxxxxxxxxxxxxxxx")
//{
// return true;
//}
//else
//{
// return sslErrors == SslPolicyErrors.None;
//}
//// It is possible inpect the certificate provided by server
//Console.WriteLine($"Requested URI: {requestMessage.RequestUri}");
//Console.WriteLine($"Effective date: {certificate.GetEffectiveDateString()}");
//Console.WriteLine($"Exp date: {certificate.GetExpirationDateString()}");
//Console.WriteLine($"Issuer: {certificate.Issuer}");
//Console.WriteLine($"Subject: {certificate.Subject}");
//// Based on the custom logic it is possible to decide whether the client considers certificate valid or not
//Console.WriteLine($"Errors: {sslErrors}");
//return sslErrors == SslPolicyErrors.None;
}
Note that the method ServerCertificateCustomValidation() in the client always return true, it is for testing, but you should to implement the logic to ensure the certificate of the server is a trust certificate. I leave some comment code as example how could it be checked, but it is not tested, so I can't ensure it works or if it is the correct way to do. It is just to have some ideas.
I hope this could solve the problem. If not, leave any comment and I will update the solution.
I want to implement a simple HTTP Server / Listener in C# which supports HTTPs with a self signed certificate.
Prerequisites
.NET Framework 4.6.1
Console Application
I am using EmbedIO for the Web Server. I've also tried CeenHttpd and Microsofts HttpListener class.
Creating the private / public key
To create a private / public key which I want to use for my X509 certificate, I run the following command in my machine's Linux Subsystem (Ubuntu):
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout test.key -out test.cert
To convert (or pack it?) into a pfx-File, I run the following command:
openssl pkcs12 -export -out test.pfx -inkey test.key -in test.cert
Application
This is my Console application's code:
using EmbedIO;
using EmbedIO.Actions;
using EmbedIO.Files;
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
namespace EmbedIoTest
{
class Program
{
public static DirectoryInfo GetExecutingDirectory()
{
var location = new Uri(Assembly.GetEntryAssembly().GetName().CodeBase);
return new FileInfo(location.AbsolutePath).Directory;
}
private static WebServer CreateWebServer(string url, int port)
{
var certificate = new X509Certificate2(#"XXX\test.pfx");
var exePath = GetExecutingDirectory();
var server = new WebServer(o => o
.WithMode(HttpListenerMode.EmbedIO)
.WithCertificate(certificate)
.WithAutoRegisterCertificate()
.WithUrlPrefix("https://*:" + port))
// First, we will configure our web server by adding Modules.
.WithStaticFolder("/", exePath.ToString(), true, m =>
{
m.WithDirectoryLister(DirectoryLister.Html).WithoutDefaultDocument().WithContentCaching(false);
})
.WithModule(new ActionModule("/", HttpVerbs.Any, ctx => ctx.SendDataAsync(new { Message = "Error" }))); ;
return server;
}
static void Main(string[] args)
{
var url = "127.0.0.1";
var port = 8080;
if (args.Length > 0)
url = args[0];
using (var server = CreateWebServer(url, port))
{
server.RunAsync();
Console.ReadKey(true);
}
}
}
}
When I run the server as a normal user, I get an error that I need to run the application as administrator to import the certificate.
If I run it as administrator, I get the error:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
If I remove the line "WithAutoRegisterCertificate()" from the WebServer instance, the console applications starts. But when I call the endpoint via CURL or Postman, I get no response.
Postman outputs:
Error: Client network socket disconnected before secure TLS connection was established
Curl outputs:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:8080
Solution
What I need is a simple HTTP Server which supports HTTPS. That's all. But it should run independend of IIS / Apache / nginx etc. Is there a simple way to implement this?
I'm trying to write a simple https mitm proxy, and the problem arises when I handle the request:
public async Task Run(NetworkStream client, NetworkStream host) {
try {
//getting the cert
var certificate = new X509Certificate(#"[PATH_TO_CERT]", "[PASSWORD]");
//creating client's Ssl Stream
var clientStream = new SslStream(client, false);
//there the program freezes
clientStream.AuthenticateAsServer(certificate, false, SslProtocols.Default, false);
//creating server's Ssl Stream
var serverSslStream = new SslStream(host, false, SslValidationCallback, null);
serverSslStream.AuthenticateAsClient("[HOSTNAME]");
//...
} catch (Exception ex) {
Console.WriteLine(ex.Message);
throw;
}
}
After the request from client is sent, the program freezes at this line
clientStream.AuthenticateAsServer(certificate, false, SslProtocols.Default, false);
and it doesn't throw any exceptions. At first I thought that the problem is in the client's stream, so I tried to pass it's TcpClient as a method parameter, but nothing changed.
My self-signed certificate and .pfx file has been created like that:
makecert -n CN=*.[HOSTNAME].com -ic MyCA.cer -iv MyCA.pvk -a sha1 -sky exchange -pe -sr currentuser -ss my SslServer.cer
makecert.exe -pe -n "CN=*.[HOSTNAME].com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv server.pvk server.cer
pvk2pfx -pvk MyCA.pvk -pi [PASSWORD] -spc MyCA.cer -pfx MyPFX.pfx -f
So I thought the problem is in this line
var certificate = new X509Certificate(#"[path to the cert]", "[password]");
I replaced the cer path to the pfx path and I even downloaded the original crt file new X509Certificate(#"[path to the original cert]");, but none of this worked.
I don't know where the problem is, I tried different clients, the result is the same.
My Visual Studio version is 15.7.27703.2018 and .Net is 4.7.1.
Any tips, suggestions or links that could help me?
Turned out that i needed to use it with await.
The final code looks like this:
//getting the cert
var certificate = new X509Certificate2(#"[PATH_TO_CERT]", "[PASSWORD]");
//creating client's Ssl Stream
var clientStream = new SslStream(client, false);
await clientStream.AuthenticateAsServerAsync(certificate, false, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Ssl3, false);
I want to use the Windows Azure Management API to scale my webservice programmatically. First I try to get my Management Certificate.
I created a new self signed cert using the makecert.exe. Its described here.
makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"
Then I uploaded my cert to my azure subscription (this way).
I really see my uploaded certificate in the new and in the previous admin portal.
Now I add the following code to my webservice
private X509Certificate2 GetX509Certificate2()
{
// The thumbprint value of the management certificate.
// You must replace the string with the thumbprint of a
// management certificate associated with your subscription.
string certThumbprint = "mythumprint...";
// Create a reference to the My certificate store.
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
// Try to open the store.
try
{
certStore.Open(OpenFlags.ReadOnly);
}
catch (Exception e)
{
if (e is CryptographicException)
{
Console.WriteLine("Error: The store is unreadable.");
debugTable.persist("Error: The store is unreadable.");
}
else if (e is SecurityException)
{
Console.WriteLine("Error: You don't have the required permission.");
debugTable.persist("Error: You don't have the required permission.");
}
else if (e is ArgumentException)
{
Console.WriteLine("Error: Invalid values in the store.");
debugTable.persist("Error: Invalid values in the store.");
}
else
{
debugTable.persist("Something got wrong with certificate");
return null;
}
}
// Find the certificate that matches the thumbprint.
X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, false);
certStore.Close();
// Check to see if our certificate was added to the collection. If no, throw an error, if yes, create a certificate using it.
if (0 == certCollection.Count)
{
Console.WriteLine("Error: No certificate found containing thumbprint " + certThumbprint);
debugTable.persist("Error: No certificate found containing thumbprint " + certThumbprint);
return null;
}
debugTable.persist("found cert");
// Create an X509Certificate2 object using our matching certificate.
X509Certificate2 certificate = certCollection[0];
return certificate;
}
The debugtable.persists() method writes the debug message into a table storage.
At the end I only find these entries in my table:
"Error: No certificate found containing thumbprint " + certThumbprint
So whats wrong with my code?
So you uploaded your certificate in the portal. This means the certificate can be used to authenticate to the Service Management API.
Now if you want to use this certificate from within a WCF Service / Web Service which is hosted in a Web/Worker Role you'll also need to upload that certificate in the Cloud Service:
Then you'll need to open the settings of your Web/Worker Role and add a new certificate here by specifying the Location, the Store Name and the Thumbprint:
If you redeploy the appliction the certificate will be available and your WCF Service will be able to use it (if the service has sufficient permissions to access it).