
Certificate Problem (Security Related?!?)

I'm trying to enumerate certificates from Azure within a web role (running on the v1.3 Azure SDK Dev Fabric) but no certificates are returned when I use the following code. It's important to note, however, that the code works fine when run from a console program:

using System;
using System.Security.Cryptography.X509Certificates;

public static class CertEnumerator
{
    // Enumerates the personal (My) store of whatever Windows identity
    // the current process runs as.
    private static void EnumCerts()
    {
        var store = new X509Store(
            StoreName.My, StoreLocation.CurrentUser);

        try
        {
            // OpenExistingOnly throws if this identity has no such store yet
            store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);

            foreach (X509Certificate2 cert in store.Certificates)
                Console.WriteLine(cert.Subject);
        }
        finally
        {
            store.Close();
        }
    }
}

My working assumption is that this is due to a security issue. My web role is running with Elevated Trust but I'm guessing that the IIS web instances are not.

In either case I have no idea how to solve the problem, so any help would be greatly appreciated...


Store the X509 certificate in LocalMachine instead of CurrentUser. CurrentUser for an IIS process runs within the context of the IIS user, whom you likely have no access to. Also, you want to make sure that you've imported the certificate on the Azure side into the certificate store properly by remoting in and verifying.


You should remote (RDP) into the role and check the store(s). I honestly don't know where Azure portal uploads certs, but I thought it was CurrentUser (which I think IIS runs under as well).

You can also enumerate the certificates via the Service Management API, which may or may not work for your solution. http://msdn.microsoft.com/en-us/library/ee795178.aspx
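The two answers above both come down to the same question: which store location the certificate landed in, and whether the identity the web role actually runs as can open it. The following diagnostic is an added example, not code from the original post or from the Azure SDK. It opens both CurrentUser\My and LocalMachine\My, looks up a certificate by thumbprint (the thumbprint value in the usage comment is a placeholder), and distinguishes "certificate present" from "private key readable by this identity", which is the distinction that matters once you get past the empty enumeration. `CertStoreProbe` and `DescribePrivateKey` are names chosen here for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

namespace AcsTest.Diagnostics
{
    // Added diagnostic helper (not from the original post). Call it from the
    // web role, e.g. from a test page, so it runs under the IIS identity.
    public static class CertStoreProbe
    {
        // Usage: CertStoreProbe.Probe("0123456789ABCDEF0123456789ABCDEF01234567");
        // (placeholder thumbprint; supply the one shown for your certificate)
        public static void Probe(string thumbprint)
        {
            // The identity matters: CurrentUser means *this* account's store.
            Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

            foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
            {
                var store = new X509Store(StoreName.My, location);
                try
                {
                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

                    // validOnly: false so an expired or untrusted test cert is still found
                    X509Certificate2Collection matches = store.Certificates.Find(
                        X509FindType.FindByThumbprint, thumbprint, false);

                    Console.WriteLine("{0}\\My: {1} certificate(s), {2} match thumbprint",
                        location, store.Certificates.Count, matches.Count);

                    foreach (X509Certificate2 cert in matches)
                        Console.WriteLine("  {0} -> {1}", cert.Subject, DescribePrivateKey(cert));
                }
                catch (CryptographicException ex)
                {
                    // OpenExistingOnly throws when the store does not exist for this identity
                    Console.WriteLine("{0}\\My: cannot open ({1})", location, ex.Message);
                }
                finally
                {
                    store.Close();
                }
            }
        }

        // HasPrivateKey only says a key is associated with the certificate; touching
        // PrivateKey is what fails when the process identity lacks ACL rights on the
        // key container, even though the certificate itself enumerates fine.
        private static string DescribePrivateKey(X509Certificate2 cert)
        {
            if (!cert.HasPrivateKey)
                return "no private key (public certificate only)";
            try
            {
                AsymmetricAlgorithm key = cert.PrivateKey; // forces the key container open
                return key == null ? "private key not loadable" : "private key accessible";
            }
            catch (CryptographicException ex)
            {
                return "private key present but NOT accessible: " + ex.Message;
            }
        }
    }
}
```

Run it once from a console and once from inside the role: if the console shows the certificate under CurrentUser and the role shows zero certificates there, the two processes are simply looking at different users' stores, and moving the certificate to LocalMachine\My (and granting the role's identity read access to the private key) is the fix rather than anything to do with the trust level.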


I ended up solving the problem by embedding the certificate in my service code then reading it from the resource:

using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;

namespace AcsTest.Shared
{
    public static class CertHelper
    {
        // certName must be the fully qualified manifest resource name of the
        // embedded .pfx; password is the one the .pfx was exported with.
        public static X509Certificate2 GetCertFromManifest(
            Assembly assembly, string certName, string password)
        {
            byte[] bytes;

            using (var stream = assembly.GetManifestResourceStream(certName))
            {
                // GetManifestResourceStream returns null (not an exception)
                // when the resource name does not match.
                if (stream == null)
                    throw new ArgumentException(
                        "Embedded resource not found: " + certName, "certName");

                using (var reader = new BinaryReader(stream))
                    bytes = reader.ReadBytes((int)stream.Length);
            }

            // MachineKeySet stores the imported private key under the machine
            // key container rather than the (possibly unloaded) user profile
            // of the IIS process identity.
            return new X509Certificate2(bytes, password,
                X509KeyStorageFlags.MachineKeySet);
        }
    }
}

The key insight was that I'd need to store a password in my service to load the cert from the certificate store so I was gaining no security advantage by keeping it in the store.
