Open Closed

System.Security.Cryptography.CryptographicException: Keyset does not exist issue when api deployed in Azure service #9584

User avatar
0
manas-patnaik_HON created

We have an api hosted in the Azure App service. When we are trying to browse the api, it is throwing System.Security.Cryptography.CryptographicException: Keyset does not exist issue . Below is the detailed about the error.

Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Hon.IFS.SiteHost.SiteHostHttpApiHostModule, Hon.IFS.SiteHost.HttpApi.Host, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist at Hon.IFS.SiteHost.SiteHostHttpApiHostModule.ConfigureServices(ServiceConfigurationContext context) in C:\ProjectName \HttpApiHostModule.cs:line 169 at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)

Below code has been written under ConfigureServices().

// Path to your .pfx file (e.g., placed in the root or wwwroot folder) string certPath = Path.Combine(hostingEnvironment.ContentRootPath, "certs", "openiddict.pfx"); string certPassword = "Admin@12345"; // Read from config/secret manager in prod

if (!File.Exists(certPath)) { throw new FileNotFoundException("Certificate file not found.", certPath); }

var cert = new X509Certificate2( certPath, certPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable );

if (!cert.HasPrivateKey) { throw new InvalidOperationException("Certificate does not have a private key."); }

if (!cert.HasPrivateKey) throw new InvalidOperationException("Certificate does not have a private key.");

var rsa = cert.GetRSAPrivateKey(); if (rsa == null) throw new InvalidOperationException("Certificate private key is inaccessible.");

context.Services.AddOpenIddict() .AddServer(options => { options.SetTokenEndpointUris("/connect/token");

     // Use correct algorithm matching your certificate
     options.AddSigningCertificate(cert);

     options.AllowClientCredentialsFlow();
     options.RegisterScopes(OpenIddictConstants.Scopes.Email,
                            OpenIddictConstants.Scopes.Profile,
                            OpenIddictConstants.Scopes.Roles);
 });
Go to accepted answer
2 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent

    To resolve the "System.Security.Cryptography.CryptographicException: Keyset does not exist" error when deploying an ABP-based API to Azure App Service, you need to ensure that the certificate is loaded in a way compatible with Azure's environment and permissions.

    Solution Steps:

    1. Upload the Certificate to Azure App Service:

      • In the Azure Portal, go to your App Service.
      • Navigate to "TLS/SSL settings" > "Private Key Certificates (.pfx)".
      • Upload your .pfx certificate here.

    2. Configure Azure to Load the Certificate:

      • Set the WEBSITE_LOAD_CERTIFICATES application setting to * (or the thumbprint of your certificate) in the App Service's "Configuration" > "Application settings".

    3. Load the Certificate from the Azure Certificate Store:

      • Instead of loading the certificate from a file, load it from the certificate store as shown below:
      using System.Security.Cryptography.X509Certificates;

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates
    .Find(X509FindType.FindByThumbprint, "<YOUR_CERT_THUMBPRINT>", false);

if (certs.Count == 0)
    throw new Exception("Certificate not found in store.");

var cert = certs[0];
      • Replace <YOUR_CERT_THUMBPRINT> with your certificate's thumbprint.

    4. Use the Certificate in OpenIddict:

      • Pass the loaded certificate to OpenIddict as you did before.
      options.AddSigningCertificate(cert);

    5. Important Notes:

      • Do not use X509KeyStorageFlags.MachineKeySet or file-based loading in Azure App Service, as the app may not have the required permissions.
      • Always ensure the certificate has a private key and is accessible by the App Service process.

    References:

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Try to use X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet; as X509KeyStorageFlags

    And Try to set Load user profile to true.

Assignee
User avatar maliming
Question details
Labels
None yet
Learn More, Pay Less
33% OFF
All Trainings!
Get Your Deal
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.0.0-preview. Updated on September 15, 2025, 14:41