Open Closed

System.Security.Cryptography.CryptographicException: Keyset does not exist issue when api deployed in Azure service #9584


User avatar
0
manas-patnaik_HON created

We have an api hosted in the Azure App service. When we are trying to browse the api, it is throwing System.Security.Cryptography.CryptographicException: Keyset does not exist issue . Below is the detailed about the error.

Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Hon.IFS.SiteHost.SiteHostHttpApiHostModule, Hon.IFS.SiteHost.HttpApi.Host, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist at Hon.IFS.SiteHost.SiteHostHttpApiHostModule.ConfigureServices(ServiceConfigurationContext context) in C:\ProjectName \HttpApiHostModule.cs:line 169 at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)

Below code has been written under ConfigureServices().

// Path to your .pfx file (e.g., placed in the root or wwwroot folder) string certPath = Path.Combine(hostingEnvironment.ContentRootPath, "certs", "openiddict.pfx"); string certPassword = "Admin@12345"; // Read from config/secret manager in prod

if (!File.Exists(certPath)) { throw new FileNotFoundException("Certificate file not found.", certPath); }

var cert = new X509Certificate2( certPath, certPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable );

if (!cert.HasPrivateKey) { throw new InvalidOperationException("Certificate does not have a private key."); }

if (!cert.HasPrivateKey) throw new InvalidOperationException("Certificate does not have a private key.");

var rsa = cert.GetRSAPrivateKey(); if (rsa == null) throw new InvalidOperationException("Certificate private key is inaccessible.");

context.Services.AddOpenIddict() .AddServer(options => { options.SetTokenEndpointUris("/connect/token");

     // Use correct algorithm matching your certificate
     options.AddSigningCertificate(cert);

     options.AllowClientCredentialsFlow();
     options.RegisterScopes(OpenIddictConstants.Scopes.Email,
                            OpenIddictConstants.Scopes.Profile,
                            OpenIddictConstants.Scopes.Roles);
 });

2 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent

    To resolve the "System.Security.Cryptography.CryptographicException: Keyset does not exist" error when deploying an ABP-based API to Azure App Service, you need to ensure that the certificate is loaded in a way compatible with Azure's environment and permissions.

    Solution Steps:

    1. Upload the Certificate to Azure App Service:

      • In the Azure Portal, go to your App Service.
      • Navigate to "TLS/SSL settings" > "Private Key Certificates (.pfx)".
      • Upload your .pfx certificate here.
    2. Configure Azure to Load the Certificate:

      • Set the WEBSITE_LOAD_CERTIFICATES application setting to * (or the thumbprint of your certificate) in the App Service's "Configuration" > "Application settings".
    3. Load the Certificate from the Azure Certificate Store:

      • Instead of loading the certificate from a file, load it from the certificate store as shown below:
      using System.Security.Cryptography.X509Certificates;
      
      var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
      store.Open(OpenFlags.ReadOnly);
      var certs = store.Certificates
          .Find(X509FindType.FindByThumbprint, "<YOUR_CERT_THUMBPRINT>", false);
      
      if (certs.Count == 0)
          throw new Exception("Certificate not found in store.");
      
      var cert = certs[0];
      
      • Replace <YOUR_CERT_THUMBPRINT> with your certificate's thumbprint.
    4. Use the Certificate in OpenIddict:

      • Pass the loaded certificate to OpenIddict as you did before.
      options.AddSigningCertificate(cert);
      
    5. Important Notes:

      • Do not use X509KeyStorageFlags.MachineKeySet or file-based loading in Azure App Service, as the app may not have the required permissions.
      • Always ensure the certificate has a private key and is accessible by the App Service process.

    References:


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Try to use X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet; as X509KeyStorageFlags

    And Try to set Load user profile to true.

Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37