We have an api hosted in the Azure App service. When we are trying to browse the api, it is throwing System.Security.Cryptography.CryptographicException: Keyset does not exist issue . Below is the detailed about the error.
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Hon.IFS.SiteHost.SiteHostHttpApiHostModule, Hon.IFS.SiteHost.HttpApi.Host, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
---> System.Security.Cryptography.CryptographicException: Keyset does not exist
at Hon.IFS.SiteHost.SiteHostHttpApiHostModule.ConfigureServices(ServiceConfigurationContext context) in C:\ProjectName \HttpApiHostModule.cs:line 169
at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
--- End of inner exception stack trace ---
at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action
1 optionsAction)
at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
Below code has been written under ConfigureServices().
// Path to your .pfx file (e.g., placed in the root or wwwroot folder) string certPath = Path.Combine(hostingEnvironment.ContentRootPath, "certs", "openiddict.pfx"); string certPassword = "Admin@12345"; // Read from config/secret manager in prod
if (!File.Exists(certPath)) { throw new FileNotFoundException("Certificate file not found.", certPath); }
var cert = new X509Certificate2( certPath, certPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable );
if (!cert.HasPrivateKey) { throw new InvalidOperationException("Certificate does not have a private key."); }
if (!cert.HasPrivateKey) throw new InvalidOperationException("Certificate does not have a private key.");
var rsa = cert.GetRSAPrivateKey(); if (rsa == null) throw new InvalidOperationException("Certificate private key is inaccessible.");
context.Services.AddOpenIddict() .AddServer(options => { options.SetTokenEndpointUris("/connect/token");
// Use correct algorithm matching your certificate
options.AddSigningCertificate(cert);
options.AllowClientCredentialsFlow();
options.RegisterScopes(OpenIddictConstants.Scopes.Email,
OpenIddictConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
});
2 Answer(s)
-
0
To resolve the "System.Security.Cryptography.CryptographicException: Keyset does not exist" error when deploying an ABP-based API to Azure App Service, you need to ensure that the certificate is loaded in a way compatible with Azure's environment and permissions.
Solution Steps:
Upload the Certificate to Azure App Service:
- In the Azure Portal, go to your App Service.
- Navigate to "TLS/SSL settings" > "Private Key Certificates (.pfx)".
- Upload your
.pfx
certificate here.
Configure Azure to Load the Certificate:
- Set the
WEBSITE_LOAD_CERTIFICATES
application setting to*
(or the thumbprint of your certificate) in the App Service's "Configuration" > "Application settings".
- Set the
Load the Certificate from the Azure Certificate Store:
- Instead of loading the certificate from a file, load it from the certificate store as shown below:
using System.Security.Cryptography.X509Certificates; var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var certs = store.Certificates .Find(X509FindType.FindByThumbprint, "<YOUR_CERT_THUMBPRINT>", false); if (certs.Count == 0) throw new Exception("Certificate not found in store."); var cert = certs[0];
- Replace
<YOUR_CERT_THUMBPRINT>
with your certificate's thumbprint.
Use the Certificate in OpenIddict:
- Pass the loaded certificate to OpenIddict as you did before.
options.AddSigningCertificate(cert);
Important Notes:
- Do not use
X509KeyStorageFlags.MachineKeySet
or file-based loading in Azure App Service, as the app may not have the required permissions. - Always ensure the certificate has a private key and is accessible by the App Service process.
- Do not use
References:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0