Merge pull request #94594 from cephalin/postignite

PMEds28 · web-flow · commit 9c329be0715d · 2019-11-04T16:21:35.000Z
add Linux support
diff --git a/articles/app-service/configure-ssl-certificate-in-code.md b/articles/app-service/configure-ssl-certificate-in-code.md
@@ -1,5 +1,5 @@
 ---
-title: Use SSL certificate in application code - Azure App Service | Microsoft Docs
+title: Use SSL certificate in code - Azure App Service | Microsoft Docs
 description: Learn how to use client certificates to connect to remote resources that require them.
 services: app-service
 documentationcenter: 
@@ -11,18 +11,18 @@ ms.service: app-service
 ms.workload: web
 ms.tgt_pltfrm: na
 ms.topic: article
-ms.date: 10/16/2019
+ms.date: 11/04/2019
 ms.author: cephalin
 ms.reviewer: yutlin
 ms.custom: seodec18
 
 ---
 
-# Use an SSL certificate in your application code in Azure App Service
+# Use an SSL certificate in your code in Azure App Service
 
-Your App Service app code may act as a client and access an external service that requires certificate authentication. This how-to guide shows how to use public or private certificates in your application code.
+In your application code, you can access the [public or private certificates you add to App Service](configure-ssl-certificate.md). Your app code may act as a client and access an external service that requires certificate authentication, or it may need to perform cryptographic tasks. This how-to guide shows how to use public or private certificates in your application code.
 
-This approach to using certificates in your code makes use of the SSL functionality in App Service, which requires your app to be in **Basic** tier or above. Alternatively, you can [include the certificate file in your app repository](#load-certificate-from-file), but it's not a recommended practice for private certificates.
+This approach to using certificates in your code makes use of the SSL functionality in App Service, which requires your app to be in **Basic** tier or above. If your app is in **Free** or **Shared** tier, you can [include the certificate file in your app repository](#load-certificate-from-file).
 
 When you let App Service manage your SSL certificates, you can maintain the certificates and your application code separately and safeguard your sensitive data.
 
@@ -43,25 +43,24 @@ Find the certificate you want to use and copy the thumbprint.
 
 ![Copy the certificate thumbprint](./media/configure-ssl-certificate/create-free-cert-finished.png)
 
-## Load the certificate
+## Make the certificate accessible
 
-To use a certificate in your app code, add its thumbprint to the `WEBSITE_LOAD_CERTIFICATES` app setting, by running the following command in the <a target="_blank" href="https://shell.azure.com" >Cloud Shell</a>:
+To access a certificate in your app code, add its thumbprint to the `WEBSITE_LOAD_CERTIFICATES` app setting, by running the following command in the <a target="_blank" href="https://shell.azure.com" >Cloud Shell</a>:
 
 ```azurecli-interactive
 az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>
 ```
 
 To make all your certificates accessible, set the value to `*`.
 
-> [!NOTE]
-> This setting places the specified certificates in the [Current User\My](/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores) store for most pricing tiers, but in the **Isolated** tier (i.e. app runs in an [App Service Environment](environment/intro.md)), it places the certificates in the [Local Machine\My](/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores) store.
->
+## Load certificate in Windows apps
 
-The configured certificates are now ready to be used by your code.
+The `WEBSITE_LOAD_CERTIFICATES` app setting makes the specified certificates accessible to your Windows hosted app in the Windows certificate store, and the location depends on the [pricing tier](overview-hosting-plans.md):
 
-## Load the certificate in code
+- **Isolated** tier - in [Local Machine\My](/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores). 
+- All other tiers - in [Current User\My](/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores).
 
-Once your certificate is accessible, you access it in C# code by the certificate thumbprint. The following code loads a certificate with the thumbprint `E661583E8FABEF4C0BEF694CBC41C28FB81CD870`.
+In C# code, you access the certificate by the certificate thumbprint. The following code loads a certificate with the thumbprint `E661583E8FABEF4C0BEF694CBC41C28FB81CD870`.
 
 ```csharp
 using System;
@@ -86,31 +85,75 @@ certStore.Close();
 ...
 ```
 
-<a name="file"></a>
-## Load certificate from file
+In Java code, you access the certificate from the "Windows-MY" store using the Subject Common Name field (see [Public key certificate](https://en.wikipedia.org/wiki/Public_key_certificate)). The following code shows how to load a private key certificate:
 
-If you need to load a certificate file from your application directory, it's better to upload it using [FTPS](deploy-ftp.md) instead of [Git](deploy-local-git.md), for example. You should keep sensitive data like a private certificate out of source control.
+```java
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.RequestMapping;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.PrivateKey;
 
-Even though you're loading the file directly in your .NET code, the library still verifies if the current user profile is loaded. To load the current user profile, set the `WEBSITE_LOAD_USER_PROFILE` app setting with the following command in the <a target="_blank" href="https://shell.azure.com" >Cloud Shell</a>.
+...
+KeyStore ks = KeyStore.getInstance("Windows-MY");
+ks.load(null, null); 
+Certificate cert = ks.getCertificate("<subject-cn>");
+PrivateKey privKey = (PrivateKey) ks.getKey("<subject-cn>", ("<password>").toCharArray());
 
-```azurecli-interactive
-az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_USER_PROFILE=1
+// Use the certificate and key
+...
 ```
 
-Once this setting is set, the following C# example loads a certificate called `mycert.pfx` from the `certs` directory of your app's repository.
+For languages that don't support or offer insufficient support for the Windows certificate store, see [Load certificate from file](#load-certificate-from-file).
+
+## Load certificate in Linux apps
+
+The `WEBSITE_LOAD_CERTIFICATES` app settings makes the specified certificates accessible to your Linux hosted apps (including custom container apps) as files. The files are found under the following directories:
+
+- Private certificates - `/var/ssl/private` ( `.p12` files)
+- Public certificates - `/var/ssl/certs` ( `.der` files)
+
+The certificate file names are the certificate thumbprints. The following C# code shows how to load a public certificate in a Linux app.
 
 ```csharp
 using System;
 using System.Security.Cryptography.X509Certificates;
 
 ...
-// Replace the parameter with "~/<relative-path-to-cert-file>".
-string certPath = Server.MapPath("~/certs/mycert.pfx");
+var bytes = System.IO.File.ReadAllBytes("/var/ssl/certs/<thumbprint>.der");
+var cert = new X509Certificate2(bytes);
+
+// Use the loaded certificate
+```
+
+To see how to load an SSL certificate from a file in Node.js, PHP, Python, Java, or Ruby, see the documentation for the respective language or web platform.
+
+## Load certificate from file
+
+If you need to load a certificate file that you upload manually, it's better to upload the certificate using [FTPS](deploy-ftp.md) instead of [Git](deploy-local-git.md), for example. You should keep sensitive data like a private certificate out of source control.
+
+> [!NOTE]
+> ASP.NET and ASP.NET Core on Windows must access the certificate store even if you load a certificate from a file. To load a certificate file in a Windows .NET app, load the current user profile with the following command in the <a target="_blank" href="https://shell.azure.com" >Cloud Shell</a>:
+>
+> ```azurecli-interactive
+> az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_USER_PROFILE=1
+> ```
+
+The following C# example loads a public certificate from a relative path in your app:
+
+```csharp
+using System;
+using System.Security.Cryptography.X509Certificates;
 
-X509Certificate2 cert = GetCertificate(certPath, signatureBlob.Thumbprint);
 ...
+var bytes = System.IO.File.ReadAllBytes("~/<relative-path-to-cert-file>");
+var cert = new X509Certificate2(bytes);
+
+// Use the loaded certificate
 ```
 
+To see how to load an SSL certificate from a file in Node.js, PHP, Python, Java, or Ruby, see the documentation for the respective language or web platform.
+
 ## More resources
 
 * [Secure a custom DNS name with an SSL binding](configure-ssl-bindings.md)
diff --git a/articles/app-service/configure-ssl-certificate.md b/articles/app-service/configure-ssl-certificate.md
@@ -60,6 +60,7 @@ To secure a custom domain in an SSL binding, the certificate has additional requ
 
 The free App Service Managed Certificate is a turn-key solution for securing your custom DNS name in App Service. It's a fully functional SSL certificate that's managed by App Service and renewed automatically. The free certificate comes with the following limitations:
 
+- Does not support wildcard certificates.
 - Does not support naked domains.
 - Is not exportable.
 
@@ -276,7 +277,7 @@ Click **Upload**.
 
 ![Upload public certificate in App Service](./media/configure-ssl-certificate/upload-public-cert.png)
 
-Once the certificate is uploaded, copy the certificate thumbprint and see [Make the certificate accessible](configure-ssl-certificate-in-code.md#load-the-certificate).
+Once the certificate is uploaded, copy the certificate thumbprint and see [Make the certificate accessible](configure-ssl-certificate-in-code.md#make-the-certificate-accessible).
 
 ## Manage App Service certificates
 
