Question 105584 in Azure Question posted in
The official documentation to get you started can be found here.

Azure App Service unable to validate .pfx file: Certificate failed validation because it could not be loaded

For years I was able to upload new pfx files for SSL binding on Azure App Services using the OpenSSL creation method in this Stack Overflow answer:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

However, doing the same now provides this error:

At least one certificate is not valid (Certificate failed validation because it could not be loaded.)

pfx error

What ways can this issue be resolved?

Tags:

3

Answers


  1. Chosen as BEST ANSWER
    0

    App Service private certificate requirements

    App Service private certificates must meet the following requirements:

    • Exported as a password-protected PFX file, encrypted using triple DES.
    • Contains private key at least 2048 bits long
    • Contains all intermediate certificates and the root certificate in the certificate chain.

    Option 1: Use legacy provider in OpenSSL 3+

    OpenSSL 3+ no longer uses DES encryption as a default. The original command needs the -legacy and -provider-path (path to legacy.dll) arguments appended:

    openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -legacy -provider-path 'C:Program FilesOpenSSL-Win64bin'

    Option 2: Let Windows re-encrypt the file

    If for some reason your OpenSSL installation does not contain the legacy provider:

    Open PowerShell and run this command, replacing -FilePath with the path to your non-working pfx file, and the password -String argument with its respective password:

    Import-PfxCertificate -FilePath "pfx file path" -CertStoreLocation Cert:LocalMachineMy -Password (ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force) -Exportable

    A successful output will look like:

    export pfx result

    Use this thumbprint to export the cert to a new pfx file, replacing the -Cert, -FilePath, and password -String arguments:

    Export-PfxCertificate -Cert Microsoft.PowerShell.SecurityCertificate::LocalMachineMyB56CE9B122FB04E29A974A4D0DB3F6EAC2D150C0 -FilePath 'newPfxName.pfx' -Password (ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force)

    Azure should now be able to validate the new pfx file output.


  2. 0

    If the specific error is

    Error adding private key certificate. At least one certificate is not
    valid (Certificate failed validation because it could not be loaded)

    And if you are using the following script from OpenSSL to generate

    openssl pkcs12 -export -out forUploadToAzure.pfx -inkey privateKeyUsedToGenerateCRT.key -in certificateGenerated.crt

    And if this is the issue, then….

    OpenSSL 3 generates a longer certificate serial number when you run the pfx generation script. I would suggest downloading the OpenSSL 1 from the portal (https://slproweb.com/products/Win32OpenSSL.html) and this should help generate a shorter certificate serial number which Azure pfx import tool will accept

    Reference – https://learn.microsoft.com/en-us/answers/questions/192112/error-message-occurs-when-trying-to-upload-pfx-cer.html

    Login or Signup to reply.
  3. 0

    For me, the issue was simply solved by changing the password. My previous password had special characters, which then i changed to only alphabetic letters.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search