Connect Azure Website to Xero Partner Application
I'm integrating my app with Xero which requires two certificates. I uploaded them to Azure with help from this article, but I'm still unable to connect to the Xero API. I'm hoping someone has experience integrating a Xero Partner Application with an Azure Web App.

I've uploaded two pfx files; one is a self-signed certificate and the other is the partner certificate issued by Xero. The latter pfx file contains two certificates; an Entrust Commercial Private Sub CA1 (whatever that means) and a unique Entrust Id certificate for my app.

I'm using the following code to load the certificates by their unique thumbprint:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.Text.RegularExpressions;

    static X509Certificate2 GetCertificateFromStore(string thumbprint)
    {
        // Defaults to the Personal (My) store of the current user.
        var store = new X509Store(StoreLocation.CurrentUser);

        try
        {
            // Strip spaces and any stray non-hex characters copied from the portal or certmgr.
            // The class must be a-zA-Z: the original a-zA-z range also admitted [ \ ] ^ _ `.
            thumbprint = Regex.Replace(thumbprint, @"[^\da-zA-Z]", string.Empty).ToUpper();
            store.Open(OpenFlags.ReadOnly);

            // First keep only certificates valid right now, then match the thumbprint.
            var certCollection = store.Certificates;
            var currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            var signingCert = currentCerts.Find(X509FindType.FindByThumbprint, thumbprint, false);

            if (signingCert.Count == 0)
            {
                throw new Exception($"Could not find Xero SSL certificate. cert_name={thumbprint}");
            }

            return signingCert[0];
        }
        finally
        {
            store.Close();
        }
    }

This works fine locally, but on my Azure web site I get a 403.7 error:

The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

I've also looked at the following references to try and resolve the issue:

What I haven't tried yet:

  • Converting my web app to a cloud service; trying to avoid doing this however I'm not sure what steps are involved.
  • Using a VM; I haven't found any detailed steps on how to do this but seems like a better option than above.

Screenshot of the error: [image of the 403.7 error page]

Eichler answered 29/12, 2015 at 21:4 Comment(1)
Just for reference, we have the same problem and at one point had a case open with Microsoft about it here - social.msdn.microsoft.com/Forums/azure/en-US/….Thole
Finally got this working and I will post my solution which will hopefully save developers a lot of time and frustration when connecting with Xero.

The Xero Partner Application will not work with Azure App Services (Web Sites). You have to upload two additional certificates along with your self-signed and the Xero partner certificate. These can be found on your local machine and can be exported in .cer format (details of these certificates below). Not being able to upload these certificates for Azure App Services is indeed the crux. They also have to be uploaded to specific stores (Root/CA), which you cannot do with App Services. These are the steps I took to connect with Xero.

  1. Converted my web site to Azure Cloud Services: I was wary of changing our environment as we already have a live site. It turns out that Cloud Services is essentially the same as App Services; you are still deploying to a VM somewhere. However, you have more control over the back end and you can remote desktop in. Read more here. Used links below to create and convert my website to Cloud Services:

  2. Uploaded 4 certificates to my cloud project using the Azure portal. You will need to upload the following:

    • Your self-signed certificate (the one you created here)
    • The partner certificate issued by Xero (you probably got it here)
    • The Intermediate Entrust certificate (this one should be contained within the .p12 file you downloaded above)
    • The Entrust Root certificate (this should be in your Trusted Root Store**)
  3. Added the certificates to my Web Role in the Cloud project. You have to right-click on the properties of your web role and go to the Certificates tab. Add all 4 certificates to your web role using the thumbprint, which will be visible in the portal after you have uploaded them. Take note of the Store Name for the two Entrust certs:

[screenshot of the web role Certificates tab showing the store name for each certificate]

You may have to adopt a lot of patience, as I had to, to get through step one. You'll have to figure out the new deployment process, how to debug your project locally, and probably a lot of other frustrating tidbits!

**This is the correct Entrust Root certificate; you can get it by using certmgr.msc:

[screenshot of certmgr.msc showing the Entrust Root certificate in the Trusted Root store]

Eichler answered 14/1, 2016 at 4:20 Comment(0)
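The answer above comes down to one check: the TLS stack can only present the full Entrust chain to Xero if the intermediate and root are in the CA and Root stores next to the partner certificate. The following diagnostic, an added example that is not part of the answer or of any Xero or Microsoft code, finds the partner certificate by thumbprint in the Personal store, asks the chain engine to build the chain from the same store location, and lists every chain status and element so an operator can see which issuer is missing and which store it belongs in. The thumbprint constant is a placeholder, and the `StoreLocation` choice (LocalMachine for a Cloud Services web role, CurrentUser for App Service) is an assumption to adjust for your deployment.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from the answer above): report whether the Entrust
// intermediate and root that must sit in the CA / Root stores are really there.
static class XeroChainCheck
{
    // Placeholder; replace with the thumbprint shown in the Azure portal.
    const string PartnerThumbprint = "PARTNER-CERT-THUMBPRINT-PLACEHOLDER";

    public static X509Certificate2 FindByThumbprint(StoreName name, StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly);
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return hits.Count == 0 ? null : hits[0];
        }
    }

    // Builds the chain the TLS layer will present. The chain engine consults the
    // Intermediate CA and Trusted Root stores of the given location, so a missing
    // Entrust intermediate shows up here as PartialChain / UntrustedRoot before
    // it shows up as a 403.7 on the live site.
    public static List<string> Diagnose(X509Certificate2 leaf, StoreLocation location)
    {
        var problems = new List<string>();
        if (leaf == null)
        {
            problems.Add("leaf certificate not found in the Personal (My) store");
            return problems;
        }
        if (!leaf.HasPrivateKey)
            problems.Add("leaf certificate has no private key; re-export the PFX with the key");

        var chain = new X509Chain(useMachineContext: location == StoreLocation.LocalMachine);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline diagnostic only
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(leaf);
        foreach (var status in chain.ChainStatus)
            problems.Add($"{status.Status}: {status.StatusInformation.Trim()}");

        // Walk the chain so the operator can see each element and the store it belongs in.
        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            var c = chain.ChainElements[i].Certificate;
            string role = i == 0 ? "leaf (Personal/My)"
                        : (i == chain.ChainElements.Count - 1 && IsSelfSigned(c)) ? "root (Trusted Root)"
                        : "intermediate (Intermediate CA)";
            Console.WriteLine($"[{i}] {role}: {c.Subject} thumbprint={c.Thumbprint}");
        }

        if (ok && problems.Count == 0)
            Console.WriteLine("chain builds cleanly; the full Entrust chain can be presented to Xero");
        return problems;
    }

    static bool IsSelfSigned(X509Certificate2 c) => c.Subject == c.Issuer;

    static void Main()
    {
        // Assumption: a Cloud Services web role installs into LocalMachine;
        // switch to StoreLocation.CurrentUser when testing under App Service.
        var location = StoreLocation.LocalMachine;
        var leaf = FindByThumbprint(StoreName.My, location, PartnerThumbprint);
        foreach (var problem in Diagnose(leaf, location))
            Console.WriteLine("PROBLEM: " + problem);
    }
}
```

Run it once on the machine that works (your local IIS box) and once via remote desktop on the web role: the difference in the printed chain elements is the list of certificates still to upload, and the store named beside each element is the one the Certificates tab must target.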
A 403 error means we are not seeing the Xero Entrust certificate in the connection. More details about it here - http://blog.xero.com/developer/api-overview/http-response-codes/#403

Basically, it runs on your local IIS instance because it is a "single tenant" machine where your application doesn't need to be isolated from others, while on the web site your application is blocked by the security model used to isolate web sites.

In summary, you have to do the following to get your certificates working on Azure:

1) Export the certificate, private key, and all intermediary certificates into a PFX file.

2) Upload the certificate using the Azure portal to the cloud service that you're running (it should appear as multiple entries).

3) Access the certificate through the machine store in code.

Based on data taken from: https://community.xero.com/developer/discussion/626401

https://social.msdn.microsoft.com/Forums/azure/en-US/29b30f25-eea9-4e8e-8292-5ac8085fd42e/access-to-certificates-in-azure-web-sites

I hope it solved your issue.

Bat answered 29/12, 2015 at 21:25 Comment(7)
For the record, I've done all these steps and am getting the same results.Eichler
this might help you - developer.xero.com/documentation/advanced-docs/… , let me know if it does and I'll update my answer to include the informationBat
Those steps are to get it running locally, I do not have access to the application pool or any IIS settings on Azure.Eichler
Just to get more details - have you tried one of the following configurations: azure.microsoft.com/en-us/blog/… azure.microsoft.com/en-us/documentation/articles/…Bat
Yes, as stated, I've used the first link to upload my certificates. I know they're on Azure because I don't get the exception 'Could not find Xero SSL certificate' (see code). My site has an SSL certificate as well, for which I've done the steps in the second link to configure it.Eichler
Well, I'm not sure it will help you but it's worth pasting the link here - azure.microsoft.com/en-us/documentation/articles/…Bat
@Bat We are talking about two completely different things here. The OP's problem is with client certificates, which are used to encrypt the messages sent to certain services, in this case Xero. The link is about installing an SSL certificate on an Azure web site.Nonstandard
Make sure you added the application setting from step 2 of your referenced article.

Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to "*" (without quotes), in which case all your certificates will be loaded into your web application's personal certificate store.

I'd also be more specific in specifying the certificate store, i.e. use:

    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

This is how we load certs in all of our Azure Web Apps.

Mcphee answered 12/1, 2016 at 22:45 Comment(0)
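The thread never shows the step after the lookup: handing the loaded certificate to the HTTP stack so the TLS handshake presents it. The example below is added here and is not code from any of the answers, from Xero or from Microsoft. It reads the thumbprint from configuration (the `XERO_CLIENT_CERT_THUMBPRINT` setting name is hypothetical), normalises it with the corrected `a-zA-Z` character class, loads only a currently valid certificate from the CurrentUser Personal store that `WEBSITE_LOAD_CERTIFICATES` populates, refuses one without a private key, and attaches it to an `HttpClientHandler`. The request path is a placeholder; the OAuth signing Xero also requires is a separate concern not covered here.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Added example (not from the answers above): load the client certificate from the
// store WEBSITE_LOAD_CERTIFICATES fills and present it on outbound TLS connections.
static class XeroClientCert
{
    // Normalise a thumbprint pasted from the portal or certmgr: drop spaces and the
    // invisible left-to-right mark certmgr tends to copy, then upper-case.
    // The range is a-zA-Z; the a-z A-z form also admits [ \ ] ^ _ ` characters.
    public static string NormalizeThumbprint(string raw) =>
        Regex.Replace(raw ?? string.Empty, @"[^\da-zA-Z]", string.Empty).ToUpperInvariant();

    public static X509Certificate2 LoadClientCertificate(string rawThumbprint,
        StoreLocation location = StoreLocation.CurrentUser)
    {
        string thumbprint = NormalizeThumbprint(rawThumbprint);
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: true drops expired or not-yet-valid certificates, so a stale
            // copy left in the store cannot be picked up silently.
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (hits.Count == 0)
                throw new InvalidOperationException(
                    $"No valid certificate with thumbprint {thumbprint} in {location}\\My; " +
                    "check WEBSITE_LOAD_CERTIFICATES and the uploaded PFX.");

            var cert = hits[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found but it has no private key; re-export the PFX with the key.");
            return cert;
        }
    }

    // Manual client-certificate selection: the handler presents exactly this
    // certificate instead of letting Windows pick one from the store.
    public static HttpClient CreateClient(X509Certificate2 clientCert, Uri baseAddress)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(clientCert);
        return new HttpClient(handler) { BaseAddress = baseAddress };
    }

    static void Main()
    {
        // Hypothetical setting name; the thumbprint lives in configuration, not in code.
        string raw = Environment.GetEnvironmentVariable("XERO_CLIENT_CERT_THUMBPRINT") ?? string.Empty;
        var cert = LoadClientCertificate(raw);
        Console.WriteLine($"Using client certificate {cert.Subject} ({cert.Thumbprint})");

        using (var client = CreateClient(cert, new Uri("https://api.xero.com/")))
        {
            // Placeholder path; a real call also needs the OAuth signature Xero requires.
            var response = client.GetAsync("PLACEHOLDER-ENDPOINT-PATH").GetAwaiter().GetResult();
            Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
        }
    }
}
```

A 403.7 after this code runs means the certificate was presented but the server could not build its chain, which points back at the missing Entrust intermediate and root rather than at the lookup; an exception from `LoadClientCertificate` means the App Service setting or the upload is the problem.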
