Hello Deepak Raj
Thank you for asking your question on the Microsoft Q&A portal. I'm happy to help you with this.
The error CryptographicException: Bad Key almost always points to an issue where the worker application is unable to access or use the private key of the required certificate to decrypt incoming data.
Based on the error stack trace and your description, the issue is likely with how the certificate is being loaded and accessed by your worker App Service. Please follow these steps to diagnose and resolve the problem.
- This is the most common cause of this issue. Azure App Service requires this specific application setting to make an uploaded certificate accessible to your application's code from the certificate store.
- In the Azure Portal, navigate to your Web App and your Worker App services. Under Settings -> Configuration -> Application settings, ensure you have a setting with the following:
  - Name: WEBSITE_LOAD_CERTIFICATES
  - Value: The thumbprint of the certificate you uploaded for the Split-Merge service. You can set the value to * to load all certificates, but specifying the thumbprint is more secure and recommended.
  - Important: This setting must exist and be correct on both the UI Web App and the Backend Worker App.
- You are correct to check this, but certificates loaded via the WEBSITE_LOAD_CERTIFICATES setting are placed in the LocalMachine store, not CurrentUser.
- Open the Kudu console for your worker App Service (https://<your-app-name>.scm.azurewebsites.net/).
- Select PowerShell from the Debug console menu.
- Run the following command to list certificates in the Local Machine store that are accessible to your app:

```powershell
# List the certificates in the Local Machine personal store, which is where
# WEBSITE_LOAD_CERTIFICATES places uploaded certificates
Get-ChildItem Cert:\LocalMachine\My
```

- Verify that the certificate thumbprint listed in the output exactly matches the one you uploaded and configured in the app settings.
- Check Certificate Consistency: The same certificate, including its private key, must be used by both the UI application (for encryption) and the worker application (for decryption).
- Action: Confirm that the exact same .pfx file was uploaded to both the UI Web App and the Backend Worker App under Settings -> TLS/SSL settings -> Private Key Certificates (.pfx).
- When you export the certificate to a .pfx file, ensure you include the private key and all certificates in the certification path.
- Action: Re-export the certificate from your source and re-upload it to both App Services to rule out any corruption during the initial export/upload process.
You can review the official documentation for deploying the Split-Merge service (including certificate requirements and typical troubleshooting for “Bad Key” or certificate errors) at the following fully validated Microsoft Learn link:
It states: "If you receive the following error, it's most likely a problem with your Web endpoint's certificate. Try connecting to the Web endpoint with your favorite browser or REST tool. If you see SSL errors, the certificate is either not installed or there are thumbprint issues."
Additional Resources
- This official document provides detailed instructions on how to upload certificates and make them accessible to your application, which is directly relevant to your problem. https://free.blessedness.top/en-us/azure/app-service/configure-ssl-certificate-in-code
Let me know if the above works for you.
Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
Thanks
Pratyush
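The checks in the answer above (the WEBSITE_LOAD_CERTIFICATES setting, the certificate being present in Cert:\LocalMachine\My, and the private key actually being usable) can be run in one pass. The following script is an added example, not part of the original answer or of the Split-Merge tooling: paste it into the Kudu PowerShell console of each App Service (UI and worker). It reads the setting from the environment, looks up every listed thumbprint in the Local Machine personal store, and reports whether the certificate is present, carries a private key that the current identity can open, and is within its validity period. The thumbprint values and the setting itself are assumed to come from your own App Service configuration.

```powershell
# Added diagnostic script (not from the original answer). Run it in the Kudu
# PowerShell console of both the UI Web App and the Backend Worker App.
# It assumes WEBSITE_LOAD_CERTIFICATES is configured on the App Service.

$setting = $env:WEBSITE_LOAD_CERTIFICATES
if ([string]::IsNullOrWhiteSpace($setting)) {
    Write-Output "WEBSITE_LOAD_CERTIFICATES is not set: uploaded certificates are not loaded into the store."
    return
}

# The store WEBSITE_LOAD_CERTIFICATES loads into is LocalMachine\My, not CurrentUser.
$store = Get-ChildItem -Path Cert:\LocalMachine\My

# '*' loads every uploaded certificate; otherwise the value is a comma-separated list of thumbprints.
if ($setting.Trim() -eq '*') {
    $wanted = $store | ForEach-Object { $_.Thumbprint }
} else {
    # Normalise: strip whitespace and upper-case, since the store reports thumbprints in upper-case hex.
    $wanted = $setting -split ',' |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() } |
        Where-Object { $_ }
}

foreach ($thumb in $wanted) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Output "MISSING  $thumb : not in Cert:\LocalMachine\My (check the upload and the thumbprint value)"
        continue
    }

    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += "no private key (the .pfx was exported without it)"
    } else {
        # Opening the key proves this identity can read it, which is what decryption needs;
        # a certificate that is present but whose key cannot be opened is the classic "Bad Key" case.
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $key) { $problems += "private key is not RSA or could not be opened" }
        } catch {
            $problems += "private key present but not readable: $($_.Exception.Message)"
        }
    }
    $now = Get-Date
    if ($cert.NotAfter  -lt $now) { $problems += "expired on $($cert.NotAfter.ToString('u'))" }
    if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore.ToString('u'))" }

    if ($problems.Count -eq 0) {
        Write-Output "OK       $thumb : $($cert.Subject), private key readable, valid until $($cert.NotAfter.ToString('u'))"
    } else {
        Write-Output "PROBLEM  $thumb : $($cert.Subject) -> $($problems -join '; ')"
    }
}
```

Run it on both App Services and compare the two outputs: the same thumbprint should appear as OK on each. A MISSING line on the worker alone points at the setting or the upload on that app; a PROBLEM line mentioning the private key on the worker while the UI app shows OK points at the .pfx export, which is the re-export step in the answer.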