Resolving “certificate for the given thumbprint could not be loaded” error with Azure Tools for Visual Studio

Recently I encountered a strange error when attempting some storage-related activities using Windows Azure Tools within Visual Studio 2012. When either adding a new storage account or changing Connection String settings I was met with:

The certificate for the given thumbprint could not be loaded from the Current User/Personal certificate store. Please install the certificate.

While I was able to resolve the error, I cannot reproduce it (and gave up trying), but if you face the same problem, hopefully this will help you.

Background

If Visual Studio was looking for a certificate, where was it looking? It turns out that the Windows Azure Tools for Visual Studio store some certificate-related references in a file called Windows Azure Connections.xml in your personal settings area on Windows. This file is created on your behalf once you’ve created any Publish Profiles by publishing Cloud Services to Windows Azure from Visual Studio.

The file lives here:

%UserProfile%\Documents\Visual Studio 2012\Settings\Windows Azure Connections.xml

On my Windows 8 development machine, this is:

C:\Users\billdev\My Documents\Visual Studio 2012\Settings\Windows Azure Connections.xml

The file contains the credentials you’d previously supplied during publishing and will look something like the following:

<?xml version="1.0"?>
<NamedCredentials xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Items>
    <NamedCredential>
      <SubscriptionId>12345678-abcd-ae10-abba-01812e1e1000</SubscriptionId>
      <IsImported>false</IsImported>
      <ServiceEndpoint>https://management.core.windows.net/</ServiceEndpoint>
      <CertificateThumbprint>A123B123C12333EC954471ED75C37D59003681F7</CertificateThumbprint>
      <Name>Page of Photos</Name>
    </NamedCredential>
  </Items>
  <LastUsedName>Page of Photos</LastUsedName>
</NamedCredentials>

Note that the NamedCredential XML element item may be repeated.

Problem

The problem turns out to be that one of the certificates referenced (identified by thumbprint via the CertificateThumbprint XML element) is either not installed properly locally, or not installed in the associated Windows Azure Subscription (identified by the SubscriptionId XML element).

Solution

For each certificate referenced by a CertificateThumbprint element (there could be more than one, unlike the simple example shown above):

  1. Make sure the certificate is installed in your local certificate store and contains a private key. It can usually be found in the Personal (or “My”) store under the Current User certificates, using the Certificates snap-in with Microsoft Management Console. (You can also use certmgr.exe or write your own code to dump certificate info.) If the certificate exists in your local certificate store then it is probably fine; it is unlikely to be missing a private key, but it is possible.
  2. Make sure the certificate has been uploaded to the Windows Azure Portal for the SubscriptionId referenced within Windows Azure Connections.xml.

That’s it. Should work. Worst case you can delete each element of your Windows Azure Connections.xml profile and start over.
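The local half of this check (step 1) can be scripted. The following PowerShell is an added example, not part of the Azure Tools or the original post: it reads every CertificateThumbprint from Windows Azure Connections.xml and reports whether a matching certificate with a private key exists in the Current User\Personal store. The default path is the one given above; the expiry column is an extra check the post does not mention, and step 2 (the certificate being uploaded to the subscription) still has to be confirmed in the portal.

```powershell
# Added example: audit the thumbprints referenced by Windows Azure Connections.xml
# against the Current User\Personal ("My") certificate store.
param(
    # Default path as given in the article (Visual Studio 2012); pass another path if yours differs.
    [string]$ConnectionsFile = (Join-Path $env:USERPROFILE `
        'Documents\Visual Studio 2012\Settings\Windows Azure Connections.xml')
)

if (-not (Test-Path -LiteralPath $ConnectionsFile)) {
    throw "Connections file not found: $ConnectionsFile"
}
[xml]$doc = Get-Content -LiteralPath $ConnectionsFile -Raw

# Index the personal store by thumbprint (hashtable keys are case-insensitive).
$store = @{}
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object { $store[$_.Thumbprint] = $_ }

# NamedCredential may be repeated, so walk every occurrence.
foreach ($cred in $doc.SelectNodes('/NamedCredentials/Items/NamedCredential')) {
    # Keep only hex digits: removes spaces and invisible characters from copy/paste.
    $thumb = ($cred.CertificateThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = $store[$thumb]

    $status = if (-not $cert)               { 'MISSING from CurrentUser\My' }
          elseif (-not $cert.HasPrivateKey) { 'No private key' }
          elseif ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
          else                              { 'OK locally' }

    [pscustomobject]@{
        Name           = $cred.Name
        SubscriptionId = $cred.SubscriptionId
        Thumbprint     = $thumb
        NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
        Status         = $status
    }
}
```

Any row that is not “OK locally” points at the NamedCredential entry to repair or delete; an “OK locally” row whose publish still fails points at step 2.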

Specific Scenarios

These are the two specific scenarios where I saw the problem in case you are interested.

Scenario #1

This scenario failed whether or not a project was open.

  1. Open the Server Explorer window in Visual Studio
  2. Right-click on Windows Azure Storage, choose “Add New Storage Account…“, and the error dialog appears:
    “The certificate for the given thumbprint could not be loaded from the Current User/Personal certificate store. Please install the certificate.”
  3. This message is extra confusing since I don’t think there ought to be any certificates involved here. And no project/solution is open.

Scenario #2

This scenario requires an open Azure project.

  1. Open the UI tool for editing Azure configuration by opening your Cloud Project in Solution Explorer, drilling into Roles, and double-clicking on a Web Role or Worker Role project. The Role configuration editor window opens in Visual Studio.
  2. Choose Settings, then Add Setting (which creates Setting1 of Type=String), change Setting1’s Type to Connection String, and then click the “…” button at far right (to pop up the connection string edit window), and an error dialog appears:
    “The certificate for the given thumbprint could not be loaded from the Current User/Personal certificate store. Please install the certificate.”

Here are the screen shots for the two error dialogs (slightly different).

image

3 thoughts on “Resolving “certificate for the given thumbprint could not be loaded” error with Azure Tools for Visual Studio”

  1. Luke Briner

    This happened when the publish dialog got confused and I had to re-sign in to Azure. It redownloaded the publish credentials but it seems that VS needs to be closed and reopened for it to find the certificate. Once I did that, it all worked again. Thanks for pointing me in the right direction.
