Creating Certificates for Bot Framework apps hosted on Service Fabric

I decided to host a Bot Framework application on Service Fabric. Creating a regular Bot Framework app is relatively simple using the provided Visual Studio template and hosting it in a free-tier website service in Azure.

When using Service Fabric, even in a local test environment, we need a certificate to use external channels like Facebook, Skype or Cortana. This approach is also very useful if someone prefers to debug metadata on Facebook or Cortana messages, which is rather under-documented.

The certificate is needed for the HTTPS endpoint; with an invalid (or expired) certificate, the connection will not be established.

Once we have a domain name, we can use (as an example) Let's Encrypt to create the certificates for free. I used one of the suggested web tools, SSL For Free, to generate the cert. The key step here is to use Chrome as the browser; at the time of writing, Edge generated invalid certificates. Once the domain name is validated, we need to run the following command to generate a .pfx file, so that we can later install it into our cert store.

openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "private_rsa.key" -in "certificate.crt" -certfile ca_bundle.crt

For a local Service Fabric environment, we need to place the certificate under CurrentUser\My and CurrentUser\TrustedPeople using the Management Console.

The last bit is to set up Service Fabric to actually use this certificate and open a secure connection. (I assume the required port will be open on the firewall.) To do this, we need to open an HTTPS endpoint, define the thumbprint of the cert, and assign it to the secured endpoint. We can do this in ApplicationManifest.xml.

<Certificates>
  <EndpointCertificate X509FindValue="f2 ... 32" Name="cert" />
</Certificates>

and

<ServiceManifestImport>
  <ServiceManifestRef ServiceManifestName="NameOfPkg" ServiceManifestVersion="1.0.0" />
  <Policies>
    <EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="cert" />
  </Policies>
</ServiceManifestImport>
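A pre-deployment check for the two manifest fragments above, as an added example that is not part of the original post: it verifies that every CertificateRef points at a declared EndpointCertificate and that the thumbprint, once whitespace is removed, is 40 hex digits. It assumes a SHA-1 thumbprint; the sample manifest, its placeholder thumbprint, and the names AdminEndpointHttps and admincert are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (placeholder thumbprint, not a real certificate).
# The X509FindValue starts with U+200E, an invisible mark that can come along
# when a thumbprint is copied out of the Windows certificate dialog.
SAMPLE_MANIFEST = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="NameOfPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="cert" />
      <EndpointBindingPolicy EndpointRef="AdminEndpointHttps" CertificateRef="admincert" />
    </Policies>
  </ServiceManifestImport>
  <Certificates>
    <EndpointCertificate X509FindValue="\u200e00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33" Name="cert" />
  </Certificates>
</ApplicationManifest>"""

HEX = set("0123456789abcdefABCDEF")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def check_manifest(xml_text):
    """Return a list of problems found in the certificate wiring."""
    root = ET.fromstring(xml_text)
    problems, declared = [], set()
    for el in root.iter():
        if local(el.tag) != "EndpointCertificate":
            continue
        name = el.get("Name")
        declared.add(name)
        # Remove display whitespace only; anything else left over is suspicious.
        compact = "".join(el.get("X509FindValue", "").split())
        if len(compact) != 40 or set(compact) - HEX:
            odd = sorted(f"U+{ord(c):04X}" for c in set(compact) - HEX)
            problems.append(f"certificate {name!r}: thumbprint is not 40 hex digits "
                            f"(length {len(compact)}, unexpected {odd})")
    for el in root.iter():
        if local(el.tag) == "EndpointBindingPolicy" and el.get("CertificateRef") not in declared:
            problems.append(f"endpoint {el.get('EndpointRef')!r}: CertificateRef "
                            f"{el.get('CertificateRef')!r} has no matching EndpointCertificate")
    return problems

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST):
        print(problem)
```
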