First of all, you will need to get an SSL certificate from a certificate authority (CA) for your domain, i.e. www.yourcompanydomain.com. Do not request an SSL certificate for cloudapp.net: that is not your domain, it is only where your service is hosted. You will have to register your actual domain, i.e. www.yourcompanydomain.com, with a domain registration service of your choice. After that, you will request an SSL certificate for the same domain, i.e. www.yourcompanydomain.com, from a Certificate Authority of your choice.
I have categorized this process in 4 steps as below:
1. Create CSR for your domain and getting SSL Certificates from your desired CA
2. Installing SSL certificates in your development Machine
3. Uploading SSL certificates on Windows Azure Portal for your Service and including in your HTTPS endpoint
4. Setting up proper CNAME entry for your domain in DNS register
Step 1: Create CSR for your domain and getting SSL Certificates from your desired CA
You can use IIS7 (either from Windows Server 2003/2008 or Windows XP) to generate a certificate request for your domain and submit it to your CA to get the SSL certificates. As far as I know, IIS7x running on Windows 7 does not allow you to generate a CSR. To get the SSL certificate for your domain you will need to pass a CSR to your CA, and you can use an IIS server to create that CSR.
Step 2: Installing SSL certificates in your development Machine
In most cases you will receive a minimum of 3 certificates from your CA, or maybe more:
You will receive these certificates either as separate PFX files or chained into one PFX certificate file. Most of the time I have seen 1 PFX file with all the certificates in it. You will also need to download a few CER files from the CA. Once you have all the files, install all of these certificates (PFX and CER) on your development machine. Once you have installed all the necessary certificates on your development machine, you will be able to verify your domain correctly with the proper root certificate and intermediate certificate. You will see your domain certificate and the chained intermediate certificate stored in your machine account personal storage; the root certificate, however, will be stored in privileged root storage. This step will also help you select and include all the necessary certificates in your Windows Azure application configuration and set up the HTTPS endpoint.
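The verification described in Step 2 can be scripted. The following PowerShell is an added example, not part of the original post: it assumes the certificate was installed into the LocalMachine\My store, uses the page's placeholder domain, and the function name Test-ServiceCertificate is hypothetical.

```powershell
# Added example. Assumptions: the certificate was installed into LocalMachine\My
# and www.yourcompanydomain.com is the page's placeholder for your real domain.
function Test-ServiceCertificate {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$HostName
    )
    $problems = @()

    # Primary DNS name of the certificate (first SAN DNS entry, else the subject CN).
    $dnsName = $Certificate.GetNameInfo('DnsName', $false)
    if ($dnsName -like '*cloudapp.net') {
        $problems += "Issued for '$dnsName': request the certificate for your own domain."
    } elseif ($HostName -notlike $dnsName) {   # -like lets a wildcard certificate match
        $problems += "Certificate name '$dnsName' does not cover '$HostName'."
    }

    # Azure needs the private key, so the upload must come from a PFX export.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key on this machine: a PFX export will not be usable.'
    }

    # Build the chain; skip revocation lookups so the check does not need CRL/OCSP access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) {
            $problems += "Chain: $($status.Status) $($status.StatusInformation.Trim())"
        }
    }
    $elements = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $element.Certificate.Subject
            Thumbprint = $element.Certificate.Thumbprint
        }
    }
    [pscustomobject]@{ Problems = $problems; Chain = @($elements) }
}

$hostName = 'www.yourcompanydomain.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $hostName -like $_.GetNameInfo('DnsName', $false) } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My." }

$result = Test-ServiceCertificate -Certificate $cert -HostName $hostName
$result.Chain | Format-Table -AutoSize    # leaf, intermediate(s), root with thumbprints
$result.Problems                          # empty when the certificate is ready to upload
```

The thumbprints it lists for the domain, intermediate and root certificates are the values the Service Configuration file refers to when you include the certificates in Step 3.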
Step 3: Uploading SSL certificates on Windows Azure Portal for your Service and including in your HTTPS endpoint
After you have installed these certificates on your development machine, you will need to upload all of these SSL certificates to the certificates section inside your Service on the Windows Azure Portal. You also need to include all the certificates inside your Service Configuration file as described in the following blog:
Step 4: Setting up proper CNAME entry for your domain in DNS register
Finally, once you have the SSL certificate set up correctly in Windows Azure Portal and in your HTTPS Endpoint and Service Configuration file, you just need to add a CNAME entry in your DNS service to route it correctly. To set up a proper CNAME entry please
This blog has so much good information to learn. I really love reading it.
Regarding your comment "So far I know, IIS7x running on Windows 7 does not allows to generate CSR.", my colleague Ricardo Villalobos found this technet article that documents the procedure: technet.microsoft.com/.../cc732906(WS.10).aspx.
I found this article helpful as well (specifically for step 2): msdn.microsoft.com/.../wazplatformtrainingcourse_deployingapplicationsinwindowsazurevs2010_topic5
It is an example using a self-signed certificate but the same concepts apply. My certificate came as a .CER file so it helped to know how to "export" to a PFX file.
In Step 1, don't you need to generate the CSR from the specific machine that will later have the cert installed? How do you do that in Azure?
@Jerry I was wondering if I could really generate a CSR on my development machine IIS instead of in Azure. Surprisingly, you can.
Regarding step 2, after generating the CSR, I purchased an SSL Certificate from GoDaddy. They gave me a .crt and a .p7b file. Then I had to go back to IIS and choose "Complete Certificate Request". It asked for a response file and I chose one of those (can't remember which). That created the certificate locally, then I still had to export that to get the .PFX file that I could upload to Azure.
Looks like you can generate a certificate on your DEV machine then upload it into Azure. The PFX file that you upload to Azure contains the SSL Certificate plus the private RSA key of your DEV machine, so it can install and use it properly.
There's a step-by-step guide at www.andrewdenhertog.com/.../creating-adding-ssl-certificates-azure that will take you through the whole thing