Avkash Chauhan's Blog

Windows Azure, Windows 8, Cloud Computing, Big Data and Hadoop: All together at one place.. One problem, One solution at One time...

Complete Solution: Adding SSL Certificate with Windows Azure Application


First of all, you will need to get an SSL certificate from a certificate authority (CA) for your own domain, e.g. www.yourcompanydomain.com. Do not request an SSL certificate for cloudapp.net: that is not your domain, it is only where your service is hosted. Register your actual domain, e.g. www.yourcompanydomain.com, with a domain registration service of your choice. After that, request the SSL certificate for that same domain from a Certificate Authority of your choice.


I have categorized this process into 4 steps, as below:

1. Creating a CSR for your domain and getting SSL certificates from your desired CA

2. Installing the SSL certificates on your development machine

3. Uploading the SSL certificates to the Windows Azure Portal for your Service and including them in your HTTPS endpoint

4. Setting up the proper CNAME entry for your domain in your DNS registrar


Step 1: Creating a CSR for your domain and getting SSL certificates from your desired CA

You can use IIS7 (either from Windows Server 2003/2008 or Windows XP) to generate a certificate signing request (CSR) for your domain and submit it to your CA to get the SSL certificates. As far as I know, IIS 7.x running on Windows 7 does not allow generating a CSR. To get the SSL certificate for your domain you need to pass a CSR to your CA, and you can use an IIS server to create that CSR.


  • For IIS 7.x, please use the following details:

http://www.digicert.com/csr-creation-microsoft-iis-7.htm


  • For IIS 5.x and 6.x, please use the following details:

http://www.networksolutions.com/support/csr-for-microsoft-iis-5-x-6-x/


Step 2: Installing the SSL certificates on your development machine

In most cases you will receive a minimum of 3 certificates from your CA, or maybe more:

1. Domain certificate

2. Root certificate

3. Intermediate certificate

You will receive these certificates either as separate PFX files or chained into one PFX certificate file. I have seen that, most of the time, 1 PFX file has all the certificates in it. You will also need to download a few CER files from the CA. Once you have all the files, install all of these certificates (PFX and CER) on your development machine. With all the necessary certificates installed, you will be able to verify your domain certificate against the proper root certificate and intermediate certificate. Your domain certificate and the chained intermediate certificate are stored in your machine account's personal store, while the root certificate is stored in the privileged root store. This step will also help you select and include all the necessary certificates in your Windows Azure application configuration and set up the HTTPS endpoint.


Step 3: Uploading the SSL certificates to the Windows Azure Portal for your Service and including them in your HTTPS endpoint

After you have installed these certificates on your development machine, you will need to upload all of these SSL certificates to the certificates section inside your Service on the Windows Azure Portal. You also need to include all the certificates in your Service Configuration file, as described in the following blog:

http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx


Step 4: Setting up the proper CNAME entry for your domain in your DNS registrar

Finally, once the SSL certificate is set up correctly in the Windows Azure Portal, in your HTTPS endpoint and in your Service Configuration file, you just need to add a CNAME entry in your DNS service to route traffic correctly. To set up the proper CNAME entry, please follow:

http://blog.smarx.com/posts/custom-domain-names-in-windows-azure
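
A pre-upload check for the PFX from Steps 2 and 3, as an added example that is not part of the original post: it reports whether the file holds a private key, is issued for your own domain rather than cloudapp.net, and carries its intermediate certificates. It assumes Windows PowerShell 5.1; Test-AzureSslPfx and Test-NameMatch are hypothetical helper names, and the SAN parsing assumes English-locale Windows output.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the original post. Function names are hypothetical.
function Test-NameMatch([string]$Pattern, [string]$HostName) {
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label.
        $rest = $HostName.Substring($HostName.IndexOf('.') + 1)
        return $rest -ieq $Pattern.Substring(2)
    }
    return $Pattern -ieq $HostName
}

function Test-AzureSslPfx([string]$PfxPath, [securestring]$Password, [string]$Domain) {
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [X509Certificate2Collection]::new()
    $certs.Import((Resolve-Path $PfxPath).Path, $plain, [X509KeyStorageFlags]::DefaultKeySet)

    # The domain certificate is the entry that carries the private key.
    $leaf = @($certs | Where-Object { $_.HasPrivateKey })[0]
    if (-not $leaf) { throw 'No certificate with a private key in this PFX' }

    # DNS names from the SAN extension (English-locale format assumed), else the first DNS name.
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @(if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value } })
    if (-not $names) { $names = @($leaf.GetNameInfo([X509NameType]::DnsName, $false)) }

    # Build the chain offline, offering the other PFX entries as intermediates.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $certs | Where-Object { -not $_.HasPrivateKey } |
        ForEach-Object { [void]$chain.ChainPolicy.ExtraStore.Add($_) }
    $trusted = $chain.Build($leaf)

    # Windows also finds intermediates in local stores, so confirm each one is in the PFX itself.
    $inPfx = @($certs | ForEach-Object { $_.Thumbprint })
    $missing = @($chain.ChainElements | ForEach-Object { $_.Certificate } |
        Where-Object { $_.Subject -ne $_.Issuer -and $inPfx -notcontains $_.Thumbprint })

    [pscustomobject]@{
        Thumbprint          = $leaf.Thumbprint   # referenced from the service configuration
        Names               = $names
        MatchesDomain       = [bool]($names | Where-Object { Test-NameMatch $_ $Domain })
        IssuedForCloudApp   = [bool]($names | Where-Object { $_ -like '*cloudapp.net' })
        ChainTrustedLocally = $trusted
        MissingFromPfx      = $missing.Subject
    }
}
# Usage (placeholder path): Test-AzureSslPfx .\site.pfx (Read-Host -AsSecureString 'PFX password') www.yourcompanydomain.com
```

A result with MatchesDomain false, IssuedForCloudApp true, or a non-empty MissingFromPfx means the file should be re-exported with the full chain or reissued before it is uploaded.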






 

Comments

  • This blog has so much good information to learn. I really love reading it.

  • Regarding your comment "So far I know, IIS7x running on Windows 7 does not allows to generate CSR.", my colleague Ricardo Villalobos found this technet article that documents the procedure: technet.microsoft.com/.../cc732906(WS.10).aspx.  

  • I found this article helpful as well (specifically for step 2): msdn.microsoft.com/.../wazplatformtrainingcourse_deployingapplicationsinwindowsazurevs2010_topic5

    It is an example using a self signed certificate but the same concepts apply.  My certificate came as a .CER file so it helped to know how to "export" to a PFX file.

  • In Step 1, don't you need to generate the CSR from the specific machine that will later have the cert installed? How do you do that in Azure?

  • @Jerry I was wondering if I could really generate a CSR on my development machine IIS instead of in Azure. Surprisingly, you can.

    Regarding step 2, after generating the CSR, I purchased an SSL Certificate from GoDaddy.  They gave me a .crt and a .p7b file.  Then I had to go back to IIS and choose "Complete Certificate Request".  It asked for a response file and I chose one of those (can't remember which).  That created the certificate locally, then I still had to export that to get the .PFX file that I could upload to Azure.

  • Looks like you can generate a certificate on your DEV machine then upload it into Azure. The PFX file that you upload to Azure contains the SSL Certificate plus the private RSA key of your DEV machine, so it can install and use it properly.

    There's a step-by-step guide at www.andrewdenhertog.com/.../creating-adding-ssl-certificates-azure that will take you through the whole thing
