[Update: With the November 2009 release of the Windows Azure Tools - this post is now obsolete - an updated post is available here]
Lately there has been a couple of threads on the forum and some internal email around setting up an https endpoint on a Windows Azure Cloud Service.
A good starting point is this article, but there are some common issues that people run into that I wanted to talk about.
First are the cert requirements.
When running on the Development Fabric, the certificate also needs to be self-signed – this is to prevent any security issues around leaking the private key of a real certificate.
Let’s walkthrough the steps to trying an https endpoint on the Development Fabric:
1) open the ServiceDefinition.csdef file in the CloudService project in Visual Studio and add a second InputEndpoint to the WebRole:
<InputEndpoint name="HttpIn" protocol="http" port="80" />
<InputEndpoint name="HttpsIn" protocol="https" port="443" />
2) If you have a self-signed certificate that meets the requirements above, you can skip ahead to step 9. Otherwise, let’s use the IIS manager to create a self-signed certificate
3) Open the IIS Manager and select “Server Certifiates”
4) On the right side under “Actions”, select “Create Self-Signed Certificate…”
5) Follow the steps in the IIS Manager and you’ll have a new self-signed cert that supports Server Authentication and has an exportable private key.
6) The newly created cert will be put in the Personal store in the Local Computer location. Windows Azure Tools (including cspack) look for the certs in the Personal store in the Current User location (we needed to settle on a location and didn’t want it to be one that requires admin elevation).
7) To move the certs to the Current User location, you can run mmc, add the Certificates snap-in for both “My User Account” and “Computer Account” and drag and drop the certificates to the Personal store in the Current User location. Alternatively, you can export and import.
8) If you ever export/import the cert, make sure you export the private key and on import mark the key as exportable:
9) Right click on the Cloud Service project in the VS Solution Explorer and click “Properties”. Click on the SSL tab and check to Enable SSL Connections under Development and click “Select from Store…”.
10) Select your certificate. Hit F5 to run.
11) Navigate to the https endpoint -- the browser will complain as expected because you are using a self-signed certificate:
12) To see the actual ports that were used for your service, you can bring up the Development Fabric UI (right click on the Development Fabric tray icon) and click on the Service Details for your Deployment:
13) When you are ready to publish to the real cloud, use the SSL Cloud Service settings to select a certificate for Publish – this is the certificate that is used when publishing for deployment.
PingBack from http://asp-net-hosting.simplynetdev.com/adding-an-https-endpoint-to-a-windows-azure-cloud-service/
Thank you for submitting this cool story - Trackback from DotNetShoutout
Here's a helpful walkthrough on how to add an https endpoint to a Windows Azure Cloud Service. [Fixed
Jim, this was really helpful. I've got a little addition that might be of help to anyone who wants to simulate this working but not get the warning about the certificate not matching the certificate (during testing): if you modify your hosts file to map 127.0.0.1 to the name of the self-signed certificate you won't get a certificate warning (on your local machine). Please do note that a) be careful with this - if you forget you did this you'll eventually be sorry so "handle with care"; b) this will only work if you redirect your page on launch to the new name; and c) this is obviously not going to work up in the Azure fabric - however you're going to want a real certificate for that anyway!
I have tried implementing this on the cloud, and I noticed there are a couple of steps before deploying the solution (deploy the certificates etc.)
are there any thoughts about deploying the certificates along with the cspkg?
Thanks DaveT, great post.
With the November release, you can no longer deploy the certificates with the cspkg.
In other words, this post is now obsolete and will be updated with the new mechanism (similar to your post in fact)
thanks jnak, I noticed that there was a way of doing it with the previous sdk, I thought I may have been missing something. Good to have confimation.