Using Self-Signed Certificates for Web Sites on Windows Server for Hosting Service Providers

 

Microsoft is bringing Windows Azure Web Sites, Virtual Machines, Service Management Portal and API to Windows Server, enabling service providers to easily deliver high-density website hosting and Infrastructure as a Service scenarios in a Windows Server-based environment.

 

For more information regarding this exciting product, check out the document here.

 

One of the coolest features of this product is SSL. Instead of using a wildcard certificate for all web sites, the Centralized Certificate Store feature introduced in IIS 8 lets customers use their own certificate, one that exactly matches their web site's DNS name, for an SSL web site. This brings the density of SSL web sites to a significantly higher level.

 

For testing/development purposes, you may want to use self-signed certificates. This article explains how to use self-signed certificates on Web Sites on Windows Server for Hosting Service Providers.

 

At first, I tried using the PowerShell cmdlet “New-SelfSignedCertificate” and couldn’t make it work. Then I followed this article and it worked perfectly.

https://blogs.msdn.com/b/asiatech/archive/2012/02/06/create-certificates-via-commands-for-testing-purpose.aspx

 

Here are the steps.

Create Root Authority

makecert -n "CN=MyTestCA" -r -sv MyTestCA.pvk MyTestCA.cer

- A dialog box will pop up asking you to provide the password for the private key. Please remember it.

- Two files will be generated: MyTestCA.pvk and MyTestCA.cer

 

Install the Root Certificate

Install the root certificate MyTestCA.cer into the Trusted Root Certification Authorities store (Local Computer store) on the following roles:

- Sites RestAPI

- Sites Frontend

- Client machines used for testing/development

 

Generate the Server Certificate

Run the following command to generate the server certificate for your web site. For example, if your site name is www.test.com, the command is:

makecert -pe -iv MyTestCA.pvk -n "CN=www.test.com" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic MyTestCA.cer www.test.com.cer

 

Export the Server Certificate

The www.test.com.cer file generated by the above command can’t be used because it doesn’t contain the private key. We need to export the key. You can use either the Certificates MMC snap-in (Local Computer store) or the following command (certmgr is a tool included in the Windows SDK):

certmgr -c -s -r localMachine MY

Now you have a certificate named .pfx that contains the private key and is protected by a password.
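
Before uploading, it is worth confirming that the certificate in the Local Computer store actually has a private key, carries the Server Authentication EKU passed to makecert, and chains to the installed MyTestCA root. The script below is an added example, not part of the original article; the function name Test-SiteCertificate is hypothetical, and it assumes the site name www.test.com and root name MyTestCA used in the steps above.

```powershell
# Added example: sanity-check the test server certificate in LocalMachine\My.
# Assumed names (from the steps above): CN=www.test.com issued by CN=MyTestCA.
function Test-SiteCertificate {
    param(
        [string]$DnsName  = 'www.test.com',
        [string]$IssuerCN = 'MyTestCA'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # same OID given to makecert -eku

    # Pick the newest certificate whose subject matches the site DNS name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$DnsName in LocalMachine\My" }

    # Collect the EKU OIDs from the certificate's extensions.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain in machine context. The test CA publishes no CRL, so
    # revocation checking is disabled for this check only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey
        IssuedByTestCA = ($cert.Issuer -eq "CN=$IssuerCN")
        ServerAuthEku  = ($ekuOids -contains $serverAuthOid)
        WithinValidity = ($now -ge $cert.NotBefore -and $now -lt $cert.NotAfter)
        ChainTrusted   = $chainOk
        ChainErrors    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-SiteCertificate
```

If ChainTrusted is False with an UntrustedRoot error, MyTestCA.cer has not been installed into the Trusted Root Certification Authorities store on that machine.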

 

Enable Self-Signed Certificate

Before using the self-signed certificate, we have to change the hosting configuration to allow self-signed certificates.

- Log on to the controller role as admin

- Open a PowerShell console and run the following commands:

    Add-PSSnapin WebHostingSnapin

    Set-HostingConfiguration -AllowSelfSignedCertificates $true

 

Upload the Certificate

Finally, you can upload and use your own self-signed certificate on the tenant portal.

- Log on to the tenant portal

- Click the name of the site you want to upload the certificate for

- Click “CERTIFICATES” at the top right

- Click “UPLOAD CERTIFICATE” at the bottom middle and follow the instructions

 

Now open IE and browse to your site using HTTPS. You should see that the uploaded self-signed certificate is used.

 

 

See you next time,

 

Wei from APGC DSI Team