Complete Solution: Adding SSL Certificate with Windows Azure Application


First of all, you will need to get an SSL certificate from a certificate authority (CA) for your domain, i.e. www.yourcompanydomain.com. Do not request an SSL certificate for cloudapp.net: that is not your domain, it is only where your service is hosted. You will have to register your actual domain, i.e. www.yourcompanydomain.com, at a domain registration service of your choice. After that, request an SSL certificate for the same domain, i.e. www.yourcompanydomain.com, from a Certificate Authority of your choice.


I have categorized this process into 4 steps, as below:

1. Creating a CSR for your domain and getting SSL certificates from your desired CA
2. Installing SSL certificates on your development machine
3. Uploading SSL certificates on the Windows Azure Portal for your Service and including them in your HTTPS endpoint
4. Setting up the proper CNAME entry for your domain in the DNS register


Step 1: Create CSR for your domain and getting SSL Certificates from your desired CA

You can use IIS7 (either from Windows Server 2003/2008 or Windows XP) to generate a certificate request for your domain and use it to get the SSL certificates from your CA. As far as I know, IIS7x running on Windows 7 does not allow you to generate a CSR. To get the SSL certificate for your domain you will need to pass a CSR to your CA, and you can use an IIS server to create that CSR.



  • For IIS server 7.x, please use the following details: http://www.digicert.com/csr-creation-microsoft-iis-7.htm

  • For IIS server 5.x and 6.x, please use the following details: http://www.networksolutions.com/support/csr-for-microsoft-iis-5-x-6-x/


Step 2: Installing SSL certificates in your development Machine

In most cases you will receive a minimum of 3 certificates from your CA, or maybe more:

1. Domain certificate
2. Root certificate
3. Intermediate certificate

You will receive these certificates either as separate PFX files or chained into one PFX certificate file. Most of the time I have seen one PFX file that has all the certificates in it. You will also need to download a few CER files from the CA. Once you have all the files, install all of these certificates (PFX and CER) on your development machine. Once all the necessary certificates are installed on your development machine, you will be able to verify your domain correctly with the proper root certificate and intermediate certificate. You will see your domain certificate and the chained intermediate certificate stored in your machine account's personal store; the root certificate, however, will be stored in the privileged root store. This step will also help you select and include all the necessary certificates in your Windows Azure application configuration and set up the HTTPS endpoint.
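
One way to run the verification described in this step before uploading anything, as an added example that is not part of the original post. The helper name Test-SslCertificateForUpload is hypothetical, and the self-signed certificate at the end is constructed sample input standing in for the CA-issued one.

```powershell
# Added example. Test-SslCertificateForUpload is a hypothetical helper name,
# not an Azure, IIS or PKI-module cmdlet.
function Test-SslCertificateForUpload {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$DomainName
    )
    $problems = @()

    # The PFX uploaded in Step 3 must contain the private key, not only the public certificate.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'Certificate has no private key in this store.'
    }

    # The name must be your own domain; a cloudapp.net name is not yours to certify.
    $dnsName = $Certificate.GetNameInfo('DnsName', $false)
    if ($dnsName -like '*cloudapp.net') {
        $problems += "Certificate is issued for $dnsName, not for a domain you own."
    }
    # -like lets a wildcard name such as *.yourcompanydomain.com match (loosely).
    if ($DomainName -notlike $dnsName) {
        $problems += "Certificate name $dnsName does not cover $DomainName."
    }

    # Skip revocation lookups so the check does not depend on the CA's CRL/OCSP servers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" })
    }

    [pscustomobject]@{
        Thumbprint     = $Certificate.Thumbprint
        Chain          = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Problems       = $problems
        ReadyForUpload = ($problems.Count -eq 0)
    }
}

# Constructed sample input: a throwaway self-signed certificate stands in for
# the CA-issued one (New-SelfSignedCertificate needs Windows 8 / Server 2012 or later).
$sample = New-SelfSignedCertificate -DnsName 'www.yourcompanydomain.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
Test-SslCertificateForUpload -Certificate $sample -DomainName 'www.yourcompanydomain.com'
Remove-Item -Path "Cert:\CurrentUser\My\$($sample.Thumbprint)"   # clean up the sample
```

For a real certificate, pass the object read from the certificate store instead of the sample; the self-signed sample does not chain to a trusted root, so it is reported under Problems.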


Step 3: Uploading SSL certificates on Windows Azure Portal for your Service and including in your HTTPS endpoint

After you have installed these certificates on your development machine, you will need to upload all of them to the certificates section inside your Service on the Windows Azure Portal. You also need to include all the certificates in your Service Configuration file, as described in the following blog:

http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx
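
A pre-deployment check of the certificate entries in the Service Configuration file, added here as an example; it is not taken from the linked blog or the Azure SDK. The helper name Test-CscfgCertificates is hypothetical, and the embedded .cscfg (service, role and certificate names, thumbprints) is constructed sample input.

```powershell
# Added example. Test-CscfgCertificates is a hypothetical helper name; the XML
# further down is constructed sample input with placeholder names and thumbprints.
function Test-CscfgCertificates {
    param([Parameter(Mandatory = $true)][string]$CscfgText)

    $config = [xml]$CscfgText
    foreach ($role in $config.ServiceConfiguration.Role) {
        foreach ($entry in $role.Certificates.Certificate) {
            $thumbprint = $entry.thumbprint
            # A SHA-1 thumbprint is exactly 40 hex digits. Copying it from the
            # certificate dialog can drag along spaces or an invisible character.
            $wellFormed = $thumbprint -match '^[0-9A-Fa-f]{40}$'
            # Look for the certificate in every LocalMachine store (My, CA, Root, ...).
            $stores = @()
            if ($wellFormed) {
                $stores = @(Get-ChildItem -Path Cert:\LocalMachine -Recurse |
                    Where-Object { $_.Thumbprint -eq $thumbprint } |
                    ForEach-Object { ($_.PSParentPath -split '\\')[-1] })
            }
            [pscustomobject]@{
                Role        = $role.name
                Name        = $entry.name
                WellFormed  = $wellFormed
                InstalledIn = $stores -join ', '
            }
        }
    }
}

# Constructed sample: the second thumbprint carries a pasted left-to-right mark (U+200E).
$hidden = [char]0x200E
$sampleCscfg = @"
<ServiceConfiguration serviceName="SampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="1" />
    <Certificates>
      <Certificate name="DomainCert" thumbprintAlgorithm="sha1"
          thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" />
      <Certificate name="IntermediateCert" thumbprintAlgorithm="sha1"
          thumbprint="${hidden}89ABCDEF0123456789ABCDEF0123456789ABCDEF" />
    </Certificates>
  </Role>
</ServiceConfiguration>
"@
Test-CscfgCertificates -CscfgText $sampleCscfg | Format-Table -AutoSize
```

An entry with WellFormed set to False needs its thumbprint retyped; an empty InstalledIn means that certificate is not installed on the machine running the check.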


Step 4: Setting up proper CNAME entry for your domain in DNS register

Finally, once you have the SSL certificate set up correctly in the Windows Azure Portal, in your HTTPS endpoint and in your Service Configuration file, you just need to add a CNAME entry in your DNS service to route traffic correctly. To set up the proper CNAME entry, please follow:

http://blog.smarx.com/posts/custom-domain-names-in-windows-azure






 

Comments (6)

  1. This blog has so much good information to learn. I really love reading it.

  2. Greg Oliver says:

    Regarding your comment "So far I know, IIS7x running on Windows 7 does not allows to generate CSR.", my colleague Ricardo Villalobos found this technet article that documents the procedure: technet.microsoft.com/…/cc732906(WS.10).aspx.  

  3. Justin says:

    I found this article helpful as well (specifically for step 2): msdn.microsoft.com/…/wazplatformtrainingcourse_deployingapplicationsinwindowsazurevs2010_topic5

    It is an example using a self signed certificate but the same concepts apply.  My certificate came as a .CER file so it helped to know how to "export" to a PFX file.

  4. Jerry says:

    In Step 1, don't you need to generate the CSR from the specific machine that will later have the cert installed? How do you do that in Azure?

  5. Eric Barr says:

    @Jerry I was wondering if I could really generate a CSR on my development machine IIS instead of in Azure. Surprisingly, you can.

    Regarding step 2, after generating the CSR, I purchased an SSL Certificate from GoDaddy.  They gave me a .crt and a .p7b file.  Then I had to go back to IIS and choose "Complete Certificate Request".  It asked for a response file and I chose one of those (can't remember which).  That created the certificate locally, then I still had to export that to get the .PFX file that I could upload to Azure.

  6. James says:

    Looks like you can generate a certificate on your DEV machine then upload it into Azure. The PFX file that you upload to Azure contains the SSL Certificate plus the private RSA key of your DEV machine, so it can install and use it properly.

    There's a step-by-step guide at http://www.andrewdenhertog.com/…/creating-adding-ssl-certificates-azure that will take you through the whole thing