Multiple Domain Name to the same Cloud Service and SSL Certificates

  • Article

So most probably you got the following error while browsing a cloudapp.net cloud service hosted in Windows Azure.

There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept data you send to the server.
We recommend that you close this webpage and do not continue to this Web site.

One website ( WebRole in case of Azure) can be associated with one certificate only and this is by design. This is not an Azure PAAS WebRole but an IIS limitation till now.

In case you have the following scenario where multiple DNS (CNAME) names need to be mapped to the same cloud service or hosted service.

a) www.contoso.com => https://foo-prod.cloudapp.net

b) www.fabrikam.com => https://foo-prod.cloudapp.net

While this is not a problem without a certificate, with an SSL certificate you might get a security warning and the reason is as below.

The certificate is used by the WebSite to let the client know that is can be trusted. In the current case you may have two certificates on the Windows Azure Management Portal but only one can be associated with the WebRole and that is by design as in IIS only one certificate can be associated with one WebSite.

a) The certificate that the WebRole may be using currently was say issued for www.contoso.com . So the certificate metadata has this information on the Server Side.

b) When we use www.fabrikam.com we ultimately land up with https://foo-prod.cloudapp.net

c) The WebSite sends the client certificate to the browser and it will get flagged as below.

 

  

d) If you hit Continue to this website it will take you to the actual site without any issues.

e) Now let’s look at the Certificate. The Issued to part has www.contoso.com but you are browsing to a site www.fabrikam.com

 

f) The WebBrowser correctly flags it off saying “Hey! You browsed for www.fabrikam.com but the certificate returned was for www.contoso.com . Something is fishy!!!”

g) To overcome this you can use the Subject Alternative Name and get the name www.fabrikam.com added to it. This needs to be done by the certificate vendor from you will get your SSL certificate.

A live example can be found if you browse to the site https://www.digicert.com/subject-alternative-name.htm and look for the property of the certificate.

 

 

So now the browser will look though the list of alternate names and if it matches the one being browsed it will not flag it.

In case you want to use multiple DNS names then the secondary names have to be added to the Subject Alternative Number of the Certificate. This single certificate needs to be uploaded to the portal and the thumbprint provided to the cloud service. The site can be now browsed without any SSL warnings using either if the names www.contoso.com or www.fabrikam.com or any other alternate DNS name.

 Angshuman Nayak, Cloud Integration Engineer