Adding an HTTPS Endpoint to a Windows Azure Cloud Service

[Update: With the November 2009 release of the Windows Azure Tools - this post is now obsolete - an updated post is available here]

Lately there have been a couple of threads on the forum and some internal email about setting up an HTTPS endpoint on a Windows Azure Cloud Service.

A good starting point is this article, but there are some common issues that people run into that I wanted to talk about.

First are the cert requirements. 

  • The certificate must contain a private key that is marked exportable
  • The certificate must have the Server Authentication Intended Purpose

When running on the Development Fabric, the certificate also needs to be self-signed – this is to prevent any security issues around leaking the private key of a real certificate.

Let’s walk through the steps for trying an HTTPS endpoint on the Development Fabric:

1) Open the ServiceDefinition.csdef file in the CloudService project in Visual Studio and add a second InputEndpoint to the WebRole:

  <WebRole name="WebRole">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" />
    </InputEndpoints>
  </WebRole>

2) If you have a self-signed certificate that meets the requirements above, you can skip ahead to step 9. Otherwise, let’s use the IIS Manager to create a self-signed certificate.

3) Open the IIS Manager and select “Server Certificates”.

4) On the right side under “Actions”, select “Create Self-Signed Certificate…”

5) Follow the steps in the IIS Manager and you’ll have a new self-signed cert that supports Server Authentication and has an exportable private key.

6) The newly created cert will be put in the Personal store in the Local Computer location. Windows Azure Tools (including cspack) look for the certs in the Personal store in the Current User location (we needed to settle on a location and didn’t want it to be one that requires admin elevation).

7) To move the certs to the Current User location, you can run mmc, add the Certificates snap-in for both “My User Account” and “Computer Account” and drag and drop the certificates to the Personal store in the Current User location.  Alternatively, you can export and import.

8) If you ever export/import the cert, make sure you export the private key and on import mark the key as exportable.

9) Right-click the Cloud Service project in the VS Solution Explorer and click “Properties”. Click on the SSL tab, check the option to Enable SSL Connections under Development, and click “Select from Store…”.

10) Select your certificate.  Hit F5 to run.

11) Navigate to the HTTPS endpoint -- the browser will complain as expected because you are using a self-signed certificate.

12) To see the actual ports that were used for your service, you can bring up the Development Fabric UI (right-click the Development Fabric tray icon) and click on the Service Details for your Deployment.

13) When you are ready to publish to the real cloud, use the SSL Cloud Service settings to select a certificate for Publish – this is the certificate that is used when publishing for deployment.

Troubleshooting

  • If you see the error “Role start failed for one or more roles” when specifying an https endpoint, most likely this is because you are trying to use a certificate that does not have an exportable private key.
  • If you see the error “can't locate service descriptions”, most likely this is because you attempted to use a certificate that is not self-signed when running on the Development Fabric.
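
Both errors above trace back to the certificate requirements, so the certificate can be checked before hitting F5. The PowerShell script below is an added example, not part of the original post or of the Windows Azure Tools; it assumes Windows PowerShell on .NET Framework 4.6 or later, and the default thumbprint is a constructed placeholder.

```powershell
# Added example: pre-flight check of one certificate against the requirements
# in this post. The default thumbprint is a placeholder; pass your own.
param([string]$Thumbprint = '0000000000000000000000000000000000000000')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication purpose

function Test-KeyExportable($Cert) {
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $false }                      # key exists but cannot be opened
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $key.CspKeyContainerInfo.Exportable # legacy CSP key
    }
    if ($key -is [System.Security.Cryptography.RSACng]) {
        # CNG key: exportable when the AllowExport policy flag is set
        return $key.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    }
    return $false                                  # non-RSA keys are not handled here
}

# The tools look in Current User\Personal (step 6), so check there first.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    $machine = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($machine) {
        Write-Warning 'Found only in Local Computer\Personal; move it to Current User\Personal (step 7).'
    } else {
        Write-Warning "No certificate with thumbprint $Thumbprint in either Personal store."
    }
    return
}

# Only an explicit Server Authentication entry counts; a certificate with no
# enhanced key usage extension at all is reported as False.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

[pscustomobject]@{
    Subject              = $cert.Subject
    ExportablePrivateKey = (Test-KeyExportable $cert)         # False: expect "Role start failed..."
    ServerAuthentication = $hasServerAuth
    SelfSigned           = ($cert.Subject -eq $cert.Issuer)   # name match only, signature not verified
}
```

A `False` in `SelfSigned` corresponds to the “can't locate service descriptions” case on the Development Fabric; it is not a problem for the certificate selected for Publish.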