
Windows Azure: Secure Site with SSL certificate

This post has been updated for newer versions of Azure and IIS. See Microsoft Azure: Secure Site with SSL certificate (revisited), or continue reading below.

Learn how to create the CSR (Certificate Signing Request) for Windows Azure using Internet Information Services 7.0 on Windows Server 2008 R2. The CSR is what a certificate provider uses to issue the SSL certificate. You will learn how to go through the process of securing your Windows Azure hosts and enabling users to access your services over HTTPS.

Certificate Signing Request

First you open IIS Manager and navigate to the root element for the web server. Open the Server Certificates by double-clicking on the icon, as seen in the screenshot.

IIS_Server_Certificates

On the right side, there is an action named Create Certificate Request. Click this link and a new dialog will appear. Fill out this dialog with your details. Make sure you don’t type the wrong URL of the website you want to secure. Depending on the type of certificate you’re applying for, you might use a wildcard or not.

IIS_Request_Certificate

The next step in the wizard allows you to choose the cryptographic service provider. Choose the Microsoft RSA one and set the bit length to whatever your requirements are. I set mine to 2048. The last step is to save the request to your local machine. Save the file somewhere and you’re done with the request.

Purchasing SSL Certificate

Now you’re ready to purchase an SSL certificate. There are many certificate providers and a wide array of certificate types. They can be used for secure email, signing software code, securing web server communication and more. There are also multiple levels of security; some certificates include a green URL bar, which improves the visibility of the secure communication channel.

Open the .txt file you created with the request. Copy everything inside the file; it should begin with “-----BEGIN NEW CERTIFICATE REQUEST-----”.

Paste the content into the website where you have purchased the SSL certificate. See the screenshot below for an example.

Digital_Certificate_Order_Form

Complete the procedures required by your certificate provider. When you’re done, you should be able to download the certificate or receive it by email. The certificate comes in the same form as the request. If you receive it by email, copy the content and save it to a new file with the extension .cer. The certificate starts with “-----BEGIN CERTIFICATE-----”.

Installing and exporting SSL certificate

The next step is to install the SSL certificate on your local web site in IIS. We will install the certificate and later export it for use on Windows Azure.

Go back to IIS Manager and the Server Certificates window. Below the link we used earlier there is another one named Complete Certificate Request. Click this and complete the wizard.

If everything is correct, the certificate should be in the list. Open it and check that it is valid. See the example below.

Certificate_Installed

Exporting to .pfx file

The next important step is to export the newly installed certificate to a .pfx file. You can do this by clicking the Export link on the same page where you imported the .cer file. It’s advised that you enter a password for additional security: if the .pfx file is lost or stolen, whoever has it can’t use it unless they know your password. Export the file to the local machine; we will use this file later on to upload it to Windows Azure.

Export_Certificate

If you’re developing a web site using Windows Azure, I suggest mapping a virtual directory on the local IIS to your web-application. This makes it possible to test your site through IIS, as well as the built in web server in Visual Studio, and through the Windows Azure Fabric that runs locally.

Go into the web site and modify the bindings. Add a new binding which uses HTTPS protocol and pick the newly installed SSL certificate.

IIS_Add_Binding

If you want to, you can now verify that the SSL certificate is working properly on your local machine. When you do, you will see a security warning that the certificate is invalid (wrong URL). This is to be expected.

Adding Certificate to Windows Azure project

Now that the certificate is installed on IIS, we need to install it for the local user that is running Visual Studio with the Windows Azure project. The certificate has to be installed in the local store, for Visual Studio to find it in the properties dialog on your project.

Open Windows Explorer and locate your certificate; this is the .cer file that we saved earlier. You need to open it from Windows Explorer and not from IIS Manager for the “Install Certificate” button to appear. In the installation wizard, choose to install the certificate in the Personal store.

Install_Certificate_Personal_Store

Open the settings of your role by double-clicking its icon below the Roles folder under your Windows Azure project in Visual Studio. Navigate to the Certificates tab and choose Add Certificate. Give it a name; I like to use the domain name for simplicity. Choose LocalMachine as the store location and My as the store name. Click the button to open a dialog where you can choose the newly installed certificate.

Certificate_Selection

The last step before we move on to uploading our private key to Windows Azure is to configure the HTTPS endpoint. Navigate to the Endpoints tab in the same window and enable HTTPS. Pick the correct certificate from the dropdown.

Endpoints

Adding Certificate to Windows Azure hosts

Navigate to http://windows.azure.com/, log in and open your project. At the bottom of the screen where you see the current status of your virtual machines, there is a section named Certificates. Click the Manage link to continue.

Upload the .pfx file you exported earlier. Enter the password you chose when exporting. Click Upload to continue.

Upload_Certificate
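Before uploading, it is worth confirming that the .pfx file really contains the private key, is within its validity period, and is the certificate the role configuration points at. The script below is an added example, not part of the original post; the parameter names are hypothetical, and it assumes the Certificates tab has written the thumbprint into the project's ServiceConfiguration.cscfg.

```powershell
# Added example: check the exported .pfx before uploading it to Windows Azure.
# Parameter names and the .cscfg layout are assumptions, not taken from the post.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,    # file exported from IIS
    [Parameter(Mandatory = $true)] [string] $CscfgPath   # ServiceConfiguration.cscfg
)

$password = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxFile  = (Resolve-Path $PfxPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxFile, $password

$problems = @()

# The Azure hosts need the private key; the .cer file alone does not carry one.
if (-not $cert.HasPrivateKey) {
    $problems += 'No private key in the PFX; export it again from IIS.'
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}

# Collect the thumbprints that the role configuration refers to.
[xml]$cfg = Get-Content -Path $CscfgPath
$configured = @($cfg.ServiceConfiguration.Role |
    ForEach-Object { $_.Certificates.Certificate } |
    Where-Object { $_ } |
    ForEach-Object { ($_.thumbprint -replace '\s', '').ToUpper() })
if ($configured -notcontains $cert.Thumbprint) {
    $problems += "Thumbprint $($cert.Thumbprint) is not referenced in $CscfgPath"
}

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Key size   : $($cert.PublicKey.Key.KeySize) bits"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'PFX has a private key, is in date and matches the role configuration.'
```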

Go ahead and deploy your project again. You might be required to delete the existing deployment before you can upgrade; this is the case if you’ve moved from a temporary self-signed SSL certificate to an official one. When the new deployment is complete, your web site works with HTTPS! Below is a screenshot of Boks running on Windows Azure with HTTPS.

InTheBoks_HTTPS

Conclusions

Securing your services with HTTPS is important to ensure the privacy and safety of your customers and users. Never let anyone submit their credentials to your site unless it’s over HTTPS. When you don’t use HTTPS, all the information the user enters on your web site can be sniffed and logged by third parties at various steps in the network between the client computer and your hosted server. In many cases, this data travels across multiple country borders.

Installing and configuring HTTPS certificates is sometimes hard, but I hope this walkthrough makes you aware of its importance and of how quickly and easily you can get up and running with a valid SSL certificate.

Additional Walkthroughs

There are many examples covering the first part of this walkthrough, namely requesting certificates and getting them approved. How do I… Request and install SSL certificates in IIS 7.0? by Mark Kaelin is one that explains the various steps in more detail. Do a search to find more walkthroughs if you’re having problems.

17 comments

  1. Pingback: Security in the Cloud – Application Security and Management API Certificates in Azure cloud | Cumulux

  2. Great article!

    Very helpful, thank you!

  3. Pingback: Trying to deploy SSL Cert to Azure – Webrole stuck in "Waiting for role to start" - Windows Azure Blog

  4. Thanks for this great article. I tried a lot of other articles (even calling godaddy.com) but only your instructions worked like a charm.
    Thanks again!
    Balki

  5. Pingback: // do something here » Blog Archive » Azure + SSL

  6. Pingback: Working with SSL certificates on Azure and IIS7 | Convivial Coding

  7. Thanks for the great post, very helpful. I found a few gotchas for the unwary when I followed your post, so I blogged them here:

    Working with SSL certificates on Azure and IIS7

    Cheers
    Iain

  8. This is a great article, but I have one question at the beginning. I assume I need to generate CSR on the Azure server.

    How do I start Server manager on the Azure server?

    • SondreB

      You have to run the Server Manager on a separate Windows Server. Though you could enable remote desktop, or use the new Virtual Machine Role, to run the Server Manager from there.

  9. Awesome thanks so much for that, why don’t Microsoft provide this kind of guide themselves?!

    • SondreB

      Thanks for the comment Sean! It’s interesting to see you are reading and commenting on my blog, as I love your iSpy software :-)

  10. Dave

    I don’t know where to buy the SSL, I’ve seen prices from 65$ up to 1000$,
    Do you have any suggestions ? It’s for securing a Wcf service on azure, no need to get green address bar display since that will be called from a wpf application.

  11. Hi Thanks for the article. Very helpful.

    Once we have done this, how to configure IIS to redirect from

    http://myGreatWebApplication-On-Windows-Azure-Using-ACS.com
    to
    https://myGreatWebApplication-On-Windows-Azure-Using-ACS.com

    Where the chosen solution IS COMPATIBLE WITH Azure ACS, that does some redirections itself??

    Thanks,

  12. Bharath

    Thanks for the great post!, Helped me in accomplishing certificate for Azure website!

  13. Lou

    Wow, it actually worked! Way too many steps but that’s not your fault.

    It would be helpful to put an overview in like: The goal of this exercise is that we need to have an SSL Certificate on our local machine so that we can deploy it to Azure. There are two important tasks: 1) Create and upload a .pfx version of the certificate to upload to the Azure portal and 2) Add the .crt version of the same certificate to deployed project.

    I’m not sure if I have that overview right, but it would be helpful to have that from you so that I can feel like I can explain to myself what the heck I did.

    Anyway, thanks again!

  14. SAM

    Awesome post… I have searched MSDN for over a year and could not get a simple document such as this.

    Not sure why the chimps in microsoft think that all the technical documents have to be complex and boring
