- Posted by SondreB on January 18, 2010
Learn how to create the CSR (Certificate Signing Request) for Windows Azure using Internet Information Services 7.0 on Windows Server 2008 R2. The CSR is used by any certificate provider to generate the proper SSL certificate. You will now learn how to go through the process of securing your Windows Azure hosts and enabling users to access your services over HTTPS.
Certificate Signing Request
First you open IIS Manager and navigate to the root element for the web server. Open the Server Certificates by double-clicking on the icon, as seen in the screenshot.
On the right side, there is an action by the name Create Certificate Request. Click this link and a new dialog will appear. Fill out this dialog according to your information details. Make sure you don’t type the wrong URL of the website you want to secure. Depending on the type of certificate you’re applying for, you might use a wildcard or not.
The next step in the wizard allows you to choose the cryptographic service provider. Choose the Microsoft RSA one and set the bit length to whatever your requirements are. I set mine to 2048. The last step is to save the request to your local machine. Save the file somewhere and you’re done with the request.
Purchasing SSL Certificate
Now you’re ready to purchase an SSL certificate. There are many providers of certificates and there is a wide array of available certificate types. They can be used for secure email, signing software code, securing web server communication and more. There are additionally multiple levels of security; some certificates include a green URL bar which improves the visibility of the secure communication channel.
Open the .txt file you created with the request. Copy everything inside the file; it should begin with “-----BEGIN NEW CERTIFICATE REQUEST-----”.
Paste the content into the website where you have purchased the SSL certificate. See the screenshot below for an example.
Complete the procedures required by your certificate provider. When you’re done, you should be able to download the certificate or receive it by email. The certificate comes in the same form as the request. If you receive it by email, copy the content and save it to a new file with the ending .cer. The certificate starts with “-----BEGIN CERTIFICATE-----”.
Installing and exporting SSL certificate
The next step is to install the SSL certificate on your local web site in IIS. We will install the certificate and later export it for use on Windows Azure.
Go back to IIS Manager and the Server Certificates window. Below the link we used earlier there is another one named Complete Certificate Request. Click this and complete the wizard.
If everything is correct, the certificate should be in the list. Open it and check that it’s valid. See example below.
Exporting to .pfx file
The next important step is to export the newly installed certificate to a .pfx file. You can do this by clicking the Export link on the same page where you imported the .cer file. It’s advised that you enter a password for additional security: if the .pfx file is lost or stolen, whoever has it can’t use it unless they know your password. Export the file to the local machine; we will use this file later on to upload it to Windows Azure.
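Before using the exported file, it is worth confirming that it opens with the password you set and really contains the private key. This PowerShell is an added example, not part of the original walkthrough; the file path and host name are placeholders.

```powershell
# Added example: inspect the exported .pfx before using it elsewhere.
# Assumptions: $pfxPath and $expectedHost are placeholders for your own values.
$pfxPath      = 'C:\certs\www.example.com.pfx'
$expectedHost = 'www.example.com'

# Prompt for the export password without echoing it or storing it in the script
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Throws a CryptographicException if the password is wrong or the file is damaged
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $password

$problems = @()

# A .pfx without the private key cannot be used for an HTTPS endpoint
if (-not $cert.HasPrivateKey) {
    $problems += 'File does not contain a private key'
}

# The certificate must be inside its validity period
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

# Loose name check: a wildcard CN such as *.example.com is used as a -like pattern
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false)
if ($expectedHost -notlike $cn) {
    $problems += "Subject name '$cn' does not cover '$expectedHost'"
}

# Subject equal to issuer means this is still a self-signed certificate
if ($cert.Subject -eq $cert.Issuer) {
    $problems += 'Certificate is self-signed, not issued by a certificate provider'
}

$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint, HasPrivateKey
"Key size: $($cert.PublicKey.Key.KeySize) bits"

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'PFX looks usable.' }
```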
If you’re developing a web site using Windows Azure, I suggest mapping a virtual directory on the local IIS to your web-application. This makes it possible to test your site through IIS, as well as the built in web server in Visual Studio, and through the Windows Azure Fabric that runs locally.
Go into the web site and modify the bindings. Add a new binding which uses HTTPS protocol and pick the newly installed SSL certificate.
If you want to, you can now verify that the SSL certificate is working properly on your local machine. You will first see a security warning that the certificate is invalid (wrong URL). This is to be expected.
Adding Certificate to Windows Azure project
Now that the certificate is installed on IIS, we need to install it for the local user that is running Visual Studio with the Windows Azure project. The certificate has to be installed in the local store for Visual Studio to find it in the properties dialog on your project.
Open Windows Explorer and locate your certificate; this is the .cer file that we saved earlier. You need to open it from Windows Explorer and not from IIS Manager for the “Install Certificate” button to appear. In the installation wizard, choose to install the certificate in the Personal store.
Open the settings of your role by double-clicking the icon below the Roles folder under your Windows Azure project in Visual Studio. Navigate to the Certificates tab and choose Add Certificate. Give it a name; I like to use the domain name for simplicity. Choose LocalMachine as the store location and My as the store name. Click the button to open a dialog where you can choose the newly installed certificate.
The last step before we move on to the next one, which is uploading our private key to Windows Azure, is to configure the HTTPS endpoint. Navigate to the Endpoints tab in the same window and enable HTTPS. Pick the correct certificate from the dropdown.
Adding Certificate to Windows Azure hosts
Navigate to http://windows.azure.com/, log in and open your project. At the bottom of the screen where you see the current status of your virtual machines, there is a section named Certificates. Click the Manage link to continue.
Upload the .pfx file you exported earlier. Enter the password you chose while exporting. Click Upload to continue.
Go ahead and deploy your project again. You might be required to delete the existing deployment before you can upgrade. This is the case if you’ve moved from a temporary self-signed SSL certificate to an official one. When the new deployment is complete, your web site works with HTTPS! Below is a screenshot of Boks running on Windows Azure with HTTPS.
Conclusions
Securing your services with HTTPS is important to ensure the privacy and safety of your customers and users. Never allow anyone to authenticate their credentials with your site unless it’s with HTTPS. When you don’t use HTTPS, all the information the user enters on your web site can be sniffed and logged by third parties at various steps in the network from the client computer to your hosted server. In many cases, this data travels across multiple country borders.
Installing and configuring HTTPS certificates is sometimes hard, but I hope this walkthrough makes you aware of the importance and of how quickly and easily you can get up and running with a valid SSL certificate.
Additional Walkthroughs
There are many examples of the first part of this walkthrough, namely requesting certificates and getting them approved. How do I... Request and install SSL certificates in IIS 7.0? by Mark Kaelin is one which explains the various steps in more detail. Do a search to find more walkthroughs if you’re having problems.