
How To: Enable SSL with a Self-Signed Certificate on Windows Azure

Objectives

  • Create a self-signed certificate to be used to encrypt an SSL channel
  • Upload a certificate to Windows Azure using the Windows Azure Management portal
  • Enable an HTTPS endpoint on a Windows Azure web role

Summary

Enabling SSL on a Windows Azure web role involves a few easy configuration steps, and deployment of a certificate. HTTPS must be enabled on the web role as an endpoint, the certificate must be associated with that endpoint, and the certificate must also be uploaded to Windows Azure.

This How To provides the steps for completing these tasks and enabling SSL on a web role.

Contents

  • Prerequisites
  • Summary of Steps
  • Step 1 - Create and Install cert
  • Step 2 - Create VS project
  • Step 3 - Upload the certificate to Windows Azure Management portal
  • Step 4 - Publish the project to Windows Azure
  • Step 5 - Test the SSL

Prerequisites

  1. Windows Azure SDK
  2. Windows Azure Tools for Visual Studio 2008

Summary of Steps

  • Step 1 - Create and Install cert
  • Step 2 - Create VS project
  • Step 3 - Upload the certificate to Windows Azure Management portal
  • Step 4 - Publish the project to Windows Azure
  • Step 5 - Test the SSL

Step 1 - Create and Install cert

In this step we will use makecert.exe to create a self-signed test certificate. We will then convert that certificate to .PFX format so that it can be uploaded to Windows Azure.
  1. Open a Visual Studio command prompt
  2. Change your active directory to the location where you wish to place your certificate files.
  3. Enter the following commands:

makecert -r -pe -n "CN=AzureSSL" -sky 1 "azuressl.cer" -sv "azuressl.pvk" -ss My

When prompted for a password, enter "password1". You will need to do this 3 times.

pvk2pfx -pvk "azuressl.pvk" -spc "azuressl.cer" -pfx "azuressl.pfx" -pi password1

The first command creates the certificate and installs it in the certificate store under the current user’s personal certificates. This allows you to select the certificate from the Visual Studio UI.

The second command converts the certificate into a format the Windows Azure Management Portal will accept.

NOTE: At the time of writing this How To, the management portal is not accepting PFX files generated in this manner. To work around this problem, use the Certificates MMC snap-in to install the .PFX file created here into the Local Machine personal store, and then export the certificate to a new .PFX file. Use this file to upload to Windows Azure instead.

Step 2 - Create VS project

In this step we will create a bare-bones test project containing the web role we will enable SSL for. After creating the project we enable the SSL endpoint and attach the certificate to that endpoint.
  1. File, New Project
  2. Select "Cloud" from "Installed Templates" list on left
  3. Type "AzureSSL" for name, and hit OK
  4. Select Web Role from the left, and ">" to add to solution
  5. Click OK
  6. Right-click \Solution\AzureSSL\Roles\WebRole1, and select "Properties"
  7. Select "Certificates" tab on left
  8. Click "Add Certificate" button on top bar
  9. Change "Store Location" drop-down to "CurrentUser"
  10. Click "..." button under Thumbprint
  11. Select AzureSSL cert from list and click OK
  12. Select "Endpoints" tab on left
  13. Enable the "HTTPS:" checkbox
  14. Select "Certificate1" from the SSL certificate name drop-down

Step 3 - Upload the certificate to Windows Azure Management portal

In this step we will upload the test certificate to Windows Azure. This step must be done before publishing our test project or an error will occur on deployment of the Visual Studio project because it will attempt to reference a certificate that does not exist.
  1. Open http://windows.azure.com
  2. Select the Service you will deploy to, or create one if necessary
  3. At the bottom of the management page, find the Certificates area, and click the "Manage" link on the right
  4. Hit the "browse" button and select the PFX file created in step 1
  5. Enter "password1" and confirm it in the password textboxes
  6. Click "Upload"

Step 4 - Publish the project to Windows Azure

In this step we will deploy our project and enable it for testing.
  1. In your Visual Studio project from step 2, right click \Solution\AzureSSL and select "Publish"
  2. In the Windows Explorer window that pops up, copy the path to the directory displayed into the clipboard
  3. Switch to your browser with the Windows Azure Management portal open
  4. If you are still in the manage certificates screen, return to the service management screen
  5. Click the "Deploy" button
  6. Under "Application Package" area, select the "Browse" button
  7. In the file open dialog that pops up, paste the path from your clipboard to navigate to your VS package
  8. Select the AzureSSL.cspkg, and click "Open"
  9. Under the "Configuration Settings" area, select the "Browse" button
  10. Select the ServiceConfiguration.cscfg file, and click "Open"
  11. At the bottom of the Deploy screen, enter AzureSSL in the textbox
  12. Click "Deploy"
  13. When the deployment completes, click the "Run" button

Step 5 - Test the SSL

In this step we access our test project and validate that the page can be delivered using SSL.
  1. Once the Web Role has completed initializing, click on the "Web Site URL" link
  2. Change the URL scheme to HTTPS (in other words change http to https), and open the page

Browser behavior will vary here, but most likely you will receive a warning about the certificate being for a different site, or not being from a trusted source. If you permit access to the site, the page will render empty and your browser should indicate that the page was delivered over SSL with a lock icon or something similar.
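The browser warning only says the certificate is untrusted; it does not say whether it is the certificate you created. The following PowerShell script is an added example, not part of the original How To: it compares the thumbprint of the certificate the HTTPS endpoint serves with the azuressl.cer file from Step 1. The host name is a placeholder, and the parameter and function names are illustrative.

```powershell
# Added example. Placeholder host name; azuressl.cer is the file from Step 1.
param(
    [string]$HostName = 'yourservice.cloudapp.net',   # placeholder: host from the "Web Site URL" link
    [int]$Port = 443,
    [string]$CerPath = '.\azuressl.cer'
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Chain validation is expected to fail for a self-signed certificate, so the
        # callback accepts whatever is presented. The thumbprint comparison below
        # is what decides whether it is the right certificate.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($origin, $certificate, $chain, $errors)
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it stays usable after the stream is disposed.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# Load the public certificate written by makecert in Step 1.
$cerFile = (Resolve-Path $CerPath).Path
$local   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerFile)
$served  = Get-ServedCertificate -HostName $HostName -Port $Port

"Local : {0}  {1}" -f $local.Thumbprint, $local.Subject
"Served: {0}  {1}  (expires {2:u}, {3})" -f $served.Thumbprint, $served.Subject,
    $served.NotAfter, $served.SignatureAlgorithm.FriendlyName

if ($served.Thumbprint -eq $local.Thumbprint) {
    "MATCH: the endpoint presents the certificate created in Step 1."
} else {
    Write-Warning "MISMATCH: the endpoint presents a different certificate than $CerPath."
    exit 1
}
```

Save it as a .ps1 file and run it from the directory that holds azuressl.cer, passing -HostName with the host from the "Web Site URL" link.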


Last edited Jun 14, 2010 at 7:40 PM by paulenfield, version 3

Comments

bgever Jul 10, 2013 at 3:23 PM 
Good article. Probably worth mentioning that the files created with the commands will persist on disk, and that especially the private key file (.pvk) should be stored in a secure place.

dgartner Mar 1, 2013 at 8:12 PM 
Nice tutorial, still valid as of 3/1/13. Don't forget to specify public port 443 in your input endpoint if configuring HTTPS.