We are building an enterprise application which is hosted on Azure App Service. The app service calls an internal inventory service to retrieve data. As part of initial call to the inventory service, it requires us to pass the .cer certificate for the calls.
The company issues certificates and acts as a Certificate Authority.
Question : is it possible to trust the internal company as a Certificate Authority in App service, so that, the app services trusts calls from the internal services.
This will be of huge help, because the certificate issues by the internal company CA expire each year and we will need to re-upload a valid certificate each time.
Any help will be much appreciated.
Unfortunately, you cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad.
To use a certificate in App Service, the certificate must meet all the following requirements:
• Signed by a trusted certificate authority
• Exported as a password-protected PFX file
• Contains private key at least 2048 bits long
• Contains all intermediate certificates in the certificate chain
Below Links will help you in configuring certificates in app service if you are not looking to secure a custom domain with an SSL binding.
Add a TLS/SSL certificate in Azure App Service
Use a TLS/SSL certificate in your code in Azure App Service
But you can override the framework code for SSL verification to include your particular cert
ServicePointManager.ServerCertificateValidationCallback
Refer the SO which will help you in overriding the framework
Related
I am somewhat new to websites and I have created a Wordpress website from marketplace on azure app service.
Can someone help me on how to add SSL certificate to it?
I have no way so war but I want to add SSL certificate added to Website.
If you have purchased an App Service certificate which is private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options. Refer to these step by step document: Import an App Service Certificate
If you already have a private certificate from a third-party provider, you can upload by following this document:
Upload a private certificate Also, See Private certificate requirements.
The microsoftgraph/nodejs-sentiment-bot-sample can run on your localhost with a self-signed certificate. What changes are necessary in order to deploy it on Azure regarding this certificate?
The Bot Framework works with bots deployed on any cloud hosting service, as long as you have an internet-accessible endpoint and a valid SSL certificate. If you are deploying to Azure App Service, your projectname.azurewebsites.net is covered by the existing *.azurewebsites.net SSL cert, so you should not need any additional configuration.
On the other hand, if you want to host on another cloud provider, the only requirements is that you have a current and valid SSL certificate registered to your domain name.
What is meant by "current and valid"? -- Most of the checks for "current and valid" are standard checks for server SSL certificates: the Certificate Name must match the hostname, it must not be expired, it must not be listed in a CRL, it must have the correct set of EKUs, etc.
Most importantly, your SSL certificate must chain to a root certificate authority trusted by Microsoft. The latest list of these CAs is available here: http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx
For more information on deploying your bot, see: https://learn.microsoft.com/en-us/bot-framework/deploy-bot-overview
https://www.ssllabs.com/ssltest/analyze.html?d=recruit.equitysim.ai
Situation:
A client needs to access our site over a secure connection but is unable to do so because of a problem with our certificate.
We purchased a wildcard certificate and set it up as per the documentation. If you notice in the provided link, our certificate is trusted.
We are using the Azure App Service to host our website on a paid level that includes custom domain and SSL support.
Problem:
According to the test, it appears that Microsoft's SSL certificate is not trusted - alternative names mismatch (See Certificate #2). We believe this to be the reason why our client is unable to access our site.
Any thoughts on the matter? We know it isn't an SNI problem because we have another site that is hosted on a VM that also requires SNI support and they can visit that site just fine.
How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.
I'm working on large scale web application with lots of customer data. It's a CMS system, where the content authoring resided on-premise and delivery website hosted in azure.
From time to time we need to perform deployment of new changes and also publish of content from on premise cMS to azure.
I understand that we can use either Publish Setting or self-signed Certificate for authentication. But what I don't know is:
Which option (Azure Publish Setting or Self Signed Cert) is more secure to avoid MiTM attack?
Do we need to buy third party CA signed Certificate and if so what type (as it's not for website but for azure X509 authentication)?
Thank you heaps.
Simply use https instead of http when you are publishing data to protect it from tampering and eavesdropping during transmission.
A self signed certificate will suffice. You do not need to buy a trusted CA certificate for this purpose since you control both ends of transmission and can pre-configure that your self-signed certificate is trusted.
You only need a CA certificate when you expect random clients to trust your certificate, like when you expose your own https endpoint.
You may wish to have a look at Azure Vitual Network for alternative approaches.