I recently got an email from Microsoft regarding the TLS certificate changes. I had some difficulty understanding a few of the action steps in it. Can anyone please explain the points below in detail?
Would be a massive help!
The TLS change would apply to anyone who is trying to communicate with Azure services from their application. This is for applications, services, etc. which call any Azure endpoint for execution. While calling the Azure endpoint, the clients are required to present the certificate and trust the ones provided by Azure during the secure communication (a step called the SSL handshake) between both parties. In this case, the application needs to trust the certificate authorities which granted the Azure services/endpoints their certificates, so that certificate-based errors do not occur during secure communication between the application and the Azure endpoints. Your application may be impacted if it explicitly specifies a list of acceptable CAs. This practice is known as certificate pinning.
There are some ways to detect whether your application is impacted. You can follow the articles below to find out more:
https://learn.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes#will-this-change-affect-me
https://azure.microsoft.com/en-us/updates/site-recovery-tls-certificate-update/
If you have any specific questions, you can post them in the thread below, which is continuously monitored for Azure TLS certificate questions:
https://learn.microsoft.com/en-us/answers/questions/117444/reminder-azure-tls-certificate-changes.html
I have a [major corporate] client who are about to change the SSL certificates that they use with their API services.
I have an application with APIs that consume those of our client (server to server, not browser to server).
Our client has issued a Linked CA certificate to 3rd parties (such as my company). We have been instructed to install the supplied certificate onto our servers.
I have been tasked to prove that our own service will continue to work after their change. I believe that I may need to be able to demonstrate the chain of trust.
The supplied Linked CA is "DigiCert Global CA G2".
Our own APIs are hosted on an Azure API/WebApp.
I do not believe that we should even be considering installing Linked CAs on Azure App Services. I suspect that MS manage this entirely as part of the platform.
I have raised this question as a helpdesk ticket with Azure support, but after a few false starts explaining the issue, the advice we have now received is a reference to this article https://azure.microsoft.com/en-us/blog/enabling-client-certificate-authentication-for-an-azure-web-app/. With genuine respect to the MS helpdesk, I don't believe that this addresses my issue.
To clarify, I am explicitly not talking about installing an SSL certificate on our own systems.
Our client has not yet started using their replacement SSL certs ... so I'm unclear how I might go about positively proving that the replacement SSL certs will work, without having visibility of them in advance.
To distill my question into two parts:
"is what I've been tasked to do even possible without visibility of the subject SSL?".
"should I be contemplating installing a Linked CA onto an Azure App service? (and if so, how)".
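The two posts above both come down to proving a chain of trust before the other side rotates its certificates. The following script is an added example (not code from any post on this page) that builds a throwaway PKI with openssl and shows what a client that trusts only the old root sees when a leaf issued under a new root and a new "Linked CA" arrives, and what changes once the new root and the supplied intermediate are available. All certificate names and the hostname `api.partner.example` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from any post above): build a throwaway PKI with openssl and
# prove which trust anchor a leaf certificate chains to, before a partner's CA rotation.
# Every name and hostname below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# minimal req config so the CSR step does not depend on a system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# issue NAME SIGNER EXT: key + CSR for NAME, signed by SIGNER (or self-signed when SIGNER is "self")
issue() {
  name=$1; signer=$2
  printf '%s\n' "$3" > "$name.ext"
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
      -out "$name.csr" -subj "/CN=$name" 2>/dev/null
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
        -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$signer.pem" -CAkey "$signer.key" \
        -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
subjectAltName=DNS:api.partner.example'

issue old-root self "$CA_EXT"            # root already in our trust store
issue new-root self "$CA_EXT"            # root the partner is moving to
issue old-linked-ca old-root "$CA_EXT"   # current intermediate ("Linked CA")
issue new-linked-ca new-root "$CA_EXT"   # intermediate the partner supplied for the change
issue old-leaf old-linked-ca "$LEAF_EXT"
issue new-leaf new-linked-ca "$LEAF_EXT" # the server certificate we have not seen yet
# verify_chain TRUST LEAF [INTERMEDIATE...]: succeeds only if LEAF chains to a
# root in TRUST via the given intermediates and matches the expected hostname
verify_chain() {
  trust=$1; leaf=$2; shift 2; extra=""
  for f in "$@"; do extra="$extra -untrusted $f"; done
  openssl verify -CAfile "$trust" $extra -verify_hostname api.partner.example "$leaf" >/dev/null 2>&1
}

cat old-root.pem new-root.pem > trust-bundle.pem   # trust store after adding the new root
verify_chain old-root.pem old-leaf.pem old-linked-ca.pem && echo "old leaf, old root: trusted"
verify_chain old-root.pem new-leaf.pem new-linked-ca.pem || echo "new leaf, old root only: REJECTED (pinned trust)"
verify_chain trust-bundle.pem new-leaf.pem || echo "new leaf, no intermediate: REJECTED (incomplete chain)"
verify_chain trust-bundle.pem new-leaf.pem new-linked-ca.pem && echo "new leaf, new root + Linked CA: trusted"
```

Substituting the partner's real root and Linked CA files for the constructed ones in the last two calls gives the same evidence for the real rotation, without needing the new leaf certificate in advance: only the issuing chain has to be known.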
I am playing around with Azure API Management as a SOAP passthrough. I was hoping to get some analytics in place to preview the service.
My trouble is that my client endpoint has SSL validation in place. I can't figure out how to load the .cer file in Azure to satisfy this requirement. At the very least I was hoping to find an option to turn off SSL validation (like I can with curl or even postman).
Has anyone found a way to accomplish this?
API Management provides the capability to secure access to the back-end service of an API using client certificates. The guide below shows how to manage certificates in the API publisher portal, and how to configure an API to use a certificate to access its back-end service.
How to secure back-end services using client certificate authentication in Azure API Management
If you are calling the API Management service with https then the certificate that is presented will match the host name that you are calling with. I'm assuming you were able to change the client to point to your service at https://{servicename}.azure-api.net ?
Or did you change your local hostname file to make that happen? If that's the case, then that is why you are getting an SSL error. Without being able to re-compile your client you cannot disable the SSL validation.
You could configure the custom domain in API Management and if you have access to the certificate, you could attach it to the custom domain. However, you would actually have to change the public DNS for the domain to make that work. I don't think you can enable a custom domain in API Management, provide the certificate and only use your local hostname file to do the mapping. But I will check.
The steps under 'Scenario 7: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel' in Troubleshooting 4xx and 5xx Errors with Azure APIM services is what worked for me. I'm using this approach to bypass validating the SSL cert until I switch from using a self-signed cert to a CA signed one.
Apologies for what is probably a question about a simple task, but I'm brand new to Azure and a little worried I will get this wrong. Actually, I have a new client and don't even have access to their Azure yet to have a proper look. The question is:
My new client has an existing MVC application running on IIS within Azure. This application must communicate with a third party SOAP (.asmx) web service that requires parts of the SOAP message to be signed using an SSL digital certificate.
So, I need to install the certificate on Azure. My problem is that the articles I have found deal with securing the website using the certificate and Https - which I don't want.
Can someone please point me to a good article (or show here if simple enough) that shows how to install it for the purpose of communicating with this third party service?
Any help is really appreciated here so that I can hit the ground running.
The approach for installing any certificate is the same. So you would use the same approach as you would for installing an SSL certificate. The steps would be:
Upload the certificate first in the cloud services certificate section. Note down the certificate thumbprint.
In Visual Studio, open up your role's properties and go to "Certificates" tab and specify that certificate thumbprint along with the certificate store location where you want this certificate to be installed.
This question will be easy for those who work in cloud services or who have some good knowledge about Windows Azure.
I have an SSL certificate and have specified its thumbprint and other details in the configuration file. When my package is deployed to the cloud service, the certificate doesn't get grouped under the trusted certificate group. Instead it gets grouped under the intermediate certificate group in all the instances. Because of this I am getting a certificate issue while accessing a site.
On googling I could find from the Microsoft blog that all certificates from trusted sources will be grouped under trusted certificates in the Azure cloud service virtual machines. But here it is not doing so.
Any ideas on this?
Any comments would be really appreciated.
When deploying certificates to an Azure cloud instance, you may have to include more than just the SSL certificate to secure the domain. You may also have to list any intermediate certificates, as well as the root certificate. Have a look at this article that describes how to configure chained certificates for Azure and let me know if it helps at all.
http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx
This was due to an OS upgrade from Microsoft. It was fixed by them and now this seems to be working perfectly.
For more: visit http://msdn.microsoft.com/en-us/library/windowsazure/ee924680.aspx
I'm working on a large-scale web application with lots of customer data. It's a CMS system, where the content authoring resides on-premise and the delivery website is hosted in Azure.
From time to time we need to deploy new changes and also publish content from the on-premise CMS to Azure.
I understand that we can use either Publish Setting or self-signed Certificate for authentication. But what I don't know is:
Which option (Azure Publish Setting or Self Signed Cert) is more secure to avoid MiTM attack?
Do we need to buy third party CA signed Certificate and if so what type (as it's not for website but for azure X509 authentication)?
Thank you heaps.
Simply use https instead of http when you are publishing data to protect it from tampering and eavesdropping during transmission.
A self signed certificate will suffice. You do not need to buy a trusted CA certificate for this purpose since you control both ends of transmission and can pre-configure that your self-signed certificate is trusted.
You only need a CA certificate when you expect random clients to trust your certificate, like when you expose your own https endpoint.
You may wish to have a look at Azure Virtual Network for alternative approaches.