I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".
The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:
https://www.digicert.com/help
I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.
How do I include the intermediate certificates in my Azure web role?
Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).
Overview of the answer
You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.
Step 1: Convert the p7b file to a pfx for upload to Azure
This step is derived from this article.
Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
Complete the CSR request using the crt file. See this SO answer for details.
Open the Windows Certificate Manager (certlm.msc)
Import the p7b file into the Local computer/Intermediate Certifcation Authorities/Certificates node.
Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.
Step 2: Upload the certificates to the Azure Web Role
Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.
Step 3: Add the certificates to your Web Role project
This step is loosely derived from this article.
In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties
In the Properties window, select Certificates
Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.
If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:
Open the Windows Certificate Manager (certlm.msc)
Import the pfx file containing your intermediate certificates into the Personal/Certificates node
Meanwhile, back in Visual Studio, for each intermediate certificate:
Click "Add certificate", then
Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
Set the Store Name to CA.
Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above) you can get it by clicking the ellipses in the Thumbprint box and selecting the certificate.
Step 4: Publish and test
Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.
Publish your new project to Azure. You can test your website's SSL using either of these online tools:
https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help
Related
I'm in the process of moving our site to Azure Web App (S1). I might be over thinking this but need to create a temp domain for my team to QA the temp Azure site before I move the prod site to Azure.
I've done the following so far:
1. Create Azure Web App account and deployed site mysite.azurewebsites.net - done
2. Create subdomain stage.mycompany.com - done
3. Create cname #2 and point to #1 - done
Since stage.mycompany.com is temporary (until we move the actual site over), I don't want to purchase an SSL for this.
I thought I could just create an SSL using openssl and install that cert on Azure. I tried that but get "Not secure" in chrome for the cname.
Will this idea work (free SSL for cname azure web app) but I just didn't install the ssl correctly?
I thought I could just create an SSL using openssl and install that
cert on Azure. I tried that but get "Not secure" in chrome for the
cname.
Probably, you have not imported the certificate in your Trusted Root Certification Authorities directory on your machine. You can check configurations on your side as following steps.
If you create a certificate using OpenSSL, you should export the certificate with the private key then upload the certificate .pfx file to the Azure portal. Export certificate to PFX.
Or, you can generate a self-sign certificate with PowerShell.
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "stage.mycompany.com" -FriendlyName "MySiteCert" -NotAfter (Get-Date).AddYears(1)
Export the certificate. Then run MMC, Follow the path to locate the newly generated certificate in your machine. File--- Add\Remove Snap-In---Certificates----add---computer account. Copy the certificate from Personal directory to Trusted Root Certification Authorities directory. Also, you need to export the certificate (.pfx file) with private Key.
On the Azure side, you need to upload and bind the newly generate the self-sign certificate to your websites.
Map your subdomain stage.mycompany.com to your websites. You can select Custom domains in your web app page. Add hostname stage.mycompany.com, refer to this.
Bind your SSL certificate. Click SSL settings in the left navigation of your web app. Upload your newly .pfx certificate, and bind your SSL certificate with SNI-based SSL type.
After that, you can access the website with https://stage.mycompany.com. I test it in my lab with IE and Chrome explore as below:
I am trying to create a new Let's Encrypt SAN certificate using the Certes Library and hosting on a Azure WebRole. Everything has worked previously (many times) but now I am getting a cert error on Android and ssllabs.com shows a certificate chain incomplete error.
The certificate is created without error and I have explicitly set FullChain = true on the PfxBuilder but I am unsure how to check if the full chain is recorded in the certificate correctly without uploading the certificate together with a new deployment (I am not a cert expert).
On the Azure Web role both the created certificate and the required Let's Encrypt Cert (Let's Encrypt Authority X3) are listed in the webrole certificates. I only uploaded the created certificate Azure adds the Let's Encrypt Authority X3 cert itself.
I am unsure whether it is a problem with the certificate not recording the full chain or some configuration setting on the WebRole. When I go to Certificates in the Azure Management console I see the Let's Encrypt Cert but when I rdp into the role and look in the IIS Manager I cannot see the Let's Encrypt Cert under Server Certificates. I also cannot find it when I open the Certificates Management Console (certlm).
I am starting to think it is a problem with the WebRole but I am at a loss on what to check next.
You need to add additional <Certificate> element in your ServiceDefinition and ServiceConfiguration to specify the intermediate certs. See https://blogs.msdn.microsoft.com/azuredevsupport/2010/02/24/how-to-install-a-chained-ssl-certificate/
Edit due to broken link
View your certificate. For each of the intermediate certificate between the root cert and your certificate, export the certificate file.
Upload these certificate to Azure
Add the <Certificate> element. You can get the thumbprint from the Azure portal.
How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.
I have a certificate generated by Salesforce with crt extension
I exported it to a .cer file on windows (open it -> Details -> copy to path )
I've installed cer file on IIS Manager
I had an error
Cannot find the certificate request associated with this certificate file
I followed the corresponding KB
Now I know my certificate is installed and I have a Friendly name for it, but it still not appearing in IIS.
How can I make a certificate installed on Windows appear in IIS certificates ?
Edit
More about how I got the certificate. There are two companies, one that work with Salesforce and mine.
We are trying to consume a WCF Service from Salesforce Apec Callout.
We choose Transport security with certificate authentication.
For that purpose salesforce team provide a certificate they created, I don't know how. I didn't provide any private key. I guess it's a certificate without official CA.
I'm trying to install it on server were my WCF service is hosted by IIS.
i am having issue in configuring SSL on cloud app. i do the following steps in sequence
generate create certificate request from VM hosted on azure enviroment
a text file with CSR hash is created.
i send the hash to certificate issuing authority and i upload the new release in
the mean while on cloud
certificate issing authority send me 4 files with crt extension.
i import the .crt file in certificate manager console (certmgr.msc)
export the file in cer format.
update web role properties in VS 2012. add certificate and update endpoints.
upload cer file on cloud
publish the package and update the package on cloud.
update is not completed becasue of
certificate with thumbprint associated with HTTPS input endpoint https does not contain private key
can any one help me out how i configure SSL on cloud app.
regards,
Zeeshan
As Gaurav mentioned, in step 6, you want to export the certificate and include private key. This will generate a .PFX file and ask you to provide a password.
Furthermore, when you have the .PFX file - you will want to take care as to where you upload it to. Make sure that you upload it to Certificates area under the Web Role - the portal should ask you for a password to the .PFX file.
Management Certificates area that expects .CER files is not the right place to upload SSL certificates to. I am guessing it is likely where uploaded the .CER file from step 6
I followed the following step process when I was setting up SSL in Azure using GoDaddy as CA:
Create a Certificate Signing Request (CSR) on the web server (local IIS, not Azure)
Send CSR to CA (Certificate Authority – GoDaddy) and specify alternative domain names (if you've paid for that possibility)
Download certificate from CA
Import certificate to web server (local IIS, not Azure)
Import the intermediate certificates from CA into local computer (where you have IIS)
Export the certificate as PFX file from IIS and give it a password
Import PFX file into Azure together with password
Bind configured domain names to the certificate in Azure
There are a few different ways to create the CSR file. I used IIS Manager on my local developer computer.
You can read an extended version of the list here where all the steps are more thoroughly explained.
Have you checked the requirements for uploading and using certificate on windows azure?
The requirements is:
You need to include a certificate that must have a minumium of 2048 bit in keysize.
The certificate must be exported with Personal Information Exchange.
When creating the cerificate your subject name must match the domain name of you cloud service.
You have to include a private key.