IIS Third Party Certificate Insallation - iis

I have a certificate generated by Salesforce with crt extension
I exported it to a .cer file on windows (open it -> Details -> copy to path )
I've installed cer file on IIS Manager
I had an error
Cannot find the certificate request associated with this certificate file
I followed the corresponding KB
Now I know my certificate is installed and I have a Friendly name for it, but it still not appearing in IIS.
How can I make a certificate installed on Windows appear in IIS certificates ?
Edit
More about how I got the certificate. There are two companies, one that work with Salesforce and mine.
We are trying to consume a WCF Service from Salesforce Apec Callout.
We choose Transport security with certificate authentication.
For that purpose salesforce team provide a certificate they created, I don't know how. I didn't provide any private key. I guess it's a certificate without official CA.
I'm trying to install it on server were my WCF service is hosted by IIS.

Related

SSL certificate in my Azure Web Role is "not trusted"

I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".
The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:
https://www.digicert.com/help
I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.
How do I include the intermediate certificates in my Azure web role?
Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).
Overview of the answer
You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.
Step 1: Convert the p7b file to a pfx for upload to Azure
This step is derived from this article.
Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
Complete the CSR request using the crt file. See this SO answer for details.
Open the Windows Certificate Manager (certlm.msc)
Import the p7b file into the Local computer/Intermediate Certifcation Authorities/Certificates node.
Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.
Step 2: Upload the certificates to the Azure Web Role
Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.
Step 3: Add the certificates to your Web Role project
This step is loosely derived from this article.
In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties
In the Properties window, select Certificates
Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.
If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:
Open the Windows Certificate Manager (certlm.msc)
Import the pfx file containing your intermediate certificates into the Personal/Certificates node
Meanwhile, back in Visual Studio, for each intermediate certificate:
Click "Add certificate", then
Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
Set the Store Name to CA.
Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above) you can get it by clicking the ellipses in the Thumbprint box and selecting the certificate.
Step 4: Publish and test
Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.
Publish your new project to Azure. You can test your website's SSL using either of these online tools:
https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
 
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.

Is it possible to use client certificates in Windows Azure Websites

I am developing a windows service application that will run on customer PC/servers and access a Web API endpoint hosted in an Azure Website. It needs to authenticate the user, and I would prefer not storing credentials on the customer's machine. So, I've landed on client certificates to authenticate the users. I have this working against a local, non-Azure Website IIS instance with self-signed certificates. However, I'm unable to get it working in an Azure Website.
As far as I can tell, there are two issues that I'm not finding much documentation on:
How do I install my own CA certificate in the Trusted Root of the Website instance(s)? Or will this only work with CA certificates that are already trusted?
How do I enable "Accept Client Certificates" for this application? In IIS you do this under "SSL Settings". Documentation indicates that modifying the system.webServer/security/access node of app.config will accomplish this, but obviously you can't do that in Websites. Documentation for websites suggests this node is unlocked for use in web.config, however adding that node results in an error "The page cannot be displayed because an internal server error has occurred.", even if custom errors is off.
For Azure web sites vs web roles client authentication options are rather limited. Websites don't let you run programs with elevated permissions, which is required for making IIS changes and storing certificates into the trusted root.
There's a way to configure you website to always (you don't get the benefit of making it optional as with IIS 'Accept' configuration) request client certificate. This feature is currently only available through Azure management REST API, you can't access it through the portal UI. You can find more information here.
Essentially you turn on clientCertEnabled website setting to true. The mechanics of this option are different from traditional client authentication where server needs to have a CA certificate with which the client cert is signed in its trusted root. The server doesn't run any validation on the client certificate, the application needs to run the cert check itself, which comes in a request header "X-ARR-ClientCert". GetClientCertificate() extension method on HttpRequestMessage will parse it automatically.
Alternatively, you can host your Web API as a web role. That gives access to running startup tasks with elevated permissions that allows access to trusted root and making IIS configurations, more details/examples here. You can either copy the CA certificate to the app folder or upload to the user store via Azure portal so that it is available for copying over to the trusted root in a startup task. IIS changes can be made via “Microsoft.Web.Administration” library available as NuGet package through ServerManager class.
For question 2, here's a blog post on how to install client certificates on Azure Websites: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/
For question 1, you can't install your own CA certs as trusted root certificates, but if you have certs from a CA that's already trusted then you can use them without any issues.

Installing SSL for third party web service communication from Azure

Apologies for what is probably a question about a simple task but I'm brand new to Azure and a little worried I get this wrong. Actually, I have a new client and don't even have the access yet to their Azure yet have a proper look. The question is:
My new client has an existing MVC application running on IIS within Azure. This application must communicate with a third party SOAP (.asmx) web service that requires parts of the SOAP message to be signed using an SSL digital certificate.
So, I need to install the certificate on Azure. My problem is that the articles I have found deal with securing the website using the certificate and Https - which I don't want.
Can someone please point me to a good article (or show here if simple enough) that shows how to install it for the purpose of communicating with this third party service?
Any help is really appreciated here so that I can hit the ground running.
The approach for installing any certificate is the same. So you would use the same approach as you would for installing SSL certificate. So the steps would be:
Upload the certificate first in the cloud services certificate section. Note down the certificate thumbprint.
In Visual Studio, open up your role's properties and go to "Certificates" tab and specify that certificate thumbprint along with the certificate store location where you want this certificate to be installed.

Configure SSL on Windows Azure

i am having issue in configuring SSL on cloud app. i do the following steps in sequence
generate create certificate request from VM hosted on azure enviroment
a text file with CSR hash is created.
i send the hash to certificate issuing authority and i upload the new release in
the mean while on cloud
certificate issing authority send me 4 files with crt extension.
i import the .crt file in certificate manager console (certmgr.msc)
export the file in cer format.
update web role properties in VS 2012. add certificate and update endpoints.
upload cer file on cloud
publish the package and update the package on cloud.
update is not completed becasue of
certificate with thumbprint associated with HTTPS input endpoint https does not contain private key
can any one help me out how i configure SSL on cloud app.
regards,
Zeeshan
As Gaurav mentioned, in step 6, you want to export the certificate and include private key. This will generate a .PFX file and ask you to provide a password.
Furthermore, when you have the .PFX file - you will want to take care as to where you upload it to. Make sure that you upload it to Certificates area under the Web Role - the portal should ask you for a password to the .PFX file.
Management Certificates area that expects .CER files is not the right place to upload SSL certificates to. I am guessing it is likely where uploaded the .CER file from step 6
I followed the following step process when I was setting up SSL in Azure using GoDaddy as CA:
Create a Certificate Signing Request (CSR) on the web server (local IIS, not Azure)
Send CSR to CA (Certificate Authority – GoDaddy) and specify alternative domain names (if you've paid for that possibility)
Download certificate from CA
Import certificate to web server (local IIS, not Azure)
Import the intermediate certificates from CA into local computer (where you have IIS)
Export the certificate as PFX file from IIS and give it a password
Import PFX file into Azure together with password
Bind configured domain names to the certificate in Azure
There are a few different ways to create the CSR file. I used IIS Manager on my local developer computer.
You can read an extended version of the list here where all the steps are more thoroughly explained.
Have you checked the requirements for uploading and using certificate on windows azure?
The requirements is:
You need to include a certificate that must have a minumium of 2048 bit in keysize.
The certificate must be exported with Personal Information Exchange.
When creating the cerificate your subject name must match the domain name of you cloud service.
You have to include a private key.

Resources