Setting up SSL for Azure WebApp - security

I'm trying to set up SSL for my Azure WebApp via Network Solution's SSL Service. The doubt I'm facing is, Azure asks for an SSL certificate in (.pfx) format (pic given below) and I do not have any sort of certificate with me right now.
However, Network Solution console allows me to attach SSL to my existing Domain. Pic given below:
My question is, do I go ahead with the Network Solutions based SSL Attachment solution or upload the *.pfx file Azure is asking for in the Management Console? I'm very confused. Thank you for taking the time!

Follow Brij's link to generate a valid pfx file, then
For a WebApp, go to the Azure Portal, browse to your WebApp >> Settings >> Custom domains and SSL >> Upload Certificate and complete the process to use your certificate. Set the domain to use the certificate you uploaded.

SSL certificate in my Azure Web Role is "not trusted"

I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".
The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:
https://www.digicert.com/help
I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.
How do I include the intermediate certificates in my Azure web role?
Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).
Overview of the answer
You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.
Step 1: Convert the p7b file to a pfx for upload to Azure
This step is derived from this article.
Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
Complete the CSR request using the crt file. See this SO answer for details.
Open the Windows Certificate Manager (certlm.msc)
Import the p7b file into the Local computer/Intermediate Certification Authorities/Certificates node.
Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.
Step 2: Upload the certificates to the Azure Web Role
Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.
Step 3: Add the certificates to your Web Role project
This step is loosely derived from this article.
In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties
In the Properties window, select Certificates
Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.
If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:
Open the Windows Certificate Manager (certlm.msc)
Import the pfx file containing your intermediate certificates into the Personal/Certificates node
Meanwhile, back in Visual Studio, for each intermediate certificate:
Click "Add certificate", then
Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
Set the Store Name to CA.
Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above) you can get it by clicking the ellipses in the Thumbprint box and selecting the certificate.
Step 4: Publish and test
Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.
Publish your new project to Azure. You can test your website's SSL using either of these online tools:
https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help

SSL for redirected domain to Azure app service

Hello, I have created one app for an Azure App Service test.
Let us say myapp.azurewebsites.net
I thought this is too big to recall, so I own my domain. Say www.xyzdomain.com
I purchased one SSL from the Azure portal and bound it with www.xyzdomain.com
So https://www.xyzdomain.com is working.
Now my client wants to use this app with some custom domain.
I did a redirection to www.xyzdomain.com
Now his domain is
Let us say www.hiscustomdomain.com
So how should I proceed with this, as they need SSL to secure it like https://www.hiscustomdomain.com
He is asking me to raise a CSR. I am using App Service from the Azure portal. There is no VM.
Sorry for typo.
Thanks
Regards
Kunal
You don't need access to the server to be able to generate a CSR. You can use any computer including your own workstation. See the link below for detailed instructions to create and complete a Certificate Signing Request.
https://www.digicert.com/csr-creation-ssl-installation-iis-10.htm
Once you complete the request, export the certificate from the computer you used to generate the CSR in .pfx format, then upload and bind it to your Azure Web App.
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-web-tutorial-custom-ssl
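Generating the CSR on a workstation, as the answer recommends, using the built-in certreq tool. This is an added example, not part of the answer above and not DigiCert's or Microsoft's instructions: it writes the INF that certreq reads, creates the key pair and CSR, and then dumps the CSR so you can confirm the CN and SAN before pasting it into the CA's order form. The domain www.hiscustomdomain.com comes from the question; the organisation details are placeholders.

```powershell
# Added example (not from the answer above): create a CSR for the client's domain
# on an ordinary workstation, with no access to the App Service. Run elevated,
# because MachineKeySet stores the key under the local machine.
# Assumptions: organisation details are placeholders; replace them with the
# values your CA expects.

$domain  = 'www.hiscustomdomain.com'
$workDir = Join-Path $env:TEMP 'csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir "$domain.inf"
$csrPath = Join-Path $workDir "$domain.csr"

# certreq reads its parameters from an INF file. Exportable = TRUE matters: without
# it the private key cannot leave this machine and the .pfx Azure needs cannot be built.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
; placeholder organisation details
Subject = "CN=$domain, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
; digitalSignature + keyEncipherment
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name; browsers ignore the CN and match on this
2.5.29.17 = "{text}"
_continue_ = "dns=$domain&"
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the key pair (kept as a pending request under LocalMachine) and the CSR.
certreq -new $infPath $csrPath

# Check: confirm the CSR carries the expected CN and SAN before submitting it.
certutil -dump $csrPath | Select-String -Pattern 'CN=', 'DNS Name'
```

Send the contents of the .csr file to the CA. When the issued certificate comes back, run certreq -accept on the same machine so it is paired with the pending private key, and only then export it with Export-PfxCertificate for upload to the Web App.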

Wildcard SSL Certificates Across Multiple Websites on Windows Azure

I have a question about Azure-hosted websites and wildcard certificates.
I’m able to install my wildcard certificate to a website and then add multiple SSL bindings without issue.
But when I try to add that same certificate to another website, I get an error message about the certificate thumbprint.
Is there a centralized location where I can add the SSL certificate so that I can use the wildcard cert for multiple, individual websites?
I would like to report that this appears to just be a propagation issue on the side of Azure, and the issue has resolved itself.
Some more information in case others would run into this issue-
After I added the certificate using the new Azure interface (portal.azure.com) to a Website, the SSL certificate did not appear in the "Certificates" list, though it did successfully accept the SSL bindings that were added. Navigating to a different Website, I attempted to add the certificate again, which failed.
After 10 minutes, I now see that the "Certificates" list is populated on all Websites on the account. When you upload a certificate to one Website, it does become global for the account and is accessible on other parts of the Azure portal.
I am attributing this solely to a propagation delay... otherwise, all appears to work normally.
Hope this helps someone.

Can Azure generate a certificate at the cloud side?

During development, we didn't get the domain binding for our application, so we just use the Azure URL, something like this: xxx.cloudapp.net.
Because we would like our website to use the HTTPS protocol, we need to use a certificate. Following the MSDN, we generated the self-signed pfx file using IIS Manager. Before we publish our application to the cloud, we upload the pfx file to the cloud through the portal page.
So my question is, is the above the only way for this situation? What I mean is, do I need to upload the certificate to the cloud manually first, then publish the application? Is there a way I don't need to do this, something where I do not even rely on IIS Manager, and the cloud can generate a certificate?
The simple answer to your question is No, Azure can't create a certificate for you. But you could do the same.
To elaborate further, let me explain to you what's happening behind the scenes. So you have uploaded the PFX certificate in the portal and in your application configuration screen you have specified the thumbprint of that certificate. When the Azure Fabric Controller spins up the VM, it checks for this certificate thumbprint and based on that it fetches the certificate you uploaded previously and installs that certificate. Furthermore it makes changes to the IIS settings and does the SSL magic. Now if you want (not sure why) you could do the same. If we take just the development environment, what you could do is write a startup task which would first create a certificate using the makecert utility. Then you would write some IIS scripts which will do the SSL magic for IIS.
Yet another thing you could do is automate the deployment of your code using Azure PowerShell Cmdlets. As a part of deployment automation, the first thing you would do is upload the SSL certificate using Add-AzureCertificate and then create a deployment of your service using New-AzureDeployment.
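The deployment automation the answer describes, written out with the classic Azure PowerShell cmdlets. This is an added example, not part of the answer above and not Microsoft's own sample: it creates the self-signed certificate with New-SelfSignedCertificate instead of the makecert utility the answer mentions (a substitution; makecert is a separate SDK tool), rewrites the cscfg so the thumbprint it references is the one being uploaded, uploads the certificate first, and only then creates the deployment. The service name myservice, the package and configuration paths, and the cscfg certificate entry named SslCert are assumptions.

```powershell
# Added example (not from the answer above): upload the SSL certificate with
# Add-AzureCertificate before New-AzureDeployment, so the Fabric Controller finds
# the thumbprint named in the cscfg when it provisions the role VM.
# Assumptions: classic (ASM) Azure PowerShell module already authenticated,
# service name "myservice", paths under C:\deploy, cscfg certificate entry "SslCert".

$serviceName = 'myservice'                                    # assumed cloud service name
$dnsName     = "$serviceName.cloudapp.net"
$pkgPath     = 'C:\deploy\MyService.cspkg'                    # assumed
$cscfgPath   = 'C:\deploy\ServiceConfiguration.Cloud.cscfg'   # assumed
$pfxPath     = "C:\deploy\$serviceName.pfx"
$plainPass   = Read-Host -Prompt 'PFX password'               # Add-AzureCertificate wants a plain string
$securePass  = ConvertTo-SecureString $plainPass -AsPlainText -Force

# 1. Generate the certificate locally; this replaces makecert / the IIS Manager wizard.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $securePass | Out-Null

# 2. Point the configuration at the thumbprint that will actually be uploaded.
#    A mismatch here is exactly what stops the Fabric Controller installing the cert.
[xml]$cscfg = Get-Content $cscfgPath
$entry = $cscfg.ServiceConfiguration.Role.Certificates.Certificate |
         Where-Object { $_.name -eq 'SslCert' }
if (-not $entry) { throw 'Certificate entry "SslCert" not found in the cscfg' }
$entry.thumbprint = $cert.Thumbprint
$cscfg.Save($cscfgPath)

# 3. Upload the certificate BEFORE creating the deployment, then deploy.
Add-AzureCertificate -ServiceName $serviceName -CertToDeploy $pfxPath -Password $plainPass
New-AzureDeployment -ServiceName $serviceName -Slot Production `
    -Package $pkgPath -Configuration $cscfgPath -Label "ssl-$(Get-Date -Format yyyyMMdd)"

# Check: the service now holds a certificate with the thumbprint the role expects.
Get-AzureCertificate -ServiceName $serviceName -Thumbprint $cert.Thumbprint
```

The ordering is the whole point: if New-AzureDeployment runs first, the role configuration references a thumbprint the service does not yet hold and provisioning fails. A self-signed certificate like this one is only suitable for the development scenario the question describes; browsers will still warn on it.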

ID1024 The configuration property value is not valid error in Azure WebSite

I am trying to consume the certificate uploaded in an Azure Website (not a web role) in my web app using the following config:
<microsoft.identityModel>
  <!-- Service Configuration -->
  <service>
    <serviceCertificate>
      <certificateReference findValue="2696C50B72CB368AEB11DE3B23CD226252A1BFD" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
    </serviceCertificate>
    <certificateValidation certificateValidationMode="None"/>
  </service>
</microsoft.identityModel>
The code works fine on my local system, but I am receiving these errors when deployed to the Azure Website:
ID1024 The configuration property value is not valid
ID1025 Cannot find a unique certificate that matches the criteria
I then tried to browse all the certificates in my Azure Website (using code), but the certificate list does not contain my uploaded certificate.
The certificate is uploaded and can be seen in the Azure portal.
A custom domain is mapped and the uploaded certificate is used for the domain.
But somehow my web app is unable to find the certificate. I tried all possible combinations of StoreName and StoreLocation but in vain.
I think there may be some confusion on what the certificates you upload via the Configure tab for Websites are used for. Currently the certificates loaded there are ONLY used for SSL.
When looking at the little help icon next to the certificates section on the configure tab the tooltip states the following:
"This section lets you manage SSL certificates that you can bind to your custom domain names. Binding an SSL certificate to your custom domain name will allow your end users to access your site over HTTPS."
Windows Azure Web Sites exist at a process level, meaning that they can be started up on one machine but move around as the processes go up and down. If you aren't familiar with this I'd suggest reading up on how the hosting model works for Web Sites. Here is an article that covers it: Windows Azure Web Sites - A New Hosting Model for Windows Azure (full disclosure: I wrote the article).
Loading the certificate here I do not believe adds the certificate to any of the stores on the machines your web site runs on. Windows Azure would need to ensure that the cert is always on the machine the site is deployed to and since this is only at a process level and can change frequently (unless you are using standard) it doesn't make sense. The SSL certs are handled differently and as far as I know aren't really deployed to each machine.
As far as I know in order for you to load a certificate and use it you'll either need to look at a web role where loaded certs from the portal ARE placed into the store on the VM or look to see if you can load the certificate manually in code and ship the cert as content on your site (which seems a little less secure to me). I could just be overlooking an option though.