The certificate could not be deleted from cloud service XXX - azure

I'm trying to remove a certificate (via the Management Portal) that is due to expire on 16/07/2014 days and I'm getting this error:
The certificate I'm trying to delete was automatically generated 'CN=Windows Azure Tools' and was used for Remote Access.
I also tried to configure the cloud services to use new certificates, but still no success.
Looked at Fiddlers log and indeed there in an internal server error:
My questions are:
Is there any way I can delete this certificate?
If I can't delete it, what happens when it expires?
What I really want to avoid is to have to redeploy the production services because of this certificate.

Florin, you cannot delete a certificate in production use, but you have two options for this issue:
The easiest option is to just ignore it. The RDP cert is only used for password encryption and it doesn't matter if the cert is expired or not since Azure does not check the expiration date when doing the encryption/decryption.
You can upload a new certificate and then modify the RDP configuration to use that new certificate. After this you can delete the old certificate. This is essentially the same process you would use for an HTTPS certificate.

Related

Azure Cloud Service unable to find Certificate from local machine

Our APIs are exposed through Azure Cloud Services (Web Role). We use certificate uploaded to Cloud Service for encryption of data stored in backend. During certificate rotation, We uploaded new certificate by updating *.CSCFG file
Our CSCFG
<Certificate name="encryptcertificatethumbprint" thumbprint="NewThumbprint" thumbprintAlgorithm="sha1" />
When we login into Portal > Cloud Service > Certificates Tab. We could see both Old Certificate and New certificate.
Unfortunately some of the records in backend system are not re-encrypted with new rotated certificate. When our App reads data from backend system, it fails to decrypt with message "The secret could not be decrypted. Check that certificate with serial number 'XXXXX-XXX' is installed. The inner cryptographic exception: 'Keyset does not exist" since old certificate is not present in webrole instance.
Instead of doing another deployment with both certificates, we remote into web role instance and installed old certificate under Personal > Certificate
After installing old certificate, Application still unable to find certificate by thumbprint in Local Machine certificate store. We tried restarting webrole, still application unable to pick certificate.
Few Questions, can anyone help (without any deployment to address this issue)
What will be certificate location on webrole instance, where we can upload certificate. Our logic of certificate search based on Serial number in LocalMachine and then also Current User. Though we uploaded certificate in LocalMachine, Still webrole unable to pickup certificate
What will be Current User certificate store i.e. what will be account on which webrole runs
If the certificate gets expired, will certificate be returned ?
I haven't tried to accomplish your specific goal, but this information may help get you closer.
The Azure guest agent installs certificates as the system account in the CurrentUser store, so any interactions you want to do with those certs will need to be as the system account. To do this you can download Sysinternals Suite and run psexec to launch a cmd prompt under System context. Then in that new cmd prompt you can run certutil, mmc.exe, etc:
psexec -i -d -s cmd
certutil -store -user My
You should be aware that whatever you do (ie. installing a new certificate) will be temporary.
See https://learn.microsoft.com/en-us/archive/blogs/kwill/windows-azure-disk-partition-preservation for information about when the Windows partition (D drive) will be rebuilt, meaning you will lose your manually installed certificates.
Unexpected role recycles (ie. WaHostBootstrapper exits or WaIISHost/WaWorkerHost crashes) will cause the guest agent to uninstall and then reinstall all certificates.
Issue got resolved. After giving permission to "Network Service".
Right Click on Certificate > All Task > Manage Private Key > Add Network Service Account to get access to certificate.

Azure SSL certificate not syncing after rekey operation

I have an app service certificate and noticed that some macOS and iOS browsers are not trusting it anymore (as per the advisory Microsoft sent on April). I proceeded to rekey and sync the certificate. Rekey was successful, I can see a new certificate thumbprint, however when I click "Sync" button, I still see "Linked private certificates are out of sync" message, and the linked certs have the old thumbprint. I tried deleting the certificate from the app service and reimporting it from keyvault manually with no luck. I have waited about 10 hours so far, and heard that there was a 48 hour wait time for the automated job to sync the certs. Just wondering why the manual sync is not working and how I can force it.
Syncing of certificates after rekeying is automatic for Azure. However, the manual process takes a minimum of 24hrs before syncing. Furthermore, when you try to delete a certificate, you receive the following error message:
"Unable to delete the certificate because it is currently being used in a TLS/SSL binding. The TLS binding must be removed before you can delete the certificate."
Cause
This problem might occur if another app uses the certificate.
Solution
Remove the TLS binding for that certificate from the apps. Then try to delete the certificate. If you still can't delete the certificate, clear the internet browser cache and reopen the Azure portal in a new browser window. Then try to delete the certificate.
You can read this Microsoft Doc

Can't deploy to secured Service Fabric cluster from VS

I've created a secured SF cluster from the portal, but I can't connect to the explorer from the browser or deploy my app from VS. I have the cluster certificate (the one it makes you create on a Key Vault when you first deploy the cluster) installed on my machine. I got the .pfx file from the Key Vault and installed it on my Windows machine both with double click/wizard and with Powershell Import-PfxCertificate cmdlet.
Still after that, VS says Failed to contact the server. Please try again later or get help from "How to configure secure connections"
I tried added an client "admin" certificate, but it only asks me for the Thumbprint or the subject name, where I put the ones from the previously created cluster certificate. I don't really know if I need to buy a client certificate to make it work, or where do I get it?
And as I said, I can't access to the explorer using the browser either. Any ideas?
Here some screenshots:
This error message might be:
- The certificate issuer authority is not trusted
- because the certificate you installed is not valid or does not target the domain you are trying to access.
if the certificate issuer is not trusted, you might have to:
Trust then, please see this link
Or, get a new certificate from a trusted and execute the steps below
If the certificate is invalid, or misconfigured:
The message is chrome telling you that the certificate is not valid, and you can proceed on your own risk. You should be okay if you click Proceed to xyz.dev.eastus.cloudapp.com.
To deploy applications from Visual Studio to the cluster, you have to install the PFX certificate in the machine, and add the thumbprint to the publish profile file. See more in this link
How to make it work:
Register the domain you want, here I will say as www.example.com
Register the CNAME record on your DNS provider pointing to your Service Fabric default domain likexyz.dev.eastus..cloudapp.com.
Get a PFX certificate from a trusted authority, or your own self-signed certificate if it is for internal use only.
Add the certificate to key vault
Configure the VMSS to use the certificates from key vault
Update your cluster configuration with your certificate thumbprint
This link and this link provides the documentation on how to setup the cluster certificates.
And the following link has a detailed explanation how setup applications:
https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/
If you just want to create secure cluster for Dev and Test purposes, you could just create from the portal and let azure generate the correct certificate for you. For production workloads, you should create your certificates, Please take a look at this link for more info.

Wildcard SSL Certificates Across Multiple Websites on Windows Azure

I have a question about Azure-hosted websites and wildcard certificates.
I’m able to install my wildcard certificate to a website and then add multiple SSL bindings without issue.
But when I try to add that same certificate to another website, I get an error message about the certificate thumbprint.
Is there a centralized location where I can add the SSL certificate so that I can use the wildcard cert for multiple, individual websites?
I would like to report that this appears to just be a propagation issue on the side of Azure, and the issue has resolved itself.
Some more information in case others would run into this issue-
After I added the certificate using the new Azure interface (portal.azure.com) to a Website, the SSL certificate did not appear in the "Certificates" list, though it did successfully accept the SSL bindings that were added. Navigating to a different Website, I attempted to add the certificate again, which failed.
After 10 minutes, I now see that the "Certificates" list is populated on all Websites on the account. When you upload a certificate to one Website, it does become global for the account and is accessible on other parts of the Azure portal.
I am attributing this solely to a propagation delay... otherwise, all appears to work normally.
Hope this helps someone.

How to renew SSL certificate on an Azure Cloud Service?

I have a cloud service SAAS application that is running on Azure using https which SSL certificate is expiring soon. I've recently obtained a new SSL certificate that I need to apply to before the expiration date.
Looking up on the web, all I found are articles about how to setup SSL certificate for Azure Cloud Service (i.e. http://www.windowsazure.com/en-us/develop/net/common-tasks/enable-ssl/) and non regarding the renewal process. At this point, I'm thinking it's the same process.
In order to avoid unnecessary issue, I'm looking for confirmation from someone else that might have already done this before and perhaps some pointers on other things that I need to be aware of.
1)You upload the certificate to the Service Certificates section on the Windows Azure Portal - just as you did originally.
2) You modify the Service Configuration file to provide the thumbprint of the new certificate instead of the old one. This causes the certificate to be deployed to each instance.
3) You do an in-place upgrade or (use a VIP Swap) which causes IIS to start using the new certificate.
First you upload the new certificate using the Management Portal - go to Certificates tab of your cloud service.
Then if you believe in in-place reconfiguration (which I don't recommend for this scenario) you can go to Configure tab, scroll down to Certificates, change the thumbprint (you can get it from the Certificates tab) and click Save. Just don't forget to update your .cscfg files so that you have the changes preserved when you redeploy.
If you don't believe in in-place reconfiguration you'll have to change your .cscfg files and deploy your service into staging with the updated .cscfg and then do VIP swap and delete the previous deployment. This is what I recommend for this scenario because should anything go wrong with in-place reconfiguration you can experience service downtime.

Resources