Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
I have an Azure Web Site running successfully for the last year over SSL. The certificate is expiring, so I purchased a renewal. The steps I followed were:
use IIS to create the CSR
download the PKCS7 package (which includes intermediate certificates) from GeoTrust
complete the certificate request in IIS
use the certmgr MMC snap-in to export the PFX file with a private key and including all intermediate certificates and extended properties
upload to Azure
I am getting an error from Azure on step 5 - "Could not upload the certificate for web site XYZ." And the expanded error detail is "At least one certificate is not valid (Certificate failed validation because it could not be loaded.)"
Update: Azure support notified me on 2014/07/07 that the issue described below has been fixed.
I contacted Azure support and they confirmed that this is a known issue with the service. According to the tech I spoke to, a fix should be deployed some time next week.
In the meantime, I was provided with the following workaround:
While exporting the certificate, uncheck the following boxes:
Include all certificates in the certificate path if possible
Export all extended properties
Having just received the error as described (with a COMODO wildcard certificate) I tried NOT including the intermediate certificates when exporting the .pfx cert file and -- low and behold -- Azure accepts the certificate upload.
This goes contrary to the Azure docs, but initial testing of the https URL in Firefox, IE and Chrome doesn't show any problems.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
How can I attach a certificate for the backend HTTP setting via DevOps Repo. The certificate is in my PC. Not much familiar with this coding logic.
Please help me
How can I attach a certificate for the backend HTTP setting via DevOps Repo. The certificate is in my PC
To achieve this, you could submit your certificate to the Secure files in the Azure Devops Library:
Secure files:
Use the Secure Files library to store files such as signing
certificates, Apple Provisioning Profiles, Android Keystore files, and
SSH keys on the server without having to commit them to your source
repository. Secure files are defined and managed in the Library tab in
Azure Pipelines.
Then we could use the Download Secure File task in a pipeline to download a secure file to the agent machine.
Next, we could use powershell scripts to attach a certificate for the backend HTTP:
Configure end to end TLS by using Application Gateway with PowerShell
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
Improve this question
This is more a theoretical question than a practical one.
I have four different App Services in Azure (each one for dev, tst, acc and prd), and I want to secure them with SSL.
So, in the portal Azure, I select one of the endpoints something-dev.azurewebsites.net and I go to SSL Certificates (I uploaded a certificate there already). Then when I click to add a SSL Binding, a Hostname is required.
I can create a hostname by using the Custom Domains option. But this will imply in some costs and extra work. It's not expansive, and the amount of work is not a lot, but what I'm wondering is:
If I can access already my App Service by using its endpoint (something-dev.azurewebsites.net), why can't I just add SSL binding to this endpoint directly? Why do I need a Custom Domain for it?
I might be lacking some knowledge about SSL, so I'd really appreciate an explanation. Thanks.
You can use the .azurewebsites.net endpoint with SSL directly already (out of the box). The reason not to do this for production, however, is that that particular domain is not owned by you, it's shared amongst every other web app running on Azure. So it's usually fine for dev/test environments and proving that your site works on https: ok, but when going to production you should really use your own custom domain - the settings you're referring to are leading you down that path, so you can then import the corresponding certificate.
From the relevant app services Azure documentation
To secure with HTTPS an app that has a custom domain name, you add a certificate for that domain name. By default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so your clients can already access your app at https://.azurewebsites.net. But if you want to use a custom domain, like contoso.com, www.contoso.com, and *.contoso.com, the default certificate can't secure that. Furthermore, like all wildcard certificates, the default certificate is not as secure as using a custom domain and a certificate for that custom domain.
Because you don't own that domain name! instead, its owned by "azurewebsites.net". The domain your using is simply a sub-domain which you have NO control over. So, if you want an SSL certificate you must lease a domain from a registrar.
Actually, you don't need a custom domain to use your own certificate. As I commented above, I had forgotten how to do it. But I've remembered now.
In your web app service settings menu go to Application Settings.
Scroll down to app settings.
In the Key box type "WEBSITE_LOAD_CERTIFICATES"
In the Value box type the thumbprint of your custom SSL certificate.
Edit: Don't forget to actually upload the SSL cert.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 3 years ago.
Improve this question
I am using windows Azure virtual machine where I have hosted one nodejs application with the help of IIS.
The nodejs app is running fine but it runs with 'HTTP' and I want to use 'HTTPS'.
So, the case is that it currently runs on http://example.azurecloud.net and I want to make it https://example.azurecloud.net
In order to install ssl, I have installed AD CS (Active Directory Certification Service) on my windows AZURE machine and tried to create certificate but when I try to create a certificate with that service, it asks like "Specify online certification Authority" and there is option to select certification authority which is disabled for me and I am not able to create certificate.
So my questions are
1] Why I am not able to get any online certification authority list ?
2] Is it possible to obtain SSL certificates for free ? If yes then how ?
It depends what kind of SSL certificate you need. If you need a widely trusted one, mscdex and Lex Li have given you some suggestions where to get one. Simply search for "free SSL certificates".
For your purpose you do not need a certificate authority like AD CS. That would be to much work for just one certificate, that's not widely trusted.
If you do not need a widely trusted one you can create a certificate on your own. With Windows 2012 R2 and newer you have a PowerShell command called New-SelfSignedCertificate.
Example:
New-SelfSignedCertificate -DnsName example.azurecloud.net -CertStoreLocation cert:\LocalMachine\My
After that you can select in IIS the new certificate in the web site's bindings:
I have a question about Azure-hosted websites and wildcard certificates.
I’m able to install my wildcard certificate to a website and then add multiple SSL bindings without issue.
But when I try to add that same certificate to another website, I get an error message about the certificate thumbprint.
Is there a centralized location where I can add the SSL certificate so that I can use the wildcard cert for multiple, individual websites?
I would like to report that this appears to just be a propagation issue on the side of Azure, and the issue has resolved itself.
Some more information in case others would run into this issue-
After I added the certificate using the new Azure interface (portal.azure.com) to a Website, the SSL certificate did not appear in the "Certificates" list, though it did successfully accept the SSL bindings that were added. Navigating to a different Website, I attempted to add the certificate again, which failed.
After 10 minutes, I now see that the "Certificates" list is populated on all Websites on the account. When you upload a certificate to one Website, it does become global for the account and is accessible on other parts of the Azure portal.
I am attributing this solely to a propagation delay... otherwise, all appears to work normally.
Hope this helps someone.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I have been using the new Windows Azure Websites preview to build a site for a customer. I recently deployed this site, and moved it to a reserved instance so that I could configure a custom domain for the site as required by the customer. So far so good.
My next step is to secure the site using an SSL certificate. I have searched long and hard on the azure website (as well as stackoverflow) but have not been able to locate any information on how to configure an SSL cert for a reserved website instance.
I have seen many examples of doing this with a web role (cloud service) but not for a reserved website.
Does anyone know if this is currently possible? Or is this perhaps one of the reasons why azure websites are still in a preview mode?
Update: Found a post on the Azure Forum indicating that this is not possible in the current release, but is coming soon in a future release. http://social.msdn.microsoft.com/Forums/en-US/windowsazurewebsitespreview/thread/4bf975e7-56c0-4a4d-bb6a-b9b82f0da469
I did a quick google and found this link. It has some useful information.
Thanks to #twomm here is a TLDR of the situation:
just to keep everybody from clicking through, this is the current state there: "We are shooting for April or May for this feature"
As of 3, June 2013 Azure Web Sites now supports SSL for custom domains for reserved web sites according to Azure Pricing Details Page.
Two type of SSL connections are supported.
1 - Server Name Indication (SNI) SSL connections which works on modern browsers.
2 - IP-based SSL which works on all browsers.
Currently Azure supports shared SSL certificate only. Custom SSL certificates aren't supported yet, however Microsoft is planning to introduce them very soon.
With shared security you can access the same https site with https.
I see that this post and the answers are from a couple years ago. Now that it is possible to add an SSL certificate to Azure for a custom domain, I thought it would be useful to post a full solution here.
The MSDN blog post that I have followed to install a GoDaddy certificate on Windows Azure site is Avkash Chauhan's Complete Solution: Adding SSL Certificate with Windows Azure Application . He doesn't detail the Certificate Authority part, but I added steps below referring to how it is done on GoDaddy. His blog and another he links to have great detail about the whole rest of the process. My summary of all the steps is:
Purchase your SSL credit at GoDaddy
Use the credit to create or renew your SSL Certificate on GoDaddy. As part of the creation process, GoDaddy will ask you for your Certificate Signing Request (CSR). The CSR should be created on your LOCAL IIS server, as follows
In your local IIS 7 Manager, go to Server Certificates and choose Create Certificate Request... on the right. This is where you specify your domain name and details, including the encryption strength. Choose 2048-bit or higher. And RSA as the Cryptographic Provider
Once the CSR file is created, paste the contents into the GoDaddy creation form. It will take 5 to 10 minutes for the certificate creation to complete.
Download the certificate as a .zip file and save to your computer
Go to IIS 7 Manager again and choose Complete Certificate Request... It will ask you to browse to a *.cer file. Actually, you should use the . filter and browse to the *.crt file that was in your .zip file. Give it a friendly name like MyDomainSSL2015
Now that the certificate is created, highlight it and choose Export to export it to a .pfx file. At this point you will also give the exported file a password.
(The next few steps come from another MSDN post by William Bellamy, linked to in the other post I referenced) Log in to Windows Azure, go to Manage the service where you want to install the certificate, and choose Certificates tab
Click "Upload" at the bottom. It will ask you to browse to your .pfx file and enter the password that you created
Now that your certificate is uploaded to Azure, you still must specify that you want your Role to use it. This can be done in Visual Studio. So open your Visual Studio project
Right click on your role and choose Properties. Go to the Certificates tab
Click Add Certificate. A new line will be created in the grid. Make sure that LocalMachine is selected for the Store Location and CA for Store Name (though My seems to work too).
Click the ellipses in the Thumbprint column. This will show you a list of all your local certificates. Choose the one with the Friendly Name that you created earlier
Go to the Endpoints tab. For your HTTPS Endpoint, choose the SSL Certificate Name that you just added.
Publish your role
That's it. Again, the two blogs I referenced have some more detail and some screen shots, though some of the screen shots are outdated.