Installing SSL for third party web service communication from Azure - azure

Apologies for what is probably a question about a simple task but I'm brand new to Azure and a little worried I get this wrong. Actually, I have a new client and don't even have the access yet to their Azure yet have a proper look. The question is:
My new client has an existing MVC application running on IIS within Azure. This application must communicate with a third party SOAP (.asmx) web service that requires parts of the SOAP message to be signed using an SSL digital certificate.
So, I need to install the certificate on Azure. My problem is that the articles I have found deal with securing the website using the certificate and Https - which I don't want.
Can someone please point me to a good article (or show here if simple enough) that shows how to install it for the purpose of communicating with this third party service?
Any help is really appreciated here so that I can hit the ground running.

The approach for installing any certificate is the same. So you would use the same approach as you would for installing SSL certificate. So the steps would be:
Upload the certificate first in the cloud services certificate section. Note down the certificate thumbprint.
In Visual Studio, open up your role's properties and go to "Certificates" tab and specify that certificate thumbprint along with the certificate store location where you want this certificate to be installed.

Related

How to ensure Linked CA Trust Chain / Should or Can I install Intermediate CA on Azure WebApp?

I have a [major corporate] client who are about to change the SSL certificates that they use with their API services.
I have an application with APIs that consume those of our client (server to server, not browser to server).
Our client has issued a Linked CA certificate to 3rd parties (such as my company). We have been instructed to install the supplied certificate onto our servers.
I have been tasked to prove that our own service will continue to work after their change. I believe that I may need to be able to demonstrate the chain of trust.
The supplied Linked CA is "DigiCert Global CA G2".
Our own APIs are hosted on an Azure API/WebApp.
I do not believe that we should even be considering installing Linked CA's on Azure app services. I suspect that MS manage this entirely as part of the platform.
I have raised this question as a helpdesk ticket with Azure support, but after a few false-starts explaining the issue, the advise we have now received is a reference to this article https://azure.microsoft.com/en-us/blog/enabling-client-certificate-authentication-for-an-azure-web-app/. With genuine respect to MS helpdesk, I don't believe that this addresses my issue.
To clarify, I am explicitly not talking about installing an SSL certificate on our own systems.
Our client has not yet started using their replacement SSL certs ... so I'm unclear how I might go about positively proving that the replacement SSL certs will work, without having visibility of them in advance.
To distill my question into two parts:
"is what I've been tasked to do even possible without visibility of the subject SSL?".
"should I be contemplating installing a Linked CA onto an Azure App service? (and if so, how)".

Is it possible to use client certificates in Windows Azure Websites

I am developing a windows service application that will run on customer PC/servers and access a Web API endpoint hosted in an Azure Website. It needs to authenticate the user, and I would prefer not storing credentials on the customer's machine. So, I've landed on client certificates to authenticate the users. I have this working against a local, non-Azure Website IIS instance with self-signed certificates. However, I'm unable to get it working in an Azure Website.
As far as I can tell, there are two issues that I'm not finding much documentation on:
How do I install my own CA certificate in the Trusted Root of the Website instance(s)? Or will this only work with CA certificates that are already trusted?
How do I enable "Accept Client Certificates" for this application? In IIS you do this under "SSL Settings". Documentation indicates that modifying the system.webServer/security/access node of app.config will accomplish this, but obviously you can't do that in Websites. Documentation for websites suggests this node is unlocked for use in web.config, however adding that node results in an error "The page cannot be displayed because an internal server error has occurred.", even if custom errors is off.
For Azure web sites vs web roles client authentication options are rather limited. Websites don't let you run programs with elevated permissions, which is required for making IIS changes and storing certificates into the trusted root.
There's a way to configure you website to always (you don't get the benefit of making it optional as with IIS 'Accept' configuration) request client certificate. This feature is currently only available through Azure management REST API, you can't access it through the portal UI. You can find more information here.
Essentially you turn on clientCertEnabled website setting to true. The mechanics of this option are different from traditional client authentication where server needs to have a CA certificate with which the client cert is signed in its trusted root. The server doesn't run any validation on the client certificate, the application needs to run the cert check itself, which comes in a request header "X-ARR-ClientCert". GetClientCertificate() extension method on HttpRequestMessage will parse it automatically.
Alternatively, you can host your Web API as a web role. That gives access to running startup tasks with elevated permissions that allows access to trusted root and making IIS configurations, more details/examples here. You can either copy the CA certificate to the app folder or upload to the user store via Azure portal so that it is available for copying over to the trusted root in a startup task. IIS changes can be made via “Microsoft.Web.Administration” library available as NuGet package through ServerManager class.
For question 2, here's a blog post on how to install client certificates on Azure Websites: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/
For question 1, you can't install your own CA certs as trusted root certificates, but if you have certs from a CA that's already trusted then you can use them without any issues.

Can Azure generate a certificate at the cloud side?

During the development, we didn't get the domain binding for our application, so we just use the Azure URL, something like this: xxx.cloudapp.net.
Because we would like our website use HTTPS protocol, we need to use a certificate, just follow the MSDN, we generated the self-signed pfx file using IIS Manager. Before we publish our application to cloud, we upload the pfx file to cloud by the portal page.
So my question is, is above the only way for this situation? Which I means, I need to upload the certificate to cloud manually first, then publish the application? Is there a way I don't need to to this, something like I even not rely on IIS Manager, the cloud can generate a certificate?
Simple answer to your question is No, Azure can't create a certificate for you. But you could do the same.
To elaborate further, let me explain you what's happening behind the scenes. So you have uploaded the PFX certificate in the portal and in your application configuration screen you have specified the thuumbprint of that certificate. When Azure Fabric Controller spins of the VM, it checks for this certificate thumbprint and based on that it fetches the certificate you uploaded previously and installs that certificate. Furthermore it makes changes to the IIS settings does the SSL magic. Now if you want (not sure why) but you could do the same. If we take just development environment, what you could do is write a startup task which would first create a certificate using makecert utility. Then you would write some IIS scripts which will do the SSL magic for IIS.
Yet another thing you could do is automate the deployment of your code using Azure PowerShell Cmdlets. As a part of deployment automation, 1st thing you would do is upload the SSL certificate using Add-AzureCertificate and then create a deployment of your service using New-AzureDeployment.

certificates not grouped under trusted certificates in azure

This question will be easy for those who work in cloud services or for those who having some good knowledge about windows azure.
I have a ssl certificate specified its thumbprint and other details in configuration file. When my package is deployed in the cloud service, the certificate doesn't get grouped under trusted certificate group.Insted it gets grouped under intermediate certificate group in all the instances. Because of this I am getting some certificate issue while accessing a site.
On googling I could find from the microsoft blog, that all the certificates from trusted sources will be grouped under trusted certificates in the azure cloud service virtual machines. But here it is not doing so..
Any ideas on this?
Any comments would be really appreciated..
When deploying certificates to an Azure cloud instance, you may have to include more than jus the SSL certificate to secure the domain. You may also have to list any intermediate certificates, as well as the root certificate. Have a look at this article that describes how to confiugre chained certificates for Azure and let me know if it helps at all.
http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx
This was due to an os upgrade from Microsoft. It was fixed by them and now this seems to be working perfect..
For more: visit http://msdn.microsoft.com/en-us/library/windowsazure/ee924680.aspx

IIS 7 X509 Certificate Issue

I am building a site that needs to call a 3rd party web service over https. The service requires an X509 certificate for authentication.
I can successfully call the service and get a response back using a console application, or a web application running in visual studio web server, this suggests to me that the code, and certificate provided by the 3rd party are all ok.
As soon as I deploy the site in IIS, it cannot connect to the service, I am getting "The request was aborted: Could not create SSL/TLS secure channel" error. I spent a couple of hours trying to figure this out, assuming it was permissions related as IIS app pool running under network service etc.
The certificate is installed in the local machine store, not current user, and I have granted network service (also added everyone is desperation!) using the winhttpcertcfg tool and manually in MMC > Manage Private Keys, so I am confident that the network service account has access to the certificate.
I also used the FindPrivateKey tool and checked the physical windows file and permissions look ok! I tried using identity impersonate in the config, using my windows account and that doesn't make a difference.
I am pulling my hair out with this one, can anyone give me any suggestions on what to try next?
Cheers

Resources