I am trying to consume the certificate uploaded in azure website(not webrole) in my web app using following config
<microsoft.identityModel>
<!-- Service Configuration -->
<service>
<serviceCertificate>
<certificateReference findValue="2696C50B72CB368AEB11DE3B23CD226252A1BFD" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
</serviceCertificate>
<certificateValidation certificateValidationMode="None"/>
</service>
Code works fine on local system. But I am recieving error when deployed to azure website.
ID1024 The configuration property value is not valid
ID1025 Cannot find a unique certificate that matches the criteria
I then tried to browse all the certificates in my azure website(using code). But the certificate list does not contain my uploaded certificate.
Certificate is uploaded and can be seen in azure portal.
Custom domain is mapped and the uploaded certficiate is used against the domain.
But somehow my web app is unable to find the certificate. I tried all possible combination of StoreName and StoreLocation but in vain.
I think there may be some confusion on what the certificates you upload via the Configure tab for Websites are used for. Currently the certificates loaded there are ONLY used for SSL.
When looking at the little help icon next to the certificates section on the configure tab the tooltip states the following:
"This section lets you manage SSL certificates that you can bind to your custom domain names. Binding an SSL certificate to your custom domain name will allow your end users to access your site over HTTPS."
Windows Azure Web Sites exist at a process level, meaning that they can be started up on one machine but move around as the processes go up and down. If you aren't familiar with this I'd suggest reading up on how the hosting model works for Web Sites. Here is an article that covers it: Windows Azure Web Sites - A New Hosting Model for Windows Azure (full disclosure: I wrote the article).
Loading the certificate here I do not believe adds the certificate to any of the stores on the machines your web site runs on. Windows Azure would need to ensure that the cert is always on the machine the site is deployed to and since this is only at a process level and can change frequently (unless you are using standard) it doesn't make sense. The SSL certs are handled differently and as far as I know aren't really deployed to each machine.
As far as I know in order for you to load a certificate and use it you'll either need to look at a web role where loaded certs from the portal ARE placed into the store on the VM or look to see if you can load the certificate manually in code and ship the cert as content on your site (which seems a little less secure to me). I could just be overlooking an option though.
Related
I have an web app on Azure with a myapp.azurewebsites.net address and have been following the guide here:
https://learn.microsoft.com/en-USazure/app-service-web/app-service-web-tutorial-custom-domain
Based on this, I have added the hostname in the app settings and it has been verified. I have also added the A Record and TXT record in my domain hosting provider based on the instructions (A Record points to the Azure website IP address) along with installing the SSL certificate for the external domain on the external host.
However when I type in the custom domain name, it goes to the page on the external host instead of the Azure website
What I would like to happen is: https://custom.domain will show the same as https://myapp.azurewebsites.net
Is this even possible ?
As far as I know, the certificate is used to tell the user(client browser) this website is secure.
Normally, there are two reasons why the browser window showed the non-secure page.
You're probably using a self-signed certificate.
You may have left out intermediate certificates when you export your certificate to the PFX file.
So if you want your custom domain doesn't show the non-secure page, you need buy a certificate from the azure or some other company.
After verifying domain ownership, then you could bind this certificate to your azure web app.
After this operation, it will work well.
More details about how to buy certificate with custom domain in the azure, you could refer to this article.
After buying the azure certificate, you could find the certificate as below image shows:
After binding the certificate well, it will not show the no-secure page in the browser.
Image 1:
Image 2:
I saw that creating the fully hosted domain also created A Records pointing to their IP address instead of Azure. Do I need to override these somehow, or how should it work? The tutorial did not show if "contoso.com" was https.
In my opinion, fully hosted domain is the hosting company creates its own web app server to hosting your web app and change the A records point to its own web app server IP address.
So you will find the custom domain show that company pages.
If you want to set the custom domain still points to the azure web app, you need change the A record's IP address as azure web app's address.
If you could find the hosting company has already create a certificate and verified your domain.
Then you could download it and upload it in the azure web app's portal.
After binding the SSL, it will work well.
If the fully hosted domain doesn't contain the certificate, you need buy the certificate by yourself again, upload it in the azure web app portal, change the A record points to your azure web app's IP address.
The problem it seems is that when using a fully hosted site, I can add an A Record but the hosting company keeps using their own A Record which I cannot change, it is part of their "uneditable settings."
Since I don't know how your hosting company's fully hosted site works.
Now, the most easily way is you connect to its support team to change the domain setting firstly, then you follow this article to buy a azure certificate and bind it.
For second option, did you mean to download the SSL from the hosting company and use it as 3rd party SSL in Azure? The A Record would still point to the hosting company right ? Also it seems I do not have an option to download the SSL either in PFX format, I can only view the certificate configuration (CSR, key, etc).
Yes, if you have permission to download the PFX format(if you don't know how to do it, please connect to your hosting company support), you could use it as third party SSL.
I am developing a windows service application that will run on customer PC/servers and access a Web API endpoint hosted in an Azure Website. It needs to authenticate the user, and I would prefer not storing credentials on the customer's machine. So, I've landed on client certificates to authenticate the users. I have this working against a local, non-Azure Website IIS instance with self-signed certificates. However, I'm unable to get it working in an Azure Website.
As far as I can tell, there are two issues that I'm not finding much documentation on:
How do I install my own CA certificate in the Trusted Root of the Website instance(s)? Or will this only work with CA certificates that are already trusted?
How do I enable "Accept Client Certificates" for this application? In IIS you do this under "SSL Settings". Documentation indicates that modifying the system.webServer/security/access node of app.config will accomplish this, but obviously you can't do that in Websites. Documentation for websites suggests this node is unlocked for use in web.config, however adding that node results in an error "The page cannot be displayed because an internal server error has occurred.", even if custom errors is off.
For Azure web sites vs web roles client authentication options are rather limited. Websites don't let you run programs with elevated permissions, which is required for making IIS changes and storing certificates into the trusted root.
There's a way to configure you website to always (you don't get the benefit of making it optional as with IIS 'Accept' configuration) request client certificate. This feature is currently only available through Azure management REST API, you can't access it through the portal UI. You can find more information here.
Essentially you turn on clientCertEnabled website setting to true. The mechanics of this option are different from traditional client authentication where server needs to have a CA certificate with which the client cert is signed in its trusted root. The server doesn't run any validation on the client certificate, the application needs to run the cert check itself, which comes in a request header "X-ARR-ClientCert". GetClientCertificate() extension method on HttpRequestMessage will parse it automatically.
Alternatively, you can host your Web API as a web role. That gives access to running startup tasks with elevated permissions that allows access to trusted root and making IIS configurations, more details/examples here. You can either copy the CA certificate to the app folder or upload to the user store via Azure portal so that it is available for copying over to the trusted root in a startup task. IIS changes can be made via “Microsoft.Web.Administration” library available as NuGet package through ServerManager class.
For question 2, here's a blog post on how to install client certificates on Azure Websites: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/
For question 1, you can't install your own CA certs as trusted root certificates, but if you have certs from a CA that's already trusted then you can use them without any issues.
I have a question about Azure-hosted websites and wildcard certificates.
I’m able to install my wildcard certificate to a website and then add multiple SSL bindings without issue.
But when I try to add that same certificate to another website, I get an error message about the certificate thumbprint.
Is there a centralized location where I can add the SSL certificate so that I can use the wildcard cert for multiple, individual websites?
I would like to report that this appears to just be a propagation issue on the side of Azure, and the issue has resolved itself.
Some more information in case others would run into this issue-
After I added the certificate using the new Azure interface (portal.azure.com) to a Website, the SSL certificate did not appear in the "Certificates" list, though it did successfully accept the SSL bindings that were added. Navigating to a different Website, I attempted to add the certificate again, which failed.
After 10 minutes, I now see that the "Certificates" list is populated on all Websites on the account. When you upload a certificate to one Website, it does become global for the account and is accessible on other parts of the Azure portal.
I am attributing this solely to a propagation delay... otherwise, all appears to work normally.
Hope this helps someone.
During the development, we didn't get the domain binding for our application, so we just use the Azure URL, something like this: xxx.cloudapp.net.
Because we would like our website use HTTPS protocol, we need to use a certificate, just follow the MSDN, we generated the self-signed pfx file using IIS Manager. Before we publish our application to cloud, we upload the pfx file to cloud by the portal page.
So my question is, is above the only way for this situation? Which I means, I need to upload the certificate to cloud manually first, then publish the application? Is there a way I don't need to to this, something like I even not rely on IIS Manager, the cloud can generate a certificate?
Simple answer to your question is No, Azure can't create a certificate for you. But you could do the same.
To elaborate further, let me explain you what's happening behind the scenes. So you have uploaded the PFX certificate in the portal and in your application configuration screen you have specified the thuumbprint of that certificate. When Azure Fabric Controller spins of the VM, it checks for this certificate thumbprint and based on that it fetches the certificate you uploaded previously and installs that certificate. Furthermore it makes changes to the IIS settings does the SSL magic. Now if you want (not sure why) but you could do the same. If we take just development environment, what you could do is write a startup task which would first create a certificate using makecert utility. Then you would write some IIS scripts which will do the SSL magic for IIS.
Yet another thing you could do is automate the deployment of your code using Azure PowerShell Cmdlets. As a part of deployment automation, 1st thing you would do is upload the SSL certificate using Add-AzureCertificate and then create a deployment of your service using New-AzureDeployment.
If I create an azure website let's assume: myname.azurewebsites.net, I can access this by using http (http://myname.azurewebsites.net) or https (https://myname.azurewebsites.net).
What does this mean? Did I understood it right that basically I don't need an SSL certificate as it has one by default?
I need to build a web service that needs to use SSL. Therefore do I need to buy an ssl certificate and custom domain (not important)? I don't need a custom domain and the default one works fine for me. So can I use my service over SSL provided by Azure: https://myname.azurewebsites.net (is a wildcard certificate)?
If you need to build a web service that needs to use SSL I highly suggest that you use your own domain and your own SSL certificate (buy one) if you are going in production with it. If you just test/play around - than you can safely use the default provided one.
And you are correct about default provided one - you get a (free) SSL for your azure web site as long as it is only bound to the default XXX.azurewebsites.net domain. However the certificate you get there is a wildcard certificate issued to *.azurewebsites.net. I would not use it if I have to go for a production service!
If you are to use SSL features of Azure Web Sites with your own domain and certificate, check out the Pricing and requirement pages. There are important things to note!