How to secure azure website and data deployment - azure

I'm working on large scale web application with lots of customer data. It's a CMS system, where the content authoring resided on-premise and delivery website hosted in azure.
From time to time we need to perform deployment of new changes and also publish of content from on premise cMS to azure.
I understand that we can use either Publish Setting or self-signed Certificate for authentication. But what I don't know is:
Which option (Azure Publish Setting or Self Signed Cert) is more secure to avoid MiTM attack?
Do we need to buy third party CA signed Certificate and if so what type (as it's not for website but for azure X509 authentication)?
Thank you heaps.

Simply use https instead of http when you are publishing data to protect it from tampering and eavesdropping during transmission.
A self signed certificate will suffice. You do not need to buy a trusted CA certificate for this purpose since you control both ends of transmission and can pre-configure that your self-signed certificate is trusted.
You only need a CA certificate when you expect random clients to trust your certificate, like when you expose your own https endpoint.
You may wish to have a look at Azure Vitual Network for alternative approaches.

Related

Azure App Service and Certificate Authority

We are building an enterprise application which is hosted on Azure App Service. The app service calls an internal inventory service to retrieve data. As part of initial call to the inventory service, it requires us to pass the .cer certificate for the calls.
The company issues certificates and acts as a Certificate Authority.
Question : is it possible to trust the internal company as a Certificate Authority in App service, so that, the app services trusts calls from the internal services.
This will be of huge help, because the certificate issues by the internal company CA expire each year and we will need to re-upload a valid certificate each time.
Any help will be much appreciated.
Unfortunately, you cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad.
To use a certificate in App Service, the certificate must meet all the following requirements:
• Signed by a trusted certificate authority
• Exported as a password-protected PFX file
• Contains private key at least 2048 bits long
• Contains all intermediate certificates in the certificate chain
Below Links will help you in configuring certificates in app service if you are not looking to secure a custom domain with an SSL binding.
Add a TLS/SSL certificate in Azure App Service
Use a TLS/SSL certificate in your code in Azure App Service
But you can override the framework code for SSL verification to include your particular cert
ServicePointManager.ServerCertificateValidationCallback
Refer the SO which will help you in overriding the framework

Azure TLS Certificate changes clarification

I recently got an email from Microsoft regarding the TLS Certificate changes. Had some difficulty understanding few action steps regarding it. Can anyone please explain the below points in detail.
Would be a massive help!
The TLS Change would apply to anyone who is trying to communicate to Azure services with their application. This is for applications/services etc. which call any Azure endpoint for execution. While calling the Azure endpoint the clients are required to present the certificate and trust the ones provided by Azure during the secure communications (a step called SSL handshake) between both the parties. In this case, the application needs to trust the Certificate authorities which granted the Azure service/endpoints the certificates so the certificate-based errors do not come during any secure communication between the application and Azure endpoints. Your application may be impacted if it explicitly specifies a list of acceptable CAs. This practice is known as certificate pinning.
There are some ways to detect if your application is impacted. You can follow the below article to find out more information:
https://learn.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes#will-this-change-affect-me
https://azure.microsoft.com/en-us/updates/site-recovery-tls-certificate-update/
If you have any specific question, you can post the same in the below thread which is being continuously monitored for Azure TLS certificate questions:
https://learn.microsoft.com/en-us/answers/questions/117444/reminder-azure-tls-certificate-changes.html

How to ensure Linked CA Trust Chain / Should or Can I install Intermediate CA on Azure WebApp?

I have a [major corporate] client who are about to change the SSL certificates that they use with their API services.
I have an application with APIs that consume those of our client (server to server, not browser to server).
Our client has issued a Linked CA certificate to 3rd parties (such as my company). We have been instructed to install the supplied certificate onto our servers.
I have been tasked to prove that our own service will continue to work after their change. I believe that I may need to be able to demonstrate the chain of trust.
The supplied Linked CA is "DigiCert Global CA G2".
Our own APIs are hosted on an Azure API/WebApp.
I do not believe that we should even be considering installing Linked CA's on Azure app services. I suspect that MS manage this entirely as part of the platform.
I have raised this question as a helpdesk ticket with Azure support, but after a few false-starts explaining the issue, the advise we have now received is a reference to this article https://azure.microsoft.com/en-us/blog/enabling-client-certificate-authentication-for-an-azure-web-app/. With genuine respect to MS helpdesk, I don't believe that this addresses my issue.
To clarify, I am explicitly not talking about installing an SSL certificate on our own systems.
Our client has not yet started using their replacement SSL certs ... so I'm unclear how I might go about positively proving that the replacement SSL certs will work, without having visibility of them in advance.
To distill my question into two parts:
"is what I've been tasked to do even possible without visibility of the subject SSL?".
"should I be contemplating installing a Linked CA onto an Azure App service? (and if so, how)".

Azure App Service SSL Certificate Not Trusted

https://www.ssllabs.com/ssltest/analyze.html?d=recruit.equitysim.ai
Situation:
A client needs to access our site over a secure connection but is unable to do so because of a problem with our certificate.
We purchased a wildcard certificate and set it up as per the documentation. If you notice in the provided link, our certificate is trusted.
We are using the Azure App Service to host our website on a paid level that includes custom domain and SSL support.
Problem:
According to the test, it appears that Microsoft's SSL certificate is not trusted - alternative names mismatch (See Certificate #2). We believe this to be the reason why our client is unable to access our site.
Any thoughts on the matter? We know it isn't an SNI problem because we have another site that is hosted on a VM that also requires SNI support and they can visit that site just fine.

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
 
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.

Resources