As part of deployment we need to create publish settting file or self signed certificate.
Could someone please help me understand why we need this? To encrypt every request from given machine or any machine?
To publish a deployment from a tool (Visual Studio, PowerShell, or custom using the Service Management API), you will need to authorize that tool to work with Windows Azure. If you deploy via the Windows Azure management portal, this isn't needed because it knows you (via your authenticated Microsoft Account).
That authorization comes in the form of an X509 certificate. Like you mentioned, you can create it yourself, or you can have Windows Azure create one for you in the form of a .publishsettings file. That file contains an encoded X509 certificate. When you import that file into a tool like Visual Studio or the PowerShell cmdlets, the certificate is installed to your local certificate store. Then it can be used to authenticate requests between your machine and Windows Azure.
As for how to manage the certs, I typically prefer to have at least one per machine. I think it makes it easier to remove a cert if I need to, and not impact other machines I'm using. But, that's really up to you.
I always assumed the certificate was needed to authenticate the right to publish
(you don't want just anybody being able to deploy to your site)
Related
I have a program (.msi file) that is being built on a remote machine that I have no physical access to. The program is supposed to be distributed to users with Windows machines, however, in order to prevent the Smart Defender popup, I need to sign the installer with EV Code Signing certificate.
In order to implement the code signing on the remote machine that I am using right now, I was thinking about using Azure Key Vault along with AzureSignTool.exe, however, I am not sure whether this setup is reasonable. Is there anybody who had any experience with such a setup and could let me know how well it works?
I have also seen that in the Azure Key Vault there is a Managed HSM Pool option, however, I couldn't find much information on what that is. Am I ever going to need that or can I just simply ignore it?
I want to setup SSL Certificates generator/manager for Custom Domains - using Let's Encrypt but I'm not able to find the right tutorial. I've done some research work and I'm able to setup Let's Encrypt Certbot on one domain/machine with nginx.
I have a web app on Azure which will serve multiple domains, so multiple custo domains from single IP. I want to generate SSL Certificates for custom domains on the fly.
I learnt that Openresty can help but I couldn't find any step-by-step article. How do I setup the SSL Management with Let's Encrypt. At this point I'm not sure if I need a stand-alone VM or if it possible to run as a set of REST API Endpoint on a Web Server? Any pointers? I appreciate any help!
Azure App Service does not currently include native support for Let's Encrypt, but there is a community-supported extension that gets the job done.
https://github.com/sjkp/letsencrypt-siteextension/wiki/How-to-install
This extension uses a webjob to facilitate automatic certificate renewal, so the app must be Always On for automatic renewal to work. If you are using deployment slots, be aware that you need to install the extension in each slot, and then add a WEBJOBS_STOPPED = 1 slot setting to each non-production slot (assuming you're not using other webjobs on non-production slots that need to run in their non-production environments). This ensures that the webjob is always present on the production slot, and only runs on the production slot.
Also be aware that if you Web Deploy code to the app service from Visual Studio with the "Remove additional files at destination" file publish option checked, that doing so will remove the webjob from the slot to which you publish. You have a few choices if this applies to you:
Manually refresh the certificates every three months.
Reinstall the extension any time you publish (you do not have to reconfigure it).
Clone the webjob into your solution and publish it along with your project.
There may be other options, but those are the ones I've explored.
Microsoft has asserted that this extension constitutes support for Let's Encrypt, but Microsoft does not support this extension. Here's a place to vote for native support for Let's Encrypt on Azure if you think it's important:
https://feedback.azure.com/forums/170024-additional-services/suggestions/16957756-add-integration-with-let-s-encrypt
I need to install a self-signed CA root certificate that is used by one of our applications that uses Client Certificate Authentication with an external provider.
I have uploaded the .PFX client certificate but I also need to install the CA certificate into the trusted roots.
I have googled endlessly on how to do this and everywhere I look it speaks of Web-Roles, Jobs and Workers, Etc.
We don't have any of these on our project and I am not familiar with how they work or the process of creating / using them. We have a standard ASP.NET MVC 5 web application that we publish to an azure app service, that's about it.
How do I get this CA certificate installed on Azure?
I don't mind if I have to use a Web Role / Job / Worker / Whatever but I have never had to configure one before so please advise on how to get setup if that is the correct solution (I.E: If it just requires creating a new project on our VS2015 solution and configuring some deployment settings).
Thanks.
G.
Looking at this blog post it's not possible.
Do note that we will not install new Root certificates in our Trusted Authorities as a result of this, just the intermediate certificates.
That leaves you with two options:
Use an Azure Virtual Machine
Ignore the fact that the certificate is
not trusted by Azure
If possible it would be better to handle the certificate policy in-app - then you are in complete control. Assuming you are using .NET then you can either implement an ICertificatePolicy with your own validation or just ignore the "error" as per this SO asnwer.
If you are happy to run your application on a web or worker role in a cloud service, you can use start-up taks. A start-up task can be either a .bat file or PowerShell script that is executed prior to starting your application. You can also run these scripts elevated if you want.
See also:
- https://learn.microsoft.com/nl-nl/azure/cloud-services/cloud-services-startup-tasks
- https://social.msdn.microsoft.com/Forums/azure/en-US/96926ae6-0cbf-4d00-9dd4-bbe86f93737e/add-certificate-file-to-trusted-root-ca-using-startup-task?forum=windowsazuredevelopment
We are trying to run OIOSAML as an SAML SP in an Azure Website, but we encounter problems regarding the signing certificates. Azure websites will not allow us to install custom certificates, hence our SigningCertificate under the Federation node in the web.config file cannot be found. Do we have to move over to a Virtual Machine?
The Azure Web Sites team is currently working to add this feature. Specifically adding the ability for web sites to optionally load profiles which will support more certificate loading scenarios. The ETA for this work to be in production is within 2 weeks.
To help ensure we will be supporting your scenario, if you can provide a representative code snippet which is failing, we will validate that it works with the fix, before we go to production.
Thanks for your patience.
The Kentor.AuthServices SAML2 SP package can load certificates from files in App_Data and works on Azure. The Kentor implementation is not as complete as OIOSAML (yet, we're working on it) but if the functionality it offers is enough for you it can be an option.
I don't have the latest version of the code deployed in the company's Windows Azure account, and I need to provide a fix to it. I know this can be done with "Azure Web Sites", but I'm not sure it's possible with "Azure Cloud Services".
Can anyone help?
If you did git deployment of the cloud service, you could fetch from the remote the same way you could with Windows Azure Web Sites. You may have updated the cloud service by uploading the package to blob storage first, in which case you could get the package. But, the package is not source code.
From a process perspective, you should label your deployments with a tag that can be matched in source control. You never know when a "hotfix" needs to be added to a branch off of the current production code.
In Windows Azure Cloud Services, instances are uploaded in the form of .cspkg packages.
According to the documentation, the Get Package operation retrieves a cloud service package for a deployment and stores the package files in Windows Azure Blob storage.
You could then download and extract this package (it is in ZIP file format) to retrieve its content. See this answer for more details.
In the case of ASP.NET applications, that will be a mixture of text files and binary assemblies (.DLLs). In the case of Java, it will be .jar files. You could use the appropriate decompiler to retrieve an approximation of the original source code. But it probably wouldn't be safe to change this reverse-engineered source code and upload it back into production, at least not without extensive testing.
yes. you can download it with an ftp client.
Ggo to dashboard of your site on https://manage.windowsazure.com.
Get credentials (username , password, host) and connect with you preferred ftp client.
Well, Azure now had a new portal and things are bit different. I had to retrieve the code for one of my websites.
To download the code,
go to App Service. In Overview panel, download publisher profile.
Now go to Deployment credentials panel. Enter the username for FTP and choose a password.
To connect to ftp, you need the URL from publishing profile (example.PublishSettings).
Now fire up your FTP client (FileZilla in my case) and put the FTP address and put the username like sitename\ftpusername (example\ftp-exmaple-user for me) and put in the password you choose in Deployment credentials panel.
wwwroot contains your code!
I realize it's an old question, in case anyone else needs it... I use the Cloud Explorer in Visual Studio 2017. In the Cloud explorer, you can drill down Subscription -> Resource Group -> App Service -> Files. Then, at the bottom of the Cloud Explorer, click "Download Files as a Zip."