Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I have been using the new Windows Azure Websites preview to build a site for a customer. I recently deployed this site, and moved it to a reserved instance so that I could configure a custom domain for the site as required by the customer. So far so good.
My next step is to secure the site using an SSL certificate. I have searched long and hard on the azure website (as well as stackoverflow) but have not been able to locate any information on how to configure an SSL cert for a reserved website instance.
I have seen many examples of doing this with a web role (cloud service) but not for a reserved website.
Does anyone know if this is currently possible? Or is this perhaps one of the reasons why azure websites are still in a preview mode?
Update: Found a post on the Azure Forum indicating that this is not possible in the current release, but is coming soon in a future release. http://social.msdn.microsoft.com/Forums/en-US/windowsazurewebsitespreview/thread/4bf975e7-56c0-4a4d-bb6a-b9b82f0da469
I did a quick google and found this link. It has some useful information.
Thanks to #twomm here is a TLDR of the situation:
just to keep everybody from clicking through, this is the current state there: "We are shooting for April or May for this feature"
As of 3, June 2013 Azure Web Sites now supports SSL for custom domains for reserved web sites according to Azure Pricing Details Page.
Two type of SSL connections are supported.
1 - Server Name Indication (SNI) SSL connections which works on modern browsers.
2 - IP-based SSL which works on all browsers.
Currently Azure supports shared SSL certificate only. Custom SSL certificates aren't supported yet, however Microsoft is planning to introduce them very soon.
With shared security you can access the same https site with https.
I see that this post and the answers are from a couple years ago. Now that it is possible to add an SSL certificate to Azure for a custom domain, I thought it would be useful to post a full solution here.
The MSDN blog post that I have followed to install a GoDaddy certificate on Windows Azure site is Avkash Chauhan's Complete Solution: Adding SSL Certificate with Windows Azure Application . He doesn't detail the Certificate Authority part, but I added steps below referring to how it is done on GoDaddy. His blog and another he links to have great detail about the whole rest of the process. My summary of all the steps is:
Purchase your SSL credit at GoDaddy
Use the credit to create or renew your SSL Certificate on GoDaddy. As part of the creation process, GoDaddy will ask you for your Certificate Signing Request (CSR). The CSR should be created on your LOCAL IIS server, as follows
In your local IIS 7 Manager, go to Server Certificates and choose Create Certificate Request... on the right. This is where you specify your domain name and details, including the encryption strength. Choose 2048-bit or higher. And RSA as the Cryptographic Provider
Once the CSR file is created, paste the contents into the GoDaddy creation form. It will take 5 to 10 minutes for the certificate creation to complete.
Download the certificate as a .zip file and save to your computer
Go to IIS 7 Manager again and choose Complete Certificate Request... It will ask you to browse to a *.cer file. Actually, you should use the . filter and browse to the *.crt file that was in your .zip file. Give it a friendly name like MyDomainSSL2015
Now that the certificate is created, highlight it and choose Export to export it to a .pfx file. At this point you will also give the exported file a password.
(The next few steps come from another MSDN post by William Bellamy, linked to in the other post I referenced) Log in to Windows Azure, go to Manage the service where you want to install the certificate, and choose Certificates tab
Click "Upload" at the bottom. It will ask you to browse to your .pfx file and enter the password that you created
Now that your certificate is uploaded to Azure, you still must specify that you want your Role to use it. This can be done in Visual Studio. So open your Visual Studio project
Right click on your role and choose Properties. Go to the Certificates tab
Click Add Certificate. A new line will be created in the grid. Make sure that LocalMachine is selected for the Store Location and CA for Store Name (though My seems to work too).
Click the ellipses in the Thumbprint column. This will show you a list of all your local certificates. Choose the one with the Friendly Name that you created earlier
Go to the Endpoints tab. For your HTTPS Endpoint, choose the SSL Certificate Name that you just added.
Publish your role
That's it. Again, the two blogs I referenced have some more detail and some screen shots, though some of the screen shots are outdated.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
Improve this question
This is more a theoretical question than a practical one.
I have four different App Services in Azure (each one for dev, tst, acc and prd), and I want to secure them with SSL.
So, in the portal Azure, I select one of the endpoints something-dev.azurewebsites.net and I go to SSL Certificates (I uploaded a certificate there already). Then when I click to add a SSL Binding, a Hostname is required.
I can create a hostname by using the Custom Domains option. But this will imply in some costs and extra work. It's not expansive, and the amount of work is not a lot, but what I'm wondering is:
If I can access already my App Service by using its endpoint (something-dev.azurewebsites.net), why can't I just add SSL binding to this endpoint directly? Why do I need a Custom Domain for it?
I might be lacking some knowledge about SSL, so I'd really appreciate an explanation. Thanks.
You can use the .azurewebsites.net endpoint with SSL directly already (out of the box). The reason not to do this for production, however, is that that particular domain is not owned by you, it's shared amongst every other web app running on Azure. So it's usually fine for dev/test environments and proving that your site works on https: ok, but when going to production you should really use your own custom domain - the settings you're referring to are leading you down that path, so you can then import the corresponding certificate.
From the relevant app services Azure documentation
To secure with HTTPS an app that has a custom domain name, you add a certificate for that domain name. By default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so your clients can already access your app at https://.azurewebsites.net. But if you want to use a custom domain, like contoso.com, www.contoso.com, and *.contoso.com, the default certificate can't secure that. Furthermore, like all wildcard certificates, the default certificate is not as secure as using a custom domain and a certificate for that custom domain.
Because you don't own that domain name! instead, its owned by "azurewebsites.net". The domain your using is simply a sub-domain which you have NO control over. So, if you want an SSL certificate you must lease a domain from a registrar.
Actually, you don't need a custom domain to use your own certificate. As I commented above, I had forgotten how to do it. But I've remembered now.
In your web app service settings menu go to Application Settings.
Scroll down to app settings.
In the Key box type "WEBSITE_LOAD_CERTIFICATES"
In the Value box type the thumbprint of your custom SSL certificate.
Edit: Don't forget to actually upload the SSL cert.
I have a question about Azure-hosted websites and wildcard certificates.
I’m able to install my wildcard certificate to a website and then add multiple SSL bindings without issue.
But when I try to add that same certificate to another website, I get an error message about the certificate thumbprint.
Is there a centralized location where I can add the SSL certificate so that I can use the wildcard cert for multiple, individual websites?
I would like to report that this appears to just be a propagation issue on the side of Azure, and the issue has resolved itself.
Some more information in case others would run into this issue-
After I added the certificate using the new Azure interface (portal.azure.com) to a Website, the SSL certificate did not appear in the "Certificates" list, though it did successfully accept the SSL bindings that were added. Navigating to a different Website, I attempted to add the certificate again, which failed.
After 10 minutes, I now see that the "Certificates" list is populated on all Websites on the account. When you upload a certificate to one Website, it does become global for the account and is accessible on other parts of the Azure portal.
I am attributing this solely to a propagation delay... otherwise, all appears to work normally.
Hope this helps someone.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
I have an Azure Web Site running successfully for the last year over SSL. The certificate is expiring, so I purchased a renewal. The steps I followed were:
use IIS to create the CSR
download the PKCS7 package (which includes intermediate certificates) from GeoTrust
complete the certificate request in IIS
use the certmgr MMC snap-in to export the PFX file with a private key and including all intermediate certificates and extended properties
upload to Azure
I am getting an error from Azure on step 5 - "Could not upload the certificate for web site XYZ." And the expanded error detail is "At least one certificate is not valid (Certificate failed validation because it could not be loaded.)"
Update: Azure support notified me on 2014/07/07 that the issue described below has been fixed.
I contacted Azure support and they confirmed that this is a known issue with the service. According to the tech I spoke to, a fix should be deployed some time next week.
In the meantime, I was provided with the following workaround:
While exporting the certificate, uncheck the following boxes:
Include all certificates in the certificate path if possible
Export all extended properties
Having just received the error as described (with a COMODO wildcard certificate) I tried NOT including the intermediate certificates when exporting the .pfx cert file and -- low and behold -- Azure accepts the certificate upload.
This goes contrary to the Azure docs, but initial testing of the https URL in Firefox, IE and Chrome doesn't show any problems.
I have a single .NET website that is currently running under a traditional hosting account.
I am using a multi-domain (5 domain) SSL certificate to handle domains for different regions i.e.
https://www.mywebsite.com
https://www.mywebsite.net
https://www.mywebsite.de
https://www.mywebsite.at
https://www.mywebsite.co.uk
At a code level I detect the address and localize the site depending on the URL extension.
This has all worked perfectly for the past few years with no problem. Now I want to migrate this site to Windows Azure to allow for better performance and redundancy.
I have successful experience of setting up a site using a Wildcard SSL certficate under Azure (i.e. *.mywebsite.com) but I am keen to sound out whether the multi-domain SSL is also possible.
So my question is does Azure support this kind of certificate and setup, has anyone successfully achieved this and were there any pitfalls?
Just to follow up on my question, it was very simple to implement in the end. I uploaded multiple certificates against my cloud service and the code then worked as before.
I need to create a self signed SSL certificate and the install the same certificate on two different web servers. For this specific scenario I have two web servers (Win2K3 w/ II6) in a network load balanced configuration.
I have installed the IIS resource tool kit and can use the SelfSSL tool to make a certificate. However my confusion comes from that the tool only registers the certificate on the current machine. How do I go about extracting the certificate in a form that I can then register it on the other web server?
I am not partial to the SelfSSL tool at all, so if I am going about this entirely wrong I am open to alternative instructions. I have seen instructions on how to generate .cer files using OpenSSL but I was really trying to hold off on install OpenSSL unless I really had to.
Thanks!
Preface
These instructions are probably not of much help to anyone, since both Windows 7 and IIS 7 are not supported anymore. However, I felt compelled to answer this question because it was currently the oldest unanswered question on Stackoverflow and I felt I could provide an accurate answer based on multiple sources.
With that out of the way, you should be able to extract the certificate generated by SelfSSL through the Microsoft Management Console and subsequently install it on other web servers using IIS Manager. Since you asked this question in 2008, the following instructions should be appropriate for your timeframe.
Step 1: Extracting the certificate
These are the relevant steps from this article on HowToGeek.
First, run the command mmc to open the Management Console:
In the console, go to File > Add/Remove Snap-in.
Add Certificates from the left side.
Select Computer account.
Select Local computer.
Click OK to view the Local Certificate store.
Navigate to Personal > Certificates and locate the certificate you setup using the SelfSSL utility.
Step 2: Installing the certificate.
Now that you have successfully extracted the certificate, the next step is to install it into an IIS web server. Again, these instructions from SSL Store for IIS 7 should be appropriate for your timeframe.
1. Launch IIS Manager
Click Start, Control Panel, Administrative Tools, and then select Internet Information Services (IIS) Manager.
2. Select your server name
In the left Connections menu, select the server name (host) where you want to install the certificate.
3. Navigate to the Security section
In the center menu, click the Server Certificates icon under the Security section near the bottom.Microsoft IIS 7 Step4
4. Click Complete Certificate Request
In the right Actions menu, click Complete Certificate Request.Microsoft IIS 7 Step5
5. Browse to your Server Certificate
In the Complete Certificate Request wizard, click “…” to browse and select Your Server Certificate file that was previously saved on your server’s desktop.
6. Name your certificate
Enter a Friendly Name which is an internal reference name to distinguish the file later. We recommend including the CAs name and expiration date.Microsoft IIS 7 Step7
7. Click OK
Click OK and the newly installed certificate should appear in the refreshed Server Certificate List.