I am in the process of trying to obtain an authenticode certificate for our online application. I have paid for the cert (through KSoftware a reseller of Comodo). They insist that they require the WHOIS information of the sites address to match the company name/address etc.
Here's the problem, the application is hosted in Azure. When I query the WHOIS record for our sites address it returns Microsoft details!
Perhaps someone has been through the process of getting an Azure application signed or knows of any good references I can take a look at.
When you create a service and deploy your application to Windows Azure it runs with DNS name i.e. yourservicename.cloudapp.net.
However if you have a domain name i.e. yourdomainname.com then you sure can set your domain as primary place for your users to come (or any request to come) and then all the requets will be redirected to Windows Azure site (*.cloudapp.net). To make it happen you need to setup CNAME setting in your DNS registrar to send all requests from your domain to Windows Azure application. #Smarx has explained the process here to follow.
Now when you use Authenticode certificate your authenticated request must be handled by your original domain, yourdommainname.com not with your servicename.cloudapp.net. When you have CNAME set for your site yourdomainname.com you will get correct WHOIS info as return by your domainname.com registrar which will be validated correctly by Authenticode certificate.
Related
I want to create certification by App Service Managed Certificate.
I set these records
and it works correctly but when I want to create App Service Managed Certificates by Azure
I got a strange error
Failed to create App Service Managed Certificate for hostname. Click here for more details.
I try different CAA records and none of them works.
what should I do?
and if I want to use terraform it is stuck at creating the certificate
I use this template
Azure does not support the .ir domain.
Good news on App service managed certificate.
Yes, you heard correctly it became GA now and supports apex domain with a country code top-level domain (ccTLD).
Key Features:
Supports Apex domain.
Auto renewed.
Expired in 6 month.
Auto renew 45 days before expiration.
Automate using ARM template.
App Service Managed Certificate for apex domain will take a bit longer to create than for sub-domain because it uses a different validation method.
Not exportable.
I hope this will help you in securing your environment.
Maybe the tutorial you need is this:
map-a-cname-record
Create a free certificate
I had seen this error before, and solve it by the steps below:
Check the CNAME records. Map a subdomain to the app's default domain name needs two records: CNAME record and TXT record.
Make sure you enabled the CNAME record mapping in Azure .
Clear the records you don't need, like the CAA records, because wildcard certificatesis not support for creating a free certificate. Take care of the limitations.
It may takes a while for this configuration to take effect.
App Service Managed Certificate is still in Preview, there are some limitations with this (as of today), kindly check them below.
It's a private certificate to use if you just need to secure your www custom domain or any non-naked domain in App Service.
The free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.
The free certificate comes with the following limitations:
Does not support wildcard certificates.
Does not support naked domains.
Is not exportable.
Is not supported on App Service Environment (ASE)
Does not support A records. For example, automatic renewal doesn't work with A records.
Kindly see the different between App Service Certificate and App Service Managed Certificate.
https://microsoft.github.io/AzureTipsAndTricks/blog/tip259.html
Checkout this documentation for more details.
I have an web app on Azure with a myapp.azurewebsites.net address and have been following the guide here:
https://learn.microsoft.com/en-USazure/app-service-web/app-service-web-tutorial-custom-domain
Based on this, I have added the hostname in the app settings and it has been verified. I have also added the A Record and TXT record in my domain hosting provider based on the instructions (A Record points to the Azure website IP address) along with installing the SSL certificate for the external domain on the external host.
However when I type in the custom domain name, it goes to the page on the external host instead of the Azure website
What I would like to happen is: https://custom.domain will show the same as https://myapp.azurewebsites.net
Is this even possible ?
As far as I know, the certificate is used to tell the user(client browser) this website is secure.
Normally, there are two reasons why the browser window showed the non-secure page.
You're probably using a self-signed certificate.
You may have left out intermediate certificates when you export your certificate to the PFX file.
So if you want your custom domain doesn't show the non-secure page, you need buy a certificate from the azure or some other company.
After verifying domain ownership, then you could bind this certificate to your azure web app.
After this operation, it will work well.
More details about how to buy certificate with custom domain in the azure, you could refer to this article.
After buying the azure certificate, you could find the certificate as below image shows:
After binding the certificate well, it will not show the no-secure page in the browser.
Image 1:
Image 2:
I saw that creating the fully hosted domain also created A Records pointing to their IP address instead of Azure. Do I need to override these somehow, or how should it work? The tutorial did not show if "contoso.com" was https.
In my opinion, fully hosted domain is the hosting company creates its own web app server to hosting your web app and change the A records point to its own web app server IP address.
So you will find the custom domain show that company pages.
If you want to set the custom domain still points to the azure web app, you need change the A record's IP address as azure web app's address.
If you could find the hosting company has already create a certificate and verified your domain.
Then you could download it and upload it in the azure web app's portal.
After binding the SSL, it will work well.
If the fully hosted domain doesn't contain the certificate, you need buy the certificate by yourself again, upload it in the azure web app portal, change the A record points to your azure web app's IP address.
The problem it seems is that when using a fully hosted site, I can add an A Record but the hosting company keeps using their own A Record which I cannot change, it is part of their "uneditable settings."
Since I don't know how your hosting company's fully hosted site works.
Now, the most easily way is you connect to its support team to change the domain setting firstly, then you follow this article to buy a azure certificate and bind it.
For second option, did you mean to download the SSL from the hosting company and use it as 3rd party SSL in Azure? The A Record would still point to the hosting company right ? Also it seems I do not have an option to download the SSL either in PFX format, I can only view the certificate configuration (CSR, key, etc).
Yes, if you have permission to download the PFX format(if you don't know how to do it, please connect to your hosting company support), you could use it as third party SSL.
I have been trying for 3 days now to link custom domains, caretopets.com and www.caretopets.com, to an Azure Web app - the issue is that I am was not able to verify it (I get both Domain ownership and Hostname availability errors).
The domain is newly purchased from godaddy. I read several articles, and also have other web app with different domain linked. I'm not sure what I am doing wrong.
I added the required A, TXT and CNAME records as seen here:
I checked the records with digwebinterface:
The only thing is that there are some strange additional CNAMEs.
I also tried to verify a domain that is already linked to another web app in the same subscription, and even that one won't verify as well.
Any suggestions on where to go from here would be helpful.
link a custom domain caretopets.com and www.caretopets.com to an Azure Web app I am was not able to verify it
To map custom domain to web app, I create the DNS record(s) like this. I could validate Domain successfully.
As far as I know, it should report success or detailed error with prescriptive guidence on how to fix the error while checking for Domain ownership and Hostname availability in Azure portal.
Please make sure whether you point to correct IP address and Azure app's default domain name.
Besides, this article shows us how to manually map a custom domain name to web app with detailed steps, please refer to it.
I'm building an ASP.NET MVC website to be hosted as a shared Azure website with custom domain name.
For the backend portion of the site (for specific users only) I need a login form and from that point on all traffic should be SSL encrypted. However I don't have a custom certificate and would like to avoid that extra cost.
I noticed that free websites already serve over HTTPS with a wildcard certificate for *.azurewbesites.net. Is that "free" azurewebsites.net-address also available for shared websites with custom domain(s) so I can simply redirect all "pages" that require authentication via the https://xyz.azurewebsites.net address? I'm aware that would be a cross-domain redirect which is visible to the end-user but that is not an issue since it's only a select group of users...
Yes, using the *.azurewebsites.net domain is your only option to have HTTPS without extra cost. The domain is always available, even if you use a custom domain, because it's used for a few additional services (like your repo, remote console, ...).
I am trying to consume the certificate uploaded in azure website(not webrole) in my web app using following config
<microsoft.identityModel>
<!-- Service Configuration -->
<service>
<serviceCertificate>
<certificateReference findValue="2696C50B72CB368AEB11DE3B23CD226252A1BFD" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
</serviceCertificate>
<certificateValidation certificateValidationMode="None"/>
</service>
Code works fine on local system. But I am recieving error when deployed to azure website.
ID1024 The configuration property value is not valid
ID1025 Cannot find a unique certificate that matches the criteria
I then tried to browse all the certificates in my azure website(using code). But the certificate list does not contain my uploaded certificate.
Certificate is uploaded and can be seen in azure portal.
Custom domain is mapped and the uploaded certficiate is used against the domain.
But somehow my web app is unable to find the certificate. I tried all possible combination of StoreName and StoreLocation but in vain.
I think there may be some confusion on what the certificates you upload via the Configure tab for Websites are used for. Currently the certificates loaded there are ONLY used for SSL.
When looking at the little help icon next to the certificates section on the configure tab the tooltip states the following:
"This section lets you manage SSL certificates that you can bind to your custom domain names. Binding an SSL certificate to your custom domain name will allow your end users to access your site over HTTPS."
Windows Azure Web Sites exist at a process level, meaning that they can be started up on one machine but move around as the processes go up and down. If you aren't familiar with this I'd suggest reading up on how the hosting model works for Web Sites. Here is an article that covers it: Windows Azure Web Sites - A New Hosting Model for Windows Azure (full disclosure: I wrote the article).
Loading the certificate here I do not believe adds the certificate to any of the stores on the machines your web site runs on. Windows Azure would need to ensure that the cert is always on the machine the site is deployed to and since this is only at a process level and can change frequently (unless you are using standard) it doesn't make sense. The SSL certs are handled differently and as far as I know aren't really deployed to each machine.
As far as I know in order for you to load a certificate and use it you'll either need to look at a web role where loaded certs from the portal ARE placed into the store on the VM or look to see if you can load the certificate manually in code and ship the cert as content on your site (which seems a little less secure to me). I could just be overlooking an option though.