(Imported from my old blog chinthanajayawardena.blogspot.com)
This is a problem I struggled with for some days, and I feel it is worthwhile to share that knowledge with others.
We can't untie all the knots at once, so let's go step by step.
First I would like to provide the steps for setting up SSL for a web site manually. There is no major difference between setting up SSL in Azure and on a normal web server, except that the Azure deployment package needs to carry instructions on how the SSL setup should be applied automatically (like an installation script). Azure servers are sometimes restarted for maintenance (such as OS upgrades), and if the package does not carry the correct instructions, any settings you configured manually on the server will be reset.
What is the first requirement for making an SSL web site?
You need to have a certificate for your domain name issued by an authorized SSL provider.
If you plan to have subdomains, you should obtain a wildcard SSL certificate.
How can you obtain an SSL certificate?
Create Certificate Request
- Open IIS and select the Web Server node
- On the right side panel under IIS category you will find an icon with the name “Server Certificates”. Go to that feature.
- You will see if you have certificates in that section.
- Under the “Actions” panel, click on “Create Certificate Request”
- Complete the fields, make sure your domain name is correctly filled in “Common Name” field.
- On “Next”, you need to provide Cryptographic Service Provider Properties.
- Most SSL providers have now raised the minimum key length to 2048 bits.
- There is no need to change the provider, but pick the 2048 bit length.
- On “Next”, you can provide the file path, where the certificate request will be saved.
- Then press “Finish”
- The generated file must be sent to the SSL provider.
Complete the Certificate Request
- The SSL provider will send you the certificate file once your organization is verified. Sometimes they send only the certificate string so you may have to copy and paste it into notepad and save it as a .cer file.
- You will have to go to IIS again.
- Go to Server Certificates Feature -> Complete Certificate Request
- In that popup, browse and pick the file you just saved as .cer file.
- Give a friendly name to the certificate that will distinguish this certificate from other certificates installed in the server.
- Press Ok.
(You can find these steps on most SSL providers' web sites.)
Now you have the SSL certificate for your domain name and it has been installed on the server. What's left is to configure an HTTPS binding for your web site. You can do that in the following steps:
- Select your web site node in the IIS
- Click on “Bindings” link under “Actions” panel
- Press “Add” button in the popup
- Pick the type as HTTPS
- Assign an IP Address
- Leave the port as 443
- Pick the certificate you just installed. It is listed under the friendly name you gave it.
- Press “OK”
- If you want your site to work only under HTTPS, check “Require SSL” in the “SSL Settings” Feature under the web site node.
Ok!!! Then are we done with the manual instructions for setting up SSL? That's a big NO. The whole point of running your site under SSL is to protect its users. If we validate the SSL setup for your domain name, it will indicate that you are missing some intermediate certificates. So, what are we missing? These are the certificates that vouch for your SSL provider. Sometimes you will find these SSL providers' certificates are installed by default on your server, but I am referring to the scenario where they are not :-/.
You will have to go to the SSL provider's web site to get these certificates, and the installation instructions will be on their web site. Mostly those certificates are installed under Local Computer -> Intermediate Certification Authorities.
You can check certificate installation using certmgr tool. Or just typing “mmc” in Run command tool and adding the Certificates snap-in.
Remember there is another thing you need to be aware of: these certificates can be revoked by their owner. If the SSL provider previously issued certificates that have since been revoked and reissued, you will have to disable or remove all of those old certificates from your certificate store.
Now I believe you have successfully completed setting up SSL manually.
Setup SSL in Azure package
Let's see what you have to do in the Azure package so that these certificates are configured automatically.
You can find some information on "How to configure an SSL certificate on an HTTPs endpoint" here: http://msdn.microsoft.com/en-us/library/windowsazure/ff795779.aspx
Usually the certificate issued for your domain name is installed in the Local Machine-> Personal folder in the Certificate Store.
To set up the domain certificate for the Web Role:
- Open the WebRole settings page.
- Go to the Certificates tab.
- Press “Add Certificate” button
- In the newly added row, look for the Thumbprint column.
- By pressing the “…” button you will get a popup listing certificates installed in the Certificate Store for Local Machine in the Personal Folder.
- If the domain certificate does not appear in the list, you will have to install or import it to that location. Otherwise, you can get the thumbprint from the certificate's Details tab and paste it here. (To get the thumbprint, double-click the .cer file and go to the Details tab; it lists the Thumbprint field.)
- You will have to install your SSL providers’ certificates in your development environment under the Local Machine->Personal folder in the Certificate Store.
- Once all your certificates are installed in the Personal folder, you can get them in the popup.
- First certificate would be the domain certificate, select it from the popup.
- The thumbprint automatically gets populated
- “Store Location” shall be “Local Machine”
- “Store Name” shall be “My”
- Give it a name of your choice.
To Setup the SSL Providers’ Certificates
- Repeat from step 3 to 5 of the above steps
- Select the certificate
- “Store Location” shall be “Local Machine”
- “Store Name” shall be “CA”
- Give a name for the certificate
- Repeat the above steps if the provider has more certificates.
Now your web role is ready to install all the certificates. But your certificate provider may have certificates that need to be disabled or removed.
How do you do that? Use the certutil command as follows in a startup command file. The -delstore option needs the certificate to remove to be identified (by its thumbprint or serial number); the value below is a placeholder for the revoked certificate in your store:
certutil -v -delstore authroot <thumbprint-of-the-revoked-certificate>
authroot means the store of non-Microsoft (third-party) root CAs.
Refer to the link given below for a better understanding of certificate store names. You can check with the SSL provider to figure out which store a certificate belongs to.
Now your package is ready for deployment. But if you try to deploy, you will get an error stating that the certificates in the package are not available in Azure. You will have to upload all the certificates to the Azure hosted service. To do that, you need the .PFX file of each certificate, not the .CER file. You can always create the PFX file of the domain certificate in the IIS where the domain certificate was created. Follow the steps given below:
- Go to IIS -> Server Certificates
- Select the domain certificate and click “Export”
- You will have to give a location for the file to be saved and a password for the file. Then press “OK”
How to create PFX files for the SSL provider's certificates
There is a way to do that using PowerShell ISE. The tool normally resides at C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe (it is similar to the command prompt tool).
This information is taken from here. You can refer to the semicolonsandcurlybraces link for more information. Special thanks to them; it motivated me to write this blog.
Execute the following code to generate the PFX file; you may change the password as you wish.
$c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\SSL_CA.cer")
$bytes = $c.Export("Pfx", "Password")   # PFX bytes protected by the given password (a CA .cer carries no private key, and that is fine for upload)
[System.IO.File]::WriteAllBytes("C:\SSL_CA.pfx", $bytes)   # write the PFX next to the .cer file
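As an added example (not part of the original post and not Azure's own tooling), the following PowerShell script does the intermediate-certificate check described earlier and the PFX export above in one go: it finds the domain certificate in LocalMachine\My, builds its chain with revocation checking, reports any certificate in the chain that is missing, revoked or untrusted (with the thumbprint you would pass to certutil -delstore), and writes each CA certificate in the chain to a PFX file. The subject name, output folder and password are assumptions you should change.

```powershell
# Added example: verify the domain certificate's chain and export the CA
# certificates in that chain to PFX files for upload to the hosted service.
param(
    [string]$Subject   = 'www.example.com',  # assumption: your domain's common name
    [string]$OutFolder = 'C:\certs',         # assumption: where the PFX files go
    [string]$Password  = 'Password'          # change as you wish
)

# Pick the newest certificate for the domain from LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Subject*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Subject in LocalMachine\My" }

# Build the chain the way a browser would: whole chain, online revocation check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$valid = $chain.Build($cert)

# Report problems per certificate; a revoked or untrusted CA shows up here,
# and its thumbprint is what certutil -delstore needs.
foreach ($el in $chain.ChainElements) {
    foreach ($s in $el.ChainElementStatus) {
        Write-Warning ('{0} [{1}]: {2}' -f $el.Certificate.Subject, $el.Certificate.Thumbprint, $s.Status)
    }
}
if ($chain.ChainStatus.Status -contains 'PartialChain') {
    Write-Warning 'Intermediate certificate missing: install it under Intermediate Certification Authorities'
}
Write-Host ('Chain valid: {0} ({1} certificates)' -f $valid, $chain.ChainElements.Count)

# Export every CA certificate in the chain (all elements except the leaf) to PFX.
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $ca   = $_.Certificate
    $name = $ca.GetNameInfo('SimpleName', $false) -replace '[^\w\-]', '_'
    $file = Join-Path $OutFolder "$name.pfx"
    [System.IO.File]::WriteAllBytes($file, $ca.Export('Pfx', $Password))
    '{0}  thumbprint={1}  -> {2}' -f $ca.Subject, $ca.Thumbprint, $file
}
```

The printed thumbprints are the values that go into the Thumbprint column of the Certificates tab, and the PFX files are what you upload to the hosted service.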
Now you have PFX files for your certificates. Upload them to the hosted service to which you plan to deploy the package.
A few more points for your information:
If you are familiar with Azure, you may be aware of how the URLs are generated: all of them are subdomains of cloudapp.net. With your domain name provider you will have to create a CNAME record pointing to the Azure production URL (or else an A record pointing to the IP address), so it may take a while for the DNS change to propagate. If you want to verify that the SSL certificate installation is correct, there are tools available from Verisign and DigiCert, and there may be more if you search for them.
Thanks for reading. I believe this will help someone.