Deploying an SSL Application to Windows Azure – The Dark Secret
- by ToStringTheory
When working on an application that had been in production for some time, but was about to have a shopping cart added to it, the necessity for SSL certificates came up. When ordering the certificates through the vendor, the certificate signing request (CSR) was generated through the providers (http://register.com) web interface, and within a day, we had our certificate. At first, I thought that the certification process would be the hard part… Little did I know that my fun was just beginning… The Problem I’ll be honest, I had never really secured a site before with SSL. This was a learning experience for me in the first place, but little did I know that I would be learning more than the simple procedure. I understood a bit about SSL already, the mechanisms in how it works – the secure handshake, CA’s, chains, etc… What I didn’t realize was the importance of the CSR in the whole process. Apparently, when the CSR is created, a public key is created at the same time, as well as a private key that is stored locally on the PC that generated the request. When the certificate comes back and you import it back into IIS (assuming you used IIS to generate the CSR), all of the information is combined together and the SSL certificate is added into your store. Since at the time the certificate had been ordered for our site, the selection to use the online interface to generate the CSR was chosen, the certificate came back to us in 5 separate files: A root certificate – (*.crt file) An intermediate certifcate – (*.crt file) Another intermediate certificate – (*.crt file) The SSL certificate for our site – (*.crt file) The private key for our certificate – (*.key file) Well, in case you don’t know much about Windows Azure and SSL certificates, the first thing you should learn is that certificates can only be uploaded to Azure if they are in a PFX package – securable by a password. Also, in the case of our SSL certificate, you need to include the Private Key with the file. As you can see, we didn’t have a PFX file to upload. If you don’t get the simple PFX from your hosting provider, but rather the multiple files, you will soon find out that the process has turned from something that should be simple – to one that borders on a circle of hell… Probably between the fifth and seventh somewhere… The Solution The solution is to take the files that make up the certificates chain and key, and combine them into a file that can be imported into your local computers store, as well as uploaded to Windows Azure. I can not take the credit for this information, as I simply researched a while before finding out how to do this. Download the OpenSSL for Windows toolkit (Win32 OpenSSL v1.0.1c) Install the OpenSSL for Windows toolkit Download and move all of your certificate files to an easily accessible location (you'll be pointing to them in the command prompt, so I put them in a subdirectory of the OpenSSL installation) Open a command prompt Navigate to the folder where you installed OpenSSL Run the following command: openssl pkcs12 -export –out {outcert.pfx} –inkey {keyfile.key} –in {sslcert.crt} –certfile {ca1.crt} –certfile (ca2.crt)
From this command, you will get a file, outcert.pfx, with the sum total of your ssl certificate (sslcert.crt), private key {keyfile.key}, and as many CA/chain files as you need {ca1.crt, ca2.crt}.
Taking this file, you can then import it into your own IIS in one operation, instead of importing each certificate individually. You can also upload the PFX to Azure, and once you add the SSL certificate links to the cloud project in Visual Studio, your good to go!
Conclusion
When I first looked around for a solution to this problem, there were not many places online that had the information that I was looking for. While what I ended up having to do may seem obvious, it isn’t for everyone, and I hope that this can at least help one developer out there solve the problem without hours of work!
