Generating a Self-Signed Certificate for Windows Azure Cloud Service

In Windows Azure Cloud Service, you will need an X.509 certificate to enable SSL for your site and RDP for your role instances. For test purposes, you may just want to generate a self-signed certificate instead of getting one from a Certificate Authority (CA). In this post, I will walk through how to generate and apply a self-signed certificate to a Cloud Service.

To create your own self-signed certificate, you can open a Visual Studio command prompt as an administrator and run the makecert command to create a certificate. You need to replace with a name you want your certificate to be called:

For example, the following command will create a certificate name as

The makecert command will add the self-signed certificate to the Personal certificate store automatically. You can open CertMgr.msc to view the certificate in the Personal certificate store.


Before you can use it in the Cloud Service, you will need to export the certificate to a pfx format including the private key. In the Certificate Manager Tool, right click the certificate and select All Tasks > Export.


Follow the Certificate Export Wizard and make sure to select Yes, export the private key option.


You can take the default settings in the Export File Format screen.


You will need to select the Password option and set the password to protect the exported file. You will need to type the password when you import it to the Cloud Service.


In the File to Export screen, specify where you want to save the exported certificate.

Click Finish on the confirmation screen to export the certificate.

In the Windows Azure Portal, go to the Cloud Service you want to apply the certificate to.

In the CERTIFICATES section, click UPLOAD at the bottom of the screen to start the import process. You will need to locate your exported file, the one with the pfx extension, and provide the password you set.

The certificate should be uploaded and imported to the Cloud Service shortly. Make a note of the Thumbprint of the certificate. You will need it when you adjust your Cloud Service application in Visual Studio.


In Visual Studio, right-click the role in your Cloud Service project, select Properties, and go to the Certificates section. There you can add the certificate you uploaded to the Cloud Service in Windows Azure. In my screen shot, I have two entries. Certificate 1 was the one I added. The Microsoft.Windows… one was added when I enabled RDP to role instances during the publishing process. You will need to provide the Thumbprint that you noted after uploading the certificate. Make sure the Thumbprint is in all capital letters without any spaces or hyphens. The Name of the certificate is an arbitrary name that helps you identify the certificate.
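
The generate, export and thumbprint steps above can also be scripted. The following is an added example, not from the original post: it uses PowerShell's PKI cmdlets instead of makecert and the export wizard, and assumes the PKI module shipped with Windows 10 / Server 2016 or later. The DNS name, the file path and the helper function `ConvertTo-CleanThumbprint` are hypothetical.

```powershell
# Added example: the values below are placeholders, not taken from the post.
$dnsName = 'myservice.cloudapp.net'                        # hypothetical site DNS name
$pfxPath = Join-Path $env:TEMP 'myservice-selfsigned.pfx'  # hypothetical output path

# Create the certificate in the current user's Personal store (the store
# CertMgr.msc shows) with an exportable key-exchange private key.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddMonths(6)   # short lifetime for a test certificate

# Prompt for the PFX password so it never lands in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Export certificate plus private key; this is the file uploaded in the portal.
# The PFX holds the private key: delete it once the upload has succeeded.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Normalize a thumbprint to the form the role's Certificates section expects:
# upper-case hex, no spaces or hyphens, no invisible characters picked up
# when copying from a certificate dialog.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    return $clean
}

# Thumbprint of the certificate just created.
ConvertTo-CleanThumbprint $cert.Thumbprint

# Constructed sample of a value pasted from a dialog: a leading left-to-right
# mark (U+200E), lower-case hex and spaces between bytes.
$pasted = "$([char]0x200E)a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b"
ConvertTo-CleanThumbprint $pasted
```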


You will need to add an endpoint in the Endpoints section and associate it with the certificate to enable SSL. The SSL Certificate Name is the name you set in the Certificates section. The Name is an arbitrary name that helps you identify the endpoint. Make sure to set the Protocol to https. The Public Port is the external port that users will use to access the site. For SSL, it is usually set to 443, but feel free to use a different port for your requirements.


You will also need to select HTTPS endpoint to enable HTTPS in the Configuration section.


The last step is to publish your cloud service application to Windows Azure.


In the Publish Settings screen, you may want to select the Enable Remote Desktop for all roles option to enable RDP access to the role instances that are provisioned for your Cloud Service. If you enable RDP access, you will need to set the user name and password to connect to your role instances. You can use the same certificate to encrypt your user credentials.

Once your Cloud Service application is published, you should be able to access the site with HTTPS and RDP into the role instances with the credential you set.


You will see a warning while accessing the site in the browser because it is a self-signed certificate. If you want to get rid of the warning, you will need to make sure the Certificate Name matches the site's DNS name, and you also need to install the certificate into the Trusted Root Certification Authorities store in the Certificate Manager Tool.


If you prefer to modify the service definition and configuration files directly, you can refer to Configuring SSL for an application in Windows Azure.

2 Responses to Generating a Self-Signed Certificate for Windows Azure Cloud Service

  1. Manu Jacob says:

    Great article and it worked with the exact same steps. Thanks

  2. Srihari says:

    This article is really great! Found it really handy!
