In Windows Azure Cloud Service, you will need an X.509 certificate to enable SSL for your site and RDP for your role instances. For test purposes, you may just want to generate a self-signed certificate instead of getting one from a Certificate Authority (CA). In this post, I will walk through how to generate and apply a self-signed certificate to a Cloud Service.
To create your own self-signed certificate, you can open a Visual Studio command prompt as an administrator and run the makecert command to create a certificate. You need to replace with a name you want your certificate to be called:
For example, the following command will create a certificate named schen.cloudapp.net.
The makecert command will add the self-signed certificate to the Personal certificate store automatically. You can open CertMgr.msc to view the certificate in the Personal certificate store.
Before you can use it in the Cloud Service, you will need to export the certificate to PFX format, including the private key. In the Certificate Manager Tool, right-click the certificate and select All Tasks > Export.
Follow the Certificate Export Wizard and make sure to select the Yes, export the private key option.
You can take the default settings in the Export File Format screen.
You will need to select the Password option and set the password to protect the exported file. You will need to type the password when you import it to the Cloud Service.
In the Windows Azure Portal, go to the Cloud Service you want to apply the certificate to.
In the CERTIFICATES section, click UPLOAD at the bottom of the screen to start the import process. You will need to locate your exported file, the one with the .pfx extension, and provide the password you set.
The certificate should be uploaded and imported to the Cloud Service shortly. Make a note of the Thumbprint of the certificate. You will need it when you adjust your Cloud Service application in Visual Studio.
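The local steps above (creating the certificate, exporting it with its private key, and recording the thumbprint) can also be scripted. The following is an added example, not from the original post: it uses the New-SelfSignedCertificate and Export-PfxCertificate cmdlets in place of makecert and the export wizard, and the output path and the ConvertTo-CleanThumbprint helper are hypothetical names chosen for illustration.

```powershell
# Added example, not from the original post. Scripted equivalent of the
# makecert + Certificate Export Wizard steps, using the built-in PKI cmdlets.
# Assumes Windows 10 / Windows Server 2016 or later.

$dnsName = 'schen.cloudapp.net'                          # name from the post's example
$pfxPath = Join-Path $env:TEMP 'cloudservice-test.pfx'   # hypothetical output path

# Create the self-signed certificate in the current user's Personal store.
# KeySpec KeyExchange marks the private key as usable for encryption
# (key exchange), not only for signing.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyLength 2048 -KeySpec KeyExchange `
    -NotAfter (Get-Date).AddYears(1)

# Export the certificate plus private key to a password-protected PFX.
# Read-Host -AsSecureString keeps the password out of the script text.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Reduce a thumbprint string to 40 uppercase hex characters with no spaces
# or hyphens. Text copied from a certificate dialog can also carry an
# invisible Unicode character, which the same replace removes.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

$thumbprint = ConvertTo-CleanThumbprint $cert.Thumbprint
"PFX written to $pfxPath"
"Thumbprint: $thumbprint"

# Constructed input: the cleanup applied to a value pasted with separators.
ConvertTo-CleanThumbprint 'a1 b2 c3 d4 e5-f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4'
```

The printed thumbprint should match the one the portal shows after the upload. The PFX file contains the private key, so delete it once the upload is done.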
In Visual Studio, right-click the role in your Cloud Service project, open its Properties, and go to the Certificates section. You will be able to add the certificate you uploaded to the Cloud Service in Windows Azure there. In my screenshot, I have two entries. The Certificate 1 was the one I added. The Microsoft.Windows… one was added when I enabled RDP to role instances during the publishing process. You will need to provide the Thumbprint which was captured after you uploaded the certificate. Make sure the Thumbprint is in all capital letters without any spaces or hyphens. The Name of the certificate is an arbitrary name that helps you identify the certificate.
You will need to add an endpoint in the Endpoints section and associate it with the certificate to enable SSL. The SSL Certificate Name is the name you set in the Certificates section. The Name is the arbitrary name that helps you identify the endpoint. Make sure to set the Protocol to https. The Public Port is the external port that users will use to access the site. For SSL, it is usually set to 443, but feel free to use a different port for your requirements.
You will also need to select the HTTPS endpoint to enable HTTPS in the Configuration section.
The last step is to publish your cloud service application to Windows Azure.
In the Publish Settings screen, you may want to select the Enable Remote Desktop for all roles option to enable RDP access to the role instances that are provisioned for your Cloud Service. If you enable RDP access, you will need to set the user name and password to connect to your role instances. You can use the same certificate to encrypt your user credentials.
Once your Cloud Service application is published, you should be able to access the site with HTTPS and RDP into the role instances with the credentials you set.
You will see a warning while accessing the site in the browser because it is a self-signed certificate. If you want to get rid of the warning, you will need to make sure the Certificate Name matches the site's DNS name, and you also need to install the certificate in the Trusted Root Certification Authorities store using the Certificate Manager Tool.
If you prefer to modify the service definition and configuration files directly, you can refer to Configuring SSL for an application in Windows Azure.