I recently read an article written by Jeff Atwood on Coding Horror about whether we should encrypt all the traffic to our websites. I have a website that uses external login accounts with the help of .NET Identity, so I must serve my site over HTTPS before letting users log in with their Facebook or Google accounts.
Purchase SSL Certificate from RapidSSL
My website is a .NET web application with MVC 5 as the front-end, hosted on an Azure Cloud Service. I bought the SSL certificate from RapidSSL.
Previously, when I renewed the certificate for a web application hosted on a virtual machine, I could simply RDP into the virtual machine and configure its IIS settings. For an Azure Cloud Service managed through the Azure Management Portal, the procedure is a bit different.
Enter Certificate Signing Request (CSR)
During the purchase of the SSL certificate on RapidSSL, I needed to submit a CSR. To generate one, I simply launched the IIS Manager on my Windows 8.1 machine. The process is straightforward, as demonstrated on the DigiCert website. The steps are as follows.
- Double click on “Server Certificates” feature of the local server;
- Under the “Action” panel, choose “Create Certificate Request…” link;
- A window called “Distinguished Name Properties” then pops up;
- Key in the correct information about the Common Name (which is the domain name of my website) and organization in the window;
- Choose “Microsoft RSA SChannel Cryptographic Provider” as the cryptographic service provider;
- Input “2048” as bit length.
The CSR was generated successfully. I copied the generated text into the RapidSSL textbox to continue the purchase.
Install SSL Certificate
After my payment went through, I received the certificate in text format via email from RapidSSL as shown below.
Web Server CERTIFICATE
----------------
-----BEGIN CERTIFICATE-----
<encoded data>
-----END CERTIFICATE-----
I then copied it to a text file and saved the file with the .cer extension.
Then I went back to the IIS Manager on my computer. In the same Actions panel where I created the CSR, I chose another option, “Complete Certificate Request…”. In the new window, I provided the .cer file saved earlier.
Update Service Definition File
After that, in the Visual Studio Solution Window of my web project, I added a <Certificates> section, a new <InputEndpoint> for HTTPS, and a <Binding> element to map the HTTPS endpoint to my website within the WebRole section in the ServiceDefinition.csdef file.
<WebRole name="MyWebsiteWeb" vmsize="Medium">
  <Sites>
    <Site name="Web">
      <Bindings>
        ...
        <Binding name="HTTPSEndpoint" endpointName="EndpointS" />
      </Bindings>
    </Site>
  </Sites>
  <Endpoints>
    ...
    <InputEndpoint name="EndpointS" protocol="https" port="443" certificate="SampleCertificate" />
  </Endpoints>
  ...
  <Certificates>
    <Certificate name="SampleCertificate" storeLocation="CurrentUser" storeName="My" />
  </Certificates>
</WebRole>
Update Service Configuration File
In addition, I edited the ServiceConfiguration.Cloud.cscfg file with one new <Certificates> section in the Role section.
<Role name="MyWebsiteWeb">
  ...
  <Certificates>
    ...
    <Certificate name="SampleCertificate" thumbprint="xxxxxx" thumbprintAlgorithm="xxx" />
  </Certificates>
</Role>
Both the thumbprint and thumbprintAlgorithm can be retrieved by double clicking on the .cer file.
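The thumbprint value in the .cscfg is the digest of the certificate's DER bytes written as 40 uppercase hex digits without separators, whereas the Windows certificate viewer displays it with spaces between bytes and can prepend an invisible left-to-right mark when copied, which Azure then fails to match against the uploaded certificate. The script below is an added example (not from the original post): it computes the thumbprint from the .cer text received by e-mail and checks the ServiceConfiguration.Cloud.cscfg entry against it; the certificate bytes, the .cscfg fragment and the names in it are constructed stand-ins.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: NOT a real certificate, just stand-in bytes for the DER body that
# sits between the BEGIN/END CERTIFICATE lines of the e-mailed .cer text.
SAMPLE_DER = b"constructed-sample-der-bytes-not-a-real-certificate"
SAMPLE_CER = ("Web Server CERTIFICATE\n----------------\n-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n")

def pem_to_der(cer_text: str) -> bytes:
    """Pull the base64 body out of the .cer text and decode it to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cer_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in .cer text")
    return base64.b64decode("".join(m.group(1).split()))

def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as the .cscfg expects it: digest of the DER, uppercase hex, no separators."""
    return hashlib.new(algorithm.lower(), der).hexdigest().upper()

def normalize_thumbprint(pasted: str) -> str:
    """Clean a value copied from the Windows certificate viewer, which shows the bytes
    separated by spaces and may prepend an invisible left-to-right mark (U+200E)."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", pasted).upper()
    if len(cleaned) != 40:
        raise ValueError(f"a sha1 thumbprint has 40 hex digits, got {len(cleaned)}")
    return cleaned

def cscfg_matches_cer(cscfg_xml: str, cert_name: str, cer_text: str) -> bool:
    """True if the named <Certificate> entry in ServiceConfiguration.Cloud.cscfg carries the
    thumbprint of the certificate actually received. Tags are compared without namespace,
    so the real file (which declares the ServiceConfiguration namespace) parses the same."""
    expected_der = pem_to_der(cer_text)
    for el in ET.fromstring(cscfg_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Certificate" and el.get("name") == cert_name:
            algorithm = el.get("thumbprintAlgorithm", "sha1")
            return normalize_thumbprint(el.get("thumbprint", "")) == thumbprint(expected_der, algorithm)
    return False

# Constructed .cscfg fragment in the shape shown above, filled with the computed thumbprint.
SAMPLE_CSCFG = f"""<ServiceConfiguration serviceName="MyWebsite">
  <Role name="MyWebsiteWeb">
    <Certificates>
      <Certificate name="SampleCertificate" thumbprint="{thumbprint(SAMPLE_DER)}" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>"""
```

Run it against the real .cer and .cscfg by reading both files into strings; a False result means the thumbprint in the configuration is not the certificate you are about to upload.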
Export Certificate as .pfx File
When I uploaded the .cer file to the Azure Management Portal, it didn’t work. I had no idea why. Hence, I tried the alternative, which is using a .pfx file. To do that, I first exported the certificate as a .pfx file.
Firstly, I launched the Microsoft Management Console by running mmc.exe.
Secondly, I did the following steps to trigger the Certificate Export Wizard.
- File > Add/Remove Snap-in…
- Choose “Certificate” under “Available snap-ins” and then click “Add >”
- In the popup “Certificates snap-in” window, choose “Computer account”
- With that choice, I set the snap-in to always manage the “Local computer”
- After clicking the “Finish” button, I clicked the “Certificates” folder under the “Personal” folder under “Certificates (Local Computer)” under the “Console Root”
- Right-click the certificate to export and choose Export
- Finally the “Certificate Export Wizard” appears!
Finally, in the wizard, I took the following steps to create a .pfx file of the certificate.
- Choose to export private key with the certificate
- Choose the format Personal Information Exchange – PKCS #12, including all certificates in the certification path if possible
- Enter a password to protect the private key
More detailed instructions can be found online, for example a page on Thawte about exporting a certificate from Microsoft IIS 7.
Upload Certificate to Azure
I then uploaded it to Microsoft Azure. It’s very simple: choose the cloud service, then upload the .pfx file (entering the password used earlier to protect the private key) to the certificate collection of the cloud service.
That’s all. It’s pretty straightforward, isn’t it?
If you would like to read more about Azure Cloud Service and SSL, please read the following articles which I find to be very useful.
- Configuring SSL for an application in Azure
- Windows Azure, SSL, Self-Signed Certificate and Annoying HTTPS Input Endpoint Does Not Contain Private Key Error