Obtaining a Certificate for use with Windows Azure Web Sites (WAWS)

With the increase in cybercrime in recent years, securing your website with SSL is becoming a highly sought-after feature, and Windows Azure Web Sites provides support for it. To use it, you need to upload your certificate to Azure, and assign it to your site. Getting a certificate can be challenging, because the process involves several steps. In this guide we will describe the following ways to obtain a certificate:

  1. Using DigiCert’s certificate utility
  2. Using CertReq
  3. Using IIS

Background

The process of generating a certificate is comprised of two parts. First, the user creates a Certificate Signing Request, which is a textual file containing the details of the request. The user gives this file to his certificate provider of choice, and in return, gets a Certificate Response file, which he then installs on his server to complete the process and have a full certificate. To use this with your Windows Azure Web Sites, there’s a 3rd part where you export the certificate to a PFX file, which you can upload to your Azure account.

Most server products have some built in mechanism to generate the CSR files and process the Certificate Response file. In IIS, for example, this is a button on Actions pane:

4645.obtaining1.jpg-550x0

If you are a seasoned IIS administrator and have a server at your disposal, this is all pretty simple and straight forward. If not, this guide offers two other ways to do this.

Note: In all the following procedures, all 3 parts must be performed on the same computer. The reason for this is that the CSR request generates a private encryption/decryption key that is unique to this computer. If you try to complete the process on another computer, the Certificate Response would have no key to match, and will fail.

Create a CSR using DigiCert’s Certificate Utility

DigiCert’s Certificate Utility is a 3rd party tool that was designed to make the process of generating a CSR easier by providing a simple graphic user interface for the process. This is by far the easiest way to do this, but the DigiCert Certificate Utility is not a Microsoft tool, and it is not supported by Microsoft. You can download the tool here. This tool can be used with any certificate provider. The steps are:

  • Run the utility and click Create CSR on the top-right corner:
0284.Obtaining2.jpg-550x0
  • Type in the URL for your website, and the other details.
  • Select the key length. Note that Microsoft recommends a key length of 2048 bit
  • Click Generate and receive the CSR code:

6403.obtaining3.png-550x0

  • Use the resulting CSR code to purchase your certificate. Most providers will ask you to paste the text into their web page, while others may require you to save it to a file and upload it to their website. In return, they will provide you with a file carrying the .CER extension. Save this file on the computer you performed the CSR request on.
  • To complete the process, click Import on the top-right corner of the DigiCert utility, and navigate to the .CER file you received from your certificate provider. ***
  • Once this has completed, you will see the new cert in the tool. Click on it, and click Export Certificate on the bottom of the certificate list screen:
8105.obtaining4.jpg-550x0
  • Select to export the private key, and to export to a PFX file, which you can use with Azure Web Sites. Set a password for the export, which you will use later when uploading it to Azure:
1145.obtaining5.jpg-550x0

*** Some certificate providers might provide the certificate in a format that is not compatible with DigiCert’s utility. If the import does not succeed, you can use the utility described next to complete the process – follow step 5 in the next section to do this.

Create a CSR using the command-line tool CertReq

CertReq is a tool that is built into any modern version of the Windows operating system. It is designed to take a simple text file with some parameters, and produce a CSR file that you can send to your certificate provider. Once the provider has returned a CER file, you can use CertReq to complete the request. At that point, you can use the Windows Certificate Management console to export the certificate into the PFX format that Windows Azure Web Sites uses. Here are the steps for this:

  • Create an input file for CertReq. This is a simple text file that contains some details about your certificate. The most important one is the Subject Name, which would need to match the URL of the site you intend to use the certificate for. The following sample is a standard request, but if you like, you can read the documentation of CertReq and adjust the parameters to match your needs.
6835.bbbb.JPG-550x0

Adjust the highlighted portion to your site’s address. For example, if your site is going to be https://www.contoso.com, then the line would be:

Subject = “CN=www.contoso.com”

You can also adjust other properties of the request, but this is an advanced task. Visit this page for details about other options you can configure for CertReq.

  • Save the file on your hard drive as a text file, and then open a CMD window and navigate to where you saved the file.
  • Type the command CertReq –new MyRequest.txt MyRequest.csr, where MyRequest.txt is the name of the file you saved in the previous step, and MyRequest.csr is a target file name that will be created:
0878.obtaining6.jpg-550x0
  • Use the resulting MyRequest.csr file to purchase your certificate. Most providers will ask you to upload the file to their servers. Some providers might ask you to paste the content of the file into their web page (you can open the file in Notepad). In return, the provider will give you a file carrying the .CER extension. Copy this file to the computer you performed the CSR request on.
  • In a CMD window, navigate to where you stored the .CER file, and type CertReq –accept –user MyCertificate.cer.
7522.obtaining7.jpg-550x0
  • Open your certificate management console by pressing the Windows+R  key combination and typing certmgr.msc and then Enter
4212.obtaining8.jpg-550x0
  • In the certificate manager, navigate to Personal/Certificates. Your new certificate should be there:
1830.obtaining9.jpg-550x0
  • Right-click on the certificate and choose All Tasks/Export
  • In the wizard, select YES to export the private key, and on the next page, Personal Information Exchange – PKCS #12:
7065.obtaining10.jpg-550x0
  • On the next page, enable the password option, and type in a password of your choice. You will use it later when uploading the certificate. On the next page, type in a target path and name for the exported file:
7041.obtaining11.jpg-550x0
  • That’s it – the new PFX file can be uploaded to your account in Azure and used with your websites.

Create a CSR using IIS

If you have an IIS Server at your disposal, you can use it to generate the certificate. If you don’t, you can easily install it on any computer running Windows (Server or Client). The steps are:

  • Install IIS on the computer you wish to do this on.
  • Open the IIS management console
  • Click on your computer name on the left, then on Server Certificate in the middle, and then on Create Certificate Request on the right action pane:
5280.obtaining12.jpg-550x0
  • In the wizard, fill in the target URL for the site (without the HTTPS:// prefix) and the other details. Note that Microsoft recommends a key length of 2048 bit:
3113.obtaining13.jpg-550x0
  • Complete the wizard and use the resulting CSR file to purchase your certificate. Most providers will ask you to upload the file to their servers. Some providers might ask you to paste the content of the file into their web page (you can open the file in Notepad). In return, the provider will give you a file carrying the .CER extension. Copy this file to the computer you performed the CSR request on.
  • In the IIS console, click Complete Certificate Request in the action pane.
1033.obtaining14.jpg-300x0
  • Follow steps 6 through 11 in the previous section to export the certificate to a PFX file, which you can use with Azure Web Sites.

Next steps

Now that you have a certificate in the form of a PFX file, you can upload it to your Azure account and use it with web sites and other services. Visit this article for further information about this process. In some situations, your certificate needs might be different. For example, if you want to use a SAN certificate, or a self-signed certificate, the process for getting those are different. You can read about those here.