Using SSL with Windows Azure Web sites is a popular scenario, and while uploading and assigning a cert to your site is usually simple and straightforward (as discussed in our recent blog posts 1 and 2), some customers have had challenges with this when their certificate provider uses Intermediate certificates.
Intermediate certificates (also known as Chain certificates) are used by some certificate resellers, and their use is becoming more prevalent, as providers consider this to be more secure. For example, VeriSign and GoDaddy have stopped issuing unchained certificates in the past few years, and this affects providers depending on them such as Thawte and GeoTrust as well, of course.
Naturally, Windows Azure Web sites fully supports this scenario; to get it right, you just need to be aware of the steps required to get the intermediate certificate in there. The most common cause of problems is customers uploading the intermediate certificate itself to our servers. Another common mishap is uploading the server certificate without including the intermediate one. In either case, some browsers may issue an alert that the site is untrusted (for the most part, the user can still proceed, but this error is certainly alarming to many users and should be avoided).
To be clear – when a certificate provider uses the chained certificate model, you do need to upload the intermediate certificate, but the right way to do it is to upload both certificates together in a single file. As you may recall from our previous post on this topic, you are supposed to export your certificate to a PFX file (this is required so that the certificate includes its private key) for the purpose of the upload, and if that certificate was issued by an intermediate CA, you just need to make sure that your export includes** the intermediate certificate. To do so, make sure you check the option "Include all certificates in the certification path if possible" in the export wizard.
Doing this will result in a slightly larger PFX file, which will include all the information our servers need to deal with the certificate. To be clear, you shouldn’t export the Intermediate certificate itself, but rather your own server certificate. When you do so and check the correct option, the export includes both certificates in the PFX file, and our servers will deal with it correctly.
** An important thing to note here is that for this export to work right, the computer on which you perform it must itself have the intermediate certificate installed. When a certificate provider issues a certificate, it will usually provide you with the information and/or a link to install the intermediate cert, but in case you missed it or are unsure, we advise you to look for that mail and follow the instructions. You can also search your provider's website for related information (for example, here's GoDaddy's page and VeriSign's page).
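As an added example (not code from the original post or from Windows Azure), the following Python script, which assumes the third-party `cryptography` library, checks a PFX for the two mistakes described above before you upload it: the file contains a CA/intermediate certificate instead of the server certificate, or the server certificate's issuer is missing from the file. The `build_sample_pfx` helper only constructs throwaway sample data standing in for the wizard export.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12

def _make_cert(subject, issuer, pub_key, signing_key, is_ca):
    """Build a minimal X.509 certificate; constructed test data, not a real CA."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pub_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def build_sample_pfx(include_chain):
    """Constructed stand-in for the wizard export: a server cert issued by an intermediate CA."""
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Intermediate CA")])
    site_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")])
    ca_key = ec.generate_private_key(ec.SECP256R1())
    site_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _make_cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    site_cert = _make_cert(site_name, ca_name, site_key.public_key(), ca_key, False)
    return pkcs12.serialize_key_and_certificates(
        b"site", site_key, site_cert, [ca_cert] if include_chain else None,
        serialization.BestAvailableEncryption(b"pfx-password"))  # constructed password

def check_pfx_for_upload(pfx_bytes, password):
    """Return the problems that would make browsers distrust the site after upload."""
    key, leaf, extras = pkcs12.load_key_and_certificates(pfx_bytes, password)
    problems = []
    if key is None:
        problems.append("no private key: export again with the private key included")
    if leaf is None:
        return problems + ["no certificate found in the PFX"]
    try:
        is_ca = leaf.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    if is_ca:
        problems.append("this is a CA/intermediate certificate, not your server certificate")
    # A chained cert must carry its issuer; a self-signed cert has nothing to carry.
    if leaf.issuer != leaf.subject and not any(c.subject == leaf.issuer for c in extras or []):
        problems.append("intermediate %s is missing: re-export with 'Include all "
                        "certificates in the certification path'" % leaf.issuer.rfc4514_string())
    return problems
```

Run `check_pfx_for_upload(open("site.pfx", "rb").read(), b"your-password")` on a real export; an empty list means the file carries the private key, the server certificate, and its intermediate.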