Adding an HTTPS Endpoint to a Windows Azure Cloud Service

[Update: With the November 2009 release of the Windows Azure Tools - this post is now obsolete - an updated post is available here]

Lately there have been a couple of threads on the forum and some internal email around setting up an https endpoint on a Windows Azure Cloud Service.

A good starting point is this article, but there are some common issues that people run into that I wanted to talk about.

First are the cert requirements. 

  • The certificate must contain a private key that is marked exportable
  • The certificate must have the Server Authentication Intended Purpose

When running on the Development Fabric, the certificate also needs to be self-signed – this is to prevent any security issues around leaking the private key of a real certificate.

Let’s walk through the steps to try an https endpoint on the Development Fabric:

1) Open the ServiceDefinition.csdef file in the CloudService project in Visual Studio and add a second InputEndpoint to the WebRole:

  <WebRole name="WebRole">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" />
    </InputEndpoints>
  </WebRole>

2) If you have a self-signed certificate that meets the requirements above, you can skip ahead to step 9. Otherwise, let’s use the IIS Manager to create a self-signed certificate.

3) Open the IIS Manager and select “Server Certificates”

4) On the right side under “Actions”, select “Create Self-Signed Certificate…”

5) Follow the steps in the IIS Manager and you’ll have a new self-signed cert that supports Server Authentication and has an exportable private key.

6) The newly created cert will be put in the Personal store in the Local Computer location. Windows Azure Tools (including cspack) look for the certs in the Personal store in the Current User location (we needed to settle on a location and didn’t want it to be one that requires admin elevation).

7) To move the certs to the Current User location, you can run mmc, add the Certificates snap-in for both “My User Account” and “Computer Account” and drag and drop the certificates to the Personal store in the Current User location.  Alternatively, you can export and import.

8) If you ever export/import the cert, make sure you export the private key and on import mark the key as exportable:

9) Right click on the Cloud Service project in the VS Solution Explorer and click “Properties”. Click on the SSL tab, check “Enable SSL Connections” under Development and click “Select from Store…”.

10) Select your certificate.  Hit F5 to run.

11) Navigate to the https endpoint -- the browser will complain as expected because you are using a self-signed certificate:

12) To see the actual ports that were used for your service, you can bring up the Development Fabric UI (right click on the Development Fabric tray icon) and click on the Service Details for your Deployment:

13) When you are ready to publish to the real cloud, use the SSL Cloud Service settings to select a certificate for Publish – this is the certificate that is used when publishing for deployment.

Troubleshooting

  • If you see the error “Role start failed for one or more roles” when specifying an https endpoint, most likely this is because you are trying to use a certificate that does not have an exportable private key.
  • If you see the error “can't locate service descriptions”, most likely this is because you attempted to use a non self-signed certificate when running on the Development Fabric.
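The certificate requirements, steps 3 through 8, and the two troubleshooting errors above all come down to three checks on the certificate. The following PowerShell is an added example, not code from the original post or from the Windows Azure Tools: it creates a self-signed certificate that meets both requirements directly in the Current User\Personal store (where the tools look), and then tests any certificate against each requirement, reporting which troubleshooting error a failure would produce. It assumes the PKI module’s New-SelfSignedCertificate cmdlet (Windows 8 / Server 2012 or later), which postdates the IIS Manager steps in the post; the function names are the example’s own.

```powershell
# Added example (not from the original post): create a Development Fabric
# certificate that meets the requirements, and check a certificate against them.
# Assumes the PKI module (New-SelfSignedCertificate); function names are hypothetical.

function New-DevFabricCertificate {
    param(
        # Constructed sample subject name; on the Development Fabric any name works.
        [string]$DnsName = "localhost"
    )
    # 2.5.29.37 is the Extended Key Usage extension; 1.3.6.1.5.5.7.3.1 is Server Authentication.
    # -KeyExportPolicy Exportable marks the private key exportable, which cspack requires.
    # A CSP (not CNG) provider is requested so CspKeyContainerInfo is readable in the check below.
    New-SelfSignedCertificate `
        -DnsName $DnsName `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy Exportable `
        -KeySpec KeyExchange `
        -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

function Test-DevFabricCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $serverAuthOid = "1.3.6.1.5.5.7.3.1"
    $problems = @()

    # Requirement 1: a private key that is marked exportable.
    # A missing or non-exportable key is the usual cause of "Role start failed for one or more roles".
    if (-not $Certificate.HasPrivateKey) {
        $problems += "no private key (exported/imported without the key?)"
    } else {
        try {
            $key = $Certificate.PrivateKey
            if ($null -eq $key) {
                $problems += "private key is a CNG key; exportability could not be read from CspKeyContainerInfo"
            } elseif (-not $key.CspKeyContainerInfo.Exportable) {
                $problems += "private key is not marked exportable"
            }
        } catch {
            $problems += "private key exportability could not be read (CNG key?): $($_.Exception.Message)"
        }
    }

    # Requirement 2: the Server Authentication intended purpose (EKU).
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
    if (-not $hasServerAuth) {
        $problems += "Server Authentication EKU ($serverAuthOid) is missing"
    }

    # Development Fabric only: the certificate must be self-signed.
    # A CA-issued certificate here typically produces "can't locate service descriptions".
    if ($Certificate.Subject -ne $Certificate.Issuer) {
        $problems += "not self-signed (Subject differs from Issuer); the Development Fabric rejects it"
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: create a certificate and check it, then check everything in the store the
# Windows Azure Tools actually search (Current User\Personal), which needs no elevation.
$cert = New-DevFabricCertificate -DnsName "localhost"
Test-DevFabricCertificate -Certificate $cert
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-DevFabricCertificate -Certificate $_ }
```

Creating the certificate straight into Cert:\CurrentUser\My skips the Local Computer to Current User move in steps 6 and 7. If you instead export and import an existing certificate (step 8), run Test-DevFabricCertificate on the imported copy: a key imported without the exportable flag fails the first check even though HasPrivateKey is true.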

Comments

  • Anonymous
    May 23, 2009
    Jim, this was really helpful. I've got a little addition that might be of help to anyone who wants to simulate this working but not get the warning about the certificate not matching the certificate (during testing): if you modify your hosts file to map 127.0.0.1 to the name of the self-signed certificate you won't get a certificate warning (on your local machine). Please do note that a) be careful with this - if you forget you did this you'll eventually be sorry so "handle with care"; b) this will only work if you redirect your page on launch to the new name; and c) this is obviously not going to work up in the Azure fabric - however you're going to want a real certificate for that anyway! Regards, Dave Remmer

  • Anonymous
    November 24, 2009
    Great post! I have tried implementing this on the cloud, and I noticed there are a couple of steps before deploying the solution (deploy the certificates etc.) http://blogs.msdn.com/davethompson/archive/2009/11/24/add-ssl-security-to-your-azure-webrole.aspx are there any thoughts about deploying the certificates along with the cspkg?

  • Anonymous
    November 25, 2009
    Thanks DaveT, great post. With the November release, you can no longer deploy the certificates with the cspkg. In other words, this post is now obsolete and will be updated with the new mechanism (similar to your post in fact)

  • Anonymous
    November 27, 2009
    thanks jnak, I noticed that there was a way of doing it with the previous sdk, I thought I may have been missing something. Good to have confirmation.