Using Self-Signed certificate for Web Sites on Windows Server for Hosting Service Providers
Microsoft is bringing Windows Azure Web Sites, Virtual Machines, Service Management Portal and API to Windows Server, enabling service providers to easily deliver high-density website hosting and Infrastructure as a Service scenarios in a Windows Server-based environment.
For more information regarding this exciting product, check out the document here.
One of the coolest features of this product is SSL. Instead of using a wildcard certificate for all web sites, the Centralized Certificate Store feature introduced in IIS 8 lets each customer use their own certificate, one that exactly matches their web site's DNS name, for their SSL web site. This brings SSL web site density to a significantly higher level.
For testing/development purposes, you may want to use self-signed certificates. This article describes how to use self-signed certificates on Web Sites on Windows Server for Hosting Service Providers.
At first, I tried using the PowerShell cmdlet “New-SelfSignedCertificate” and couldn’t make it work. Then I followed this article, and it worked perfectly.
Here are the steps.
Create Root Authority
makecert -n "CN=MyTestCA" -r -sv MyTestCA.pvk MyTestCA.cer
- A dialog box will pop up asking you to provide a password for the private key. Remember this password; you will need it when signing the server certificate.
- 2 files will be generated: MyTestCA.pvk and MyTestCA.cer
Install the Root Certificate
Install the root certificate MyTestCA.cer into the Trusted Root Certification Authorities store (Local Computer store) on the following roles:
- Sites RestAPI
- Sites Frontend
- Client machines used for testing/development
Generate the Server Certificate
Run the following command to generate the server certificate for your web site. For example, if your site name is www.test.com, the command is:
makecert -pe -iv MyTestCA.pvk -n "CN=www.test.com" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic MyTestCA.cer www.test.com.cer
Export the Server Certificate
The www.test.com.cer file generated by the command above can’t be used on its own, since it doesn’t contain the private key. We need to export the certificate together with its key. You can use either the Certificates MMC snap-in (Local Computer store) or the following command (certmgr is a tool included in the Windows SDK):
certmgr -c -s -r localMachine MY
You now have a certificate named .pfx that contains the private key and is protected by a password.
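One way to check the exported PFX before uploading it, as an added example that is not part of the original article: it confirms that the file holds a private key, that the subject matches the site name, that the Server Authentication EKU is present, and that the chain ends at MyTestCA in the local trusted root store. The PFX path is a placeholder, since the file name depends on how you exported it.

```powershell
# Added example: sanity-check an exported PFX before uploading it to the tenant portal.
# $PfxPath is a hypothetical placeholder; host name and CA name are the ones used above.
param(
    [string]$PfxPath  = '.\site.pfx',
    [string]$HostName = 'www.test.com',
    [string]$RootName = 'MyTestCA'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # same OID that was passed to makecert -eku

# Load the PFX with the password chosen at export time.
$path = (Resolve-Path $PfxPath).Path
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $path, $password

$results = [ordered]@{}

# 1. A .cer-style export would load fine but carry no private key.
$results['Has private key'] = $cert.HasPrivateKey

# 2. The subject CN must match the site's DNS name exactly.
$simpleName = [Enum]::Parse([type]"$x509.X509NameType", 'SimpleName')
$results["Subject CN is $HostName"] = ($cert.GetNameInfo($simpleName, $false) -eq $HostName)

# 3. The certificate must be allowed for server authentication.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
$results['Server Authentication EKU'] = [bool]$hasServerAuth

# 4. The chain must build and end at the test root in this machine's trusted store.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the test CA publishes no CRL
$chainOk = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootOk = $chainOk -and ($root.GetNameInfo($simpleName, $false) -eq $RootName)
$results["Chains to trusted root $RootName"] = $rootOk

# Report each check; list chain errors (for example UntrustedRoot) if the build failed.
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'FAIL' }
    '{0,-40} {1}' -f $entry.Key, $state
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  chain: $($_.Status)" }
}
if ($results.Values -contains $false) { exit 1 }
```

Run it on a machine where MyTestCA.cer has been installed as a trusted root; on any other machine the chain check fails with UntrustedRoot, which is the same condition that makes the Sites roles or a test client reject the certificate.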
Enable Self-Signed Certificate
Before using the self-signed certificate, we have to change the hosting configuration to allow self-signed certificates.
- Log on to the controller role as an administrator
- Open a PowerShell console and run the following commands:
  - Add-PSSnapin WebHostingSnapin
  - Set-HostingConfiguration -AllowSelfSignedCertificates $true
Upload the Certificate
Finally, you can upload and use your own self-signed certificate on the tenant portal.
- Log on to the tenant portal
- Click the name of the site you want to upload the certificate for
- Click the “CERTIFICATES” on the top-right
- Click “UPLOAD CERTIFICATE” in the middle-bottom and follow the instructions
Now open IE and browse to your site using HTTPS. You should see that the uploaded self-signed certificate is used.
See you next time,
Wei from APGC DSI Team
Comments
- Anonymous
July 30, 2013
What is the Windows Server 2012/PowerShell 3 equivalent?