Saturday, October 15, 2011

Setting up a secure Windows Azure web role with a GoDaddy SSL certificate

For the current project I am working on I am using Windows Azure as the platform, and I need to figure out how to set up SSL for the web apps I am deploying to Windows Azure. The documentation online is sparse and fragmented. All the information I am providing here is available somewhere, but it is not all together in one place.

Now, the reason for this article: you need to create a certificate file with a private key for import, but the SSL certs from GoDaddy are chained and you don't have the private key for the chained certificates. From my research VeriSign certificates will work without issue when uploaded to Windows Azure, but very few people got GoDaddy's certificates to work properly. However, VeriSign certificates cost way more than $12.99 (Google for discount) per year, so hopefully this article will save you some money.

To set up HTTPS on Windows Azure you need to create a certificate file that contains the private key and embeds the chained certificates, so you can upload them to Windows Azure. There are many ways to set up the SSL certificate and export it for use later, but I have only found one way to correctly install and export the SSL certificate so that it contains the chained certificates as well. I am sure the steps here apply to other vendors, but GoDaddy is the only one I tested with, so I am putting that down as a pre-condition.

This article assumes the following:
  • you know how to manage your domain and sub-domain with your domain registrar
  • you purchased an SSL certificate from GoDaddy
  • you are building .NET web applications with Visual Studio
  • you are using Azure web role to host your web application
solution layout
The first step is to create a dummy project and get it running locally. Since we are only discussing setting up SSL, your test app should contain no access to a database or external resources, just to minimize the places where your app might fail. If you have something that's already deployed to Windows Azure and it works, then you can use that as well. I am going to reuse the Html5 project I created for another article. In the same solution where your sample web project is, simply create a Windows Azure project. After the Windows Azure project has been created, right-click on the Roles folder and select Add->Web Role Project in Solution. If you don't have an existing project to work with, simply create a new one right now.

Once you have the project up and running locally, you are ready to deploy it to Azure. We want to make sure the non-secure version works first, before we move on to the main part of the article, to eliminate any issues that are not related to SSL certificates. Log on to the Windows Azure management portal to create a new hosted service and a production deployment of the sample project we created earlier. Once the deployment is ready navigate to Verify that your web role is running correctly and fix any issues that have popped up.

Next we will set up our custom domain to redirect to the Azure web role.

For setup with sub-domain:
 In the DNS manager add a CNAME for sub with value of

For setup without sub-domain: In your DNS manager, add a CNAME for www with value of I also had to create an A record for @ with value of for the domain to work; not sure why, you could Google it if you are really curious. *You can skip the next step and go on to the next paragraph if you are using a sub-domain. Once you have the DNS records set up, go back to Domain Manager and click on Forward->"Forward Domain" from the toolbar and forward to Verify points to Azure web role you have set up previously and fix any issues you encounter.

You can view the result for my setup at Azure generated URL vs custom domain

Now we need to generate an ssl certificate for, if you are using, SSL certificate for will work just fine, you don't need to create a separate certificate for However if you want to use sub-domain you will need to get an ssl cert for GoDaddy has instructions on how to generate and install an SSL certificate on your IIS server, but I will go through it here again so you don't have to read that article. Start IIS Manager and double-click the Server Certificates feature. In the Actions panel on the right, select "Create Certificate Request ...". In the popup dialog enter your domain name in the "Common name" field. The rest of the fields don't matter too much if you are using standard SSL, so enter whatever information you think is appropriate. On the next screen make sure you select "Microsoft RSA SChannel Cryptographic Provider" and a Bit Length of 2048. Save the result somewhere.

Next, log into your GoDaddy account and navigate to Secure Certificate Services, select an unused credit and request a certificate. Copy the CSR content from the saved file and paste it into the input box. I selected Starfield Technologies as Certificate Issuing Organization; you may do the same if you want to follow the rest of this guide closely. Wait a few hours and check back; your SSL certificate should be ready. Download the certificate for IIS 7 and make sure to check the box to include the intermediate certificates.

Now we are ready to install the certificates. First we will install the intermediate certificates. Start Microsoft Management Console by typing mmc in the run box on the Start menu. Select File->"Add/Remove Snap-ins", then select Certificates and Add. Pick the "Computer account" option in the popup box, then on the next screen, with "Local computer" selected, click the Finish button and then the Ok button. In the tree view on the left navigate to "Certificates/Intermediate Certification Authorities/Certificates". Right-click->All Tasks->Import and import "sf_iis_intermediates.p7b" (you might have "sf_bundle.crt" if you downloaded the SSL certificate for another server option). Make sure to read through the next part before proceeding.

What we want to do next is install the SSL certificate through IIS. Take note that we are not importing the SSL certificate using mmc; if you do that you cannot export the certificate with its private key. Start IIS Manager as administrator, select your local machine in the tree view on the left, then double-click the Server Certificates feature. In the Actions panel on the right-hand side, click on "Complete Certificate Request ..." and browse to your SSL certificate; this is the other certificate that was not installed in the earlier step. You might need to change the file extension filter in the open file dialog, because GoDaddy's certificate file is saved as *.crt while the open file dialog defaults to *.cer. Now you should see your SSL certificate installed in IIS Manager. Go back to mmc and check under "Certificates/Personal/Certificates". You should see your SSL certificate listed there; refresh if you don't see it. If that doesn't work, the SSL certificate was not installed correctly; Google online for more help.

So after all that we are finally ready to export the certificates and upload them to Windows Azure. In mmc find the SSL certificate and right-click->All Tasks->Export. Make sure you export through mmc: the IIS export doesn't export the complete certificate chain correctly, and you cannot export the intermediate certificates any other way since you don't have their private keys. Click Next on the Welcome screen, and in the Private Key screen make sure to have "Yes, export the private key" selected, then click Next. In the Export File Format screen select "Personal Information Exchange", check the "Include all certificates in certification path if possible" and "Export all extended properties" options, then click Next. Enter a password and click Next, then select where you want to export the certificates to. Once the export is done you are ready to upload it to Windows Azure.
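To confirm the export before uploading, the following PowerShell check loads the PFX, lists each certificate's thumbprint, and verifies that exactly one certificate carries a private key and that every element of its chain is inside the file. It is an added example, not part of the original post, and the file path is a placeholder.

```powershell
# Added example: inspect an exported PFX before uploading it to Windows Azure.
# $PfxPath is a hypothetical location; point it at the file exported from mmc.
$PfxPath = 'C:\temp\mysite.pfx'
$secure  = Read-Host -AsSecureString -Prompt 'PFX password'
$plain   = (New-Object System.Net.NetworkCredential('', $secure)).Password

$x509  = 'System.Security.Cryptography.X509Certificates'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$certs = New-Object "$x509.X509Certificate2Collection"
$certs.Import($PfxPath, $plain, $flags)

# Everything the file contains. The thumbprints are the values the web role
# configuration asks for later.
$certs | Select-Object Subject, Issuer, Thumbprint, HasPrivateKey, NotAfter | Format-List

# Only the site certificate should carry a private key.
$leaf = @($certs | Where-Object { $_.HasPrivateKey })
if ($leaf.Count -ne 1) {
    throw "Expected exactly one certificate with a private key, found $($leaf.Count)."
}

# Build the chain for the site certificate. Revocation checking is switched off
# because the question here is what the file contains, not revocation status.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.AddRange($certs)
[void]$chain.Build($leaf[0])

# Chain building may pull certificates from the local machine stores, so
# compare every chain element against what is actually inside the PFX.
$inPfx   = @($certs | ForEach-Object { $_.Thumbprint })
$missing = @($chain.ChainElements |
    ForEach-Object { $_.Certificate } |
    Where-Object { $inPfx -notcontains $_.Thumbprint })

if ($missing.Count -gt 0) {
    Write-Warning 'These chain certificates are NOT in the PFX:'
    $missing | Select-Object Subject, Thumbprint | Format-List
} else {
    Write-Host "OK: all $($chain.ChainElements.Count) chain certificates are in the PFX."
}
```

A file that only lists the site certificate was exported without the "Include all certificates in certification path if possible" option and should be exported again.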

Go back to the Windows Azure management console and find the hosted service we created earlier; there should be a certificates folder under the host. Right-click on that folder and pick the "Add Certificate" option, point it to the certificate file we just exported, enter the password and click ok. Once the import is done you should see three certificates. This is important: if any of the certificates is missing, most browsers will not validate your SSL certificate and your site is not shown as secure even if the communication is protected. We upload the certificates first, before setting up the web role, because it makes the next step slightly easier. Don't close the Windows Azure management console; start up Visual Studio and open your project.

All three certificates

Find your web role and bring up the property view by double-clicking on the web role. Select the Certificates tab and add a new certificate. Name it, and select LocalMachine for Store Location and My for Store Name. Now go back to the Azure console and select the certificate; in the properties panel to the right, find the Thumbprint property and copy its value. Go back to Visual Studio and paste the thumbprint value we just copied into the Thumbprint field. Repeat the process for the other two certificates but set Store Name to Trust.

Add certificate with thumbprint value
Next, click the Endpoints tab in the project property view, add a new endpoint for https and select the certificate you added as its SSL certificate.

Finally, create a new Azure package and upgrade the existing deployment on the Windows Azure portal. If you have done everything correctly up to this point, the new package should upload without any error. Once the update is complete you can test whether your certificates are installed correctly by navigating to  The site should load without any error; if the browser puts up a warning screen about the site not being trusted or not being able to verify the site's SSL certificate, then you will have to search around to figure out what went wrong. Take a look at my https results.

Disclaimer: the SSL certificate is good for a year and I don't plan on renewing it, so if you visit the site after 2013/07/11 the certificate will not be valid (but you can go get a free Slurpee). Also, I might take down the site later when I need to free Azure computing credit for something else. Here is a screenshot showing the end result.

Black Magic