Now, the reason for this article: to enable HTTPS on Windows Azure you must upload a certificate file that contains your private key, but the SSL certificates GoDaddy issues are chained, and you do not have the private keys for the intermediate certificates in that chain. From my research, VeriSign certificates work without issue when uploaded to Windows Azure, but very few people have gotten GoDaddy's certificates to work properly. However, VeriSign certificates cost far more than $12.99 (Google for a discount) per year, so hopefully this article will save you some money.
To set up HTTPS on Windows Azure you need to create a certificate file that holds your private key and also embeds the chained intermediate certificates, so that all of them can be uploaded to Windows Azure together. There are many ways to install an SSL certificate and export it for later use, but I have found only one way to install and export it so that the export contains the chain as well. The steps here probably apply to other vendors too, but GoDaddy is the only one I tested with, so I am listing it as a precondition.
This article assumes you are doing the following:
- you know how to manage your domain and sub-domain with your domain registrar
- you purchased an SSL certificate from GoDaddy
- you are building .NET web applications with Visual Studio
- you are using Azure web role to host your web application
Once you have the project up and running locally, you are ready to deploy it to Azure. Make sure the non-secure version works first, before moving on to the main part of the article, so that any problem you hit later is actually related to the SSL certificate and not to the deployment. Log on to the Windows Azure management portal and create a new hosted service and a production deployment of the sample project created earlier. Once the deployment is ready, navigate to your-host.cloudapp.net. Verify that your web role is running correctly and fix any issues that have popped up.
Next we will point our custom domain at the Azure web role.
For setup with a sub-domain: in the DNS manager, add a CNAME record for sub with the value your-host.cloudapp.net.
For setup without a sub-domain: in your DNS manager, add a CNAME record for www with the value your-host.cloudapp.net. I also had to create an A record for @ with the value 127.0.0.1 for the domain to work; I am not sure why, you could Google it if you are really curious. *If you are using a sub-domain you can skip the rest of this step and go on to the next paragraph. Once you have the DNS records set up, go back to the Domain Manager, click Forward->"Forward Domain" on the toolbar and forward your-domain.com to www.your-domain.com. Verify that www.your-domain.com points to the Azure web role you set up previously and fix any issues you encounter.
You can view the result for my setup at the Azure-generated URL vs. the custom domain.
Now we need to generate an SSL certificate for your-domain.com. If you are using www.your-domain.com, a certificate for your-domain.com will work just fine; you do not need a separate certificate for www.your-domain.com. If you want to use a sub-domain, however, you will need a certificate for sub.your-domain.com. GoDaddy has instructions on how to generate and install an SSL certificate on your IIS server, but I will go through it here so you do not have to read that article. Start IIS Manager and double-click the Server Certificates feature. In the Actions panel on the right, select "Create Certificate Request ...". In the dialog, enter your domain name in the "Common name" field. The rest of the fields do not matter much for a standard SSL certificate, so enter whatever information you think is appropriate. On the next screen make sure you select "Microsoft RSA SChannel Cryptographic Provider" and a Bit Length of 2048. IIS generates the key pair in the machine store and marks the private key exportable, which the export step later depends on. Save the resulting request file somewhere.
Next, log in to your GoDaddy account and navigate to Secure Certificate Services, select an unused credit and request a certificate. Copy the CSR content from the saved file and paste it into the input box. I selected Starfield Technologies as the Certificate Issuing Organization; you may do the same if you want to follow the rest of this guide closely. Wait a few hours and check back; your certificate should be ready. Download the certificate for IIS 7 and make sure to check the "include the intermediate certificates" box.
Now we are ready to install the certificates; first we install the intermediate certificates. Start Microsoft Management Console by typing mmc in the Run box on the Start menu. Select File->"Add/Remove Snap-in", then select Certificates and Add. Pick the "Computer account" option in the popup, then on the next screen, with "Local computer" selected, click Finish and then OK. In the tree view on the left, navigate to "Certificates/Intermediate Certification Authorities/Certificates". Right-click->All Tasks->Import and import "sf_iis_intermediates.p7b" (you might have "sf_bundle.crt" instead if you downloaded the certificate for a server type other than IIS). Make sure to read through the next part before proceeding.
Next we install the SSL certificate itself, and we do it through IIS. Take note that we are not importing it with mmc: the .crt file GoDaddy sends contains only the public certificate, and importing it with mmc installs it without linking it to the private key IIS generated for the CSR, so you would not be able to export the certificate with its private key afterwards. Start IIS Manager as administrator, select your local machine in the tree view on the left and double-click the Server Certificates feature. In the Actions panel on the right, click "Complete Certificate Request ..." and browse to your SSL certificate, the one file that was not installed in the previous step. You might need to change the file extension filter in the open file dialog, because GoDaddy saves the certificate as *.crt while the dialog defaults to *.cer. You should now see your SSL certificate in IIS Manager. Go back to mmc and check under "Certificates/Personal/Certificates"; your SSL certificate should be listed there (refresh if you do not see it), with the small key icon that indicates a private key is attached. If it is not there, the certificate was not installed correctly; Google online for more help.
After all that we are finally ready to export the certificate and upload it to Windows Azure. In mmc, find the SSL certificate and Right-click->All Tasks->Export. Make sure you export through mmc: IIS export does not export the complete certificate chain correctly, and you cannot export the intermediate certificates any other way since you do not have their private keys. Click Next on the Welcome screen, and in the Private Key screen make sure "Yes, export the private key" is selected, then click Next. In the Export File Format screen select "Personal Information Exchange" (PKCS #12, .pfx), check "Include all certificates in the certification path if possible" and "Export all extended properties", then click Next. Enter a password (Azure will ask for it when you upload the file), click Next, then choose where to save the export. Once the export is done you are ready to upload it to Windows Azure.
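The whole CSR-to-PFX procedure above, from "Create Certificate Request" to the export with the chain, scripted in PowerShell as an added example. This is not from the original article and not GoDaddy's or Microsoft's code. It assumes an elevated PowerShell prompt on the IIS machine, that GoDaddy's downloads were saved as C:\ssl\your-domain.com.crt and C:\ssl\sf_iis_intermediates.p7b (both names are assumptions; use whatever you downloaded), and that the PKI module's Export-PfxCertificate is available (Windows 8 / Windows Server 2012 or later). Run Part 1 before submitting the request to GoDaddy and Part 2 after the certificate has been issued.

```powershell
# Added example: command-line equivalent of the IIS Manager / mmc steps in the article.
# Assumptions: elevated PowerShell on the IIS machine; GoDaddy's files saved as
# C:\ssl\your-domain.com.crt and C:\ssl\sf_iis_intermediates.p7b (names assumed);
# the PKI module (Export-PfxCertificate) is available.
$ErrorActionPreference = 'Stop'
$domain  = 'www.your-domain.com'
$workDir = 'C:\ssl'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# --- Part 1: generate the key pair and CSR (IIS "Create Certificate Request") ---
# Exportable = TRUE is the setting everything later depends on: a key created without
# it can never leave this machine inside a .pfx, which is what Azure needs.
$inf = @"
[NewRequest]
Subject = "CN=$domain"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding Ascii
& certreq.exe -new "$workDir\request.inf" "$workDir\request.csr"
# Paste the contents of request.csr into GoDaddy's request form, then continue below
# once your-domain.com.crt and sf_iis_intermediates.p7b have been downloaded.

# --- Part 2: install the chain, complete the request, export with the chain ---
# Intermediates go into the machine's Intermediate Certification Authorities store
# (mmc: Certificates/Intermediate Certification Authorities/Certificates).
& certutil.exe -f -addstore CA "$workDir\sf_iis_intermediates.p7b"

# certreq -accept is the command-line form of IIS "Complete Certificate Request": it pairs
# the issued certificate with the pending private key. Importing the .crt via mmc skips that.
& certreq.exe -accept "$workDir\your-domain.com.crt"

# Find the leaf and confirm the key is attached; repair the link if it is not
# (the usual symptom of having imported the .crt through mmc instead).
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$domain*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $domain in LocalMachine\My" }
if (-not $leaf.HasPrivateKey) {
    & certutil.exe -repairstore My $leaf.Thumbprint
    $leaf = Get-Item "Cert:\LocalMachine\My\$($leaf.Thumbprint)"
    if (-not $leaf.HasPrivateKey) { throw "Private key for $domain is not on this machine" }
}

# BuildChain is the "Include all certificates in the certification path" box of the mmc
# wizard: the intermediates installed above are pulled into the .pfx next to the leaf.
$pfxPath  = Join-Path $workDir "$domain.pfx"
$password = Read-Host -AsSecureString -Prompt 'Password for the .pfx (Azure asks for it on upload)'
Export-PfxCertificate -Cert $leaf -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null

# Verify before uploading: the bundle must hold the leaf (the only entry with a private key)
# plus its issuers. A count of 1 means the intermediates were missing at export time.
$plain  = (New-Object System.Management.Automation.PSCredential -ArgumentList 'x', $password).GetNetworkCredential().Password
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($pfxPath, $plain, 'DefaultKeySet')
$bundle | Select-Object Subject, Issuer, Thumbprint, HasPrivateKey | Format-Table -AutoSize
if ($bundle.Count -lt 2) {
    throw "$pfxPath contains only the end-entity certificate; re-run the certutil -addstore step and export again"
}
```

The verification at the end is the check worth keeping even if you do everything else through the GUI: open the .pfx you are about to upload and confirm it lists more than one certificate, with exactly one of them (yours) showing a private key.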
Go back to the Windows Azure management portal and find the hosted service we created earlier; there is a Certificates folder under it. Right-click that folder, pick "Add Certificate", point it at the .pfx file we just exported, enter the password and click OK. Once the import is done you should see three certificates. This matters: if any certificate in the chain is missing, most browsers cannot build a trust path to your certificate and will warn the user, even though the connection itself is still encrypted. We upload the certificates before configuring the web role because it makes the next step slightly easier. Leave the Windows Azure management portal open, start Visual Studio and open your project.
|All three certificates|
Find your web role and bring up its properties by double-clicking it. Select the Certificates tab and add a new certificate. Name it your-domain.com, select LocalMachine for Store Location and My for Store Name. Now go back to the Azure portal, select the your-domain.com certificate, find the Thumbprint property in the Properties panel on the right and copy its value. Back in Visual Studio, paste the value into the Thumbprint field. Repeat the process for the other two certificates, but set their Store Name to Trust.
|Add certificate with thumbprint value|
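Copying three thumbprints by hand is where mistakes creep in, so here is an added PowerShell example (not from the article) that reads the exported .pfx and emits the <Certificate> elements the Certificates tab writes into the web role's ServiceDefinition.csdef and ServiceConfiguration.cscfg, plus the HTTPS endpoint that references the leaf certificate by name. It assumes the .pfx produced by the export step and follows the article's store choices (My for the leaf, Trust for the rest; Azure also accepts CA for intermediates). The function name and parameters are mine.

```powershell
# Added example (not from the article): derive the web-role certificate configuration
# from the exported .pfx instead of copying thumbprints from the portal by hand.
function Get-WebRoleCertificateConfig {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,
        [string]$LeafName       = 'your-domain.com',   # the name given on the Certificates tab
        [string]$ChainStoreName = 'Trust'              # the article's choice; 'CA' is also valid
    )
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($PfxPath, $Password, 'DefaultKeySet')

    # The leaf is the only entry that carries a private key; anything else is chain material.
    $leaves = @($bundle | Where-Object { $_.HasPrivateKey })
    if ($leaves.Count -ne 1) { throw "Expected exactly one certificate with a private key, found $($leaves.Count)" }

    $entries = foreach ($cert in $bundle) {
        $isLeaf = $cert.HasPrivateKey
        # Chain certificates are named after their CN, reduced to characters safe in an XML attribute.
        $cn    = [regex]::Match($cert.Subject, 'CN=([^,]+)').Groups[1].Value
        $name  = if ($isLeaf) { $LeafName } else { $cn -replace '[^A-Za-z0-9. -]', '' }
        $store = if ($isLeaf) { 'My' } else { $ChainStoreName }
        [pscustomobject]@{
            Name       = $name
            StoreName  = $store
            Thumbprint = $cert.Thumbprint      # SHA-1 hex, the same value the Azure portal shows
            Subject    = $cert.Subject
            Expires    = $cert.NotAfter
        }
    }

    $csdef = $entries | ForEach-Object {
        "  <Certificate name=""$($_.Name)"" storeLocation=""LocalMachine"" storeName=""$($_.StoreName)"" />"
    }
    $cscfg = $entries | ForEach-Object {
        "  <Certificate name=""$($_.Name)"" thumbprint=""$($_.Thumbprint)"" thumbprintAlgorithm=""sha1"" />"
    }

    [pscustomobject]@{
        Certificates         = $entries
        # WebRole/Certificates in ServiceDefinition.csdef
        ServiceDefinition    = "<Certificates>`n$($csdef -join "`n")`n</Certificates>"
        # WebRole/Endpoints in ServiceDefinition.csdef; the certificate attribute must match the leaf's name
        HttpsEndpoint        = "<InputEndpoint name=""HttpsIn"" protocol=""https"" port=""443"" certificate=""$LeafName"" />"
        # Role/Certificates in ServiceConfiguration.cscfg
        ServiceConfiguration = "<Certificates>`n$($cscfg -join "`n")`n</Certificates>"
    }
}

# Usage (path and password are whatever you chose during the export):
#   $cfg = Get-WebRoleCertificateConfig -PfxPath C:\ssl\www.your-domain.com.pfx -Password (Read-Host 'PFX password')
#   $cfg.Certificates | Format-Table Name, StoreName, Thumbprint, Expires
#   $cfg.ServiceDefinition; $cfg.HttpsEndpoint; $cfg.ServiceConfiguration
```

Compare the Thumbprint column against what the portal shows for each of the three uploaded certificates; the values must match exactly, and a thumbprint in the .cscfg that the portal does not know about will fail the deployment.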
Disclaimer: the SSL certificate is good for a year and I don't plan on renewing it, so if you visit the site after 2013/07/11 the certificate will not be valid (but you can go get a free Slurpee). Also, I might take down the site later when I need to free up Azure computing credit for something else. Here is a screenshot showing the end result.
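To check the end result the way a browser does, here is an added PowerShell example (not from the article) that opens a TLS connection to the site, records the chain Windows builds for the certificate it is served, and reports any policy errors and chain status. It assumes the host name from the article; the function name is mine. Run it from a machine that does not already hold the Starfield intermediates in its certificate store, and bear in mind that Windows can also fetch a missing intermediate from the URL embedded in the certificate, so a clean pass here is necessary but a PartialChain status is the definitive sign that the deployment is not sending the whole chain.

```powershell
# Added example (not from the article): inspect the certificate chain a deployment serves.
function Test-ServedCertificateChain {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. www.your-domain.com (assumed host name)
        [int]$Port = 443
    )
    $state = @{ Chain = @(); Errors = $null; Status = @() }

    # Record what the validation callback sees, then return $true so the handshake completes
    # and we can report it. Never ship a callback like this: it accepts any certificate.
    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $state.Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        # Copy the fields now; the chain object is not guaranteed to survive after the callback returns.
        $state.Chain  = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
                NotAfter   = $_.Certificate.NotAfter
            }
        })
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)   # SNI/host check is done against this name
        $protocol = $ssl.SslProtocol
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        Host         = $HostName
        Protocol     = $protocol
        # None is the goal. RemoteCertificateChainErrors together with a PartialChain status
        # means a browser without the intermediate would show a warning on this site.
        PolicyErrors = $state.Errors
        ChainStatus  = $state.Status
        Chain        = $state.Chain
    }
}

# Usage:
#   $r = Test-ServedCertificateChain -HostName www.your-domain.com
#   $r.PolicyErrors; $r.ChainStatus
#   $r.Chain | Format-Table Subject, Issuer, NotAfter -AutoSize
```

A healthy result lists your certificate followed by the Starfield intermediate and root, PolicyErrors of None and an empty ChainStatus. RemoteCertificateNameMismatch means the name you connected to is not covered by the certificate (for instance testing sub.your-domain.com with a certificate issued only for your-domain.com), which is the other way the site ends up "not secure" in the browser.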