Author: Jim Nakashima
Windows Azure Tools for Microsoft Visual Studio extend
Visual Studio to enable the creation, building, debugging, running and
packaging of scalable services on Windows Azure.
This walkthrough covers how to set up an HTTPS endpoint for a
Web Role running on Windows Azure, both in the local Development Fabric and as a
Windows Azure hosted service. It assumes
that you have a working knowledge of digital certificates.
SSL Certificate Workflow
The developer needs to obtain a certificate from a signing
authority and pass both the certificate and the private key to Windows Azure,
where both will be used to set up an https binding for a given Web Role.
Here’s a simplified diagram that shows the overall workflow:
The developer sends a Certificate Signing Request to a
signing authority (step 1 in the diagram above). He then obtains the certificate from the
signing authority (step 2), and uses Visual Studio to build a Service package
that contains the certificate (along with its private key). The developer will upload the package to
Windows Azure by means of the Azure Services Developer Portal (step 3).
The Service Package is encrypted and the Azure Services
Developer Portal is accessed via https.
Creating the Cloud Service Project
Start Visual Studio as an administrator.
Create a new project: File -> New -> Project.
Select “Web Cloud Service”. This will create the Cloud Service Project
and an ASP.NET Web Role.
Customize your Web Role
Make some simple changes to Default.aspx.
Make sure your project works by hitting F5 to debug.
Testing an HTTPS Endpoint in the Local Development Fabric
Open the Cloud Service Project Settings by right-clicking on
the Cloud Service project node in Solution Explorer and selecting “Properties”.
Click the CheckBox under “Development” to “Enable SSL
Connections”.
Click “Select from Store”.
Choose the certificate you want to test with.
Save the project file.
Open ServiceDefinition.csdef and change the Service Definition
to use an https endpoint: change the
protocol of the InputEndpoint element to “https”.
<ServiceDefinition name="SSLExample"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole">
    <InputEndpoints>
      <!-- Must use port 80 for http and port 443 for https when running in the cloud -->
      <InputEndpoint name="HttpsIn" protocol="https" port="443" />
    </InputEndpoints>
  </WebRole>
</ServiceDefinition>
Hit F5 to debug the application.
Note that IE will give you a certificate error, because the certificate
specified is a self-signed certificate intended for testing purposes only.
Selecting a Certificate
Visual Studio will look for certificates that support Server
Authentication and are located in the Personal Store in the Current User
location.
Note: For the Development
Fabric case, the certificate used must be self-signed because in this scenario the
private key is not securely protected.
When a certificate is selected, its thumbprint is stored in
the Cloud Service project file.
Note: If the
certificate specified in the project is not installed in the Certificate Store,
the build will fail with the following error:
error : CloudServices39 : No
certificate with thumbprint 567F754EAAD7E053D000710887FB57597F856A79 in
certificate store named MY at store location CurrentUser
Note: If a
certificate is specified in the project but an InputEndpoint for HTTPS doesn’t
exist, the following warning will be given at build time:
C:\Program Files\MSBuild\Microsoft\Cloud
Service\v1.0\Microsoft.CloudService.targets(0,0): warning : CloudServices28 :
No web role declared in service model. Cannot apply SSL certificate
Note: If your certificate has been imported without marking the key
as exportable, you will get the following error:
error : CloudServices40 :
Cannot export private key of certificate with thumbprint
567F754EAAD7E053D000710887FB57597F856A79 in certificate store named MY at store
location CurrentUser.
Specifying an HTTPS Endpoint for a Service on Windows Azure
Open the Cloud Service Project Settings by right-clicking on
the Cloud Service project node in Solution Explorer and selecting “Properties”.
Click the CheckBox under “Publish” to “Enable SSL
Connections”.
Click “Select from Store”.
Choose the certificate you want to test with.
Save the project settings.
Visual Studio will look for certificates that support Server
Authentication and are located in the Personal Store in the Current User
location.
Ensure that the InputEndpoint port is set to “443”:
<InputEndpoint
name="HttpsIn" protocol="https" port="443" />
Deploy your Cloud Service as you would normally when
deploying to the cloud. You will then be able to access your service via HTTPS. See the walkthrough: Deploying a Service on
Windows Azure for more information.
One final note: Although this walkthrough focused on
specifying a single https endpoint, you can have both an http and https
endpoint for your Web Role:
<!-- Must use port 80 for http and port 443 for https when running in the cloud -->
<InputEndpoint name="HttpIn" protocol="http" port="80" />
<InputEndpoint name="HttpsIn" protocol="https" port="443" />
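The endpoint rules stated in this walkthrough (port 80 for http, port 443 for https, and an https InputEndpoint present when SSL is enabled) can be checked before deployment. The following Python script is an added example, not part of the original walkthrough or of the Windows Azure Tools; the function name lint_csdef, the ssl_enabled flag and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the ServiceDefinition.csdef shown in the walkthrough.
NS = {"sd": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"}
# Ports the walkthrough says must be used when running in the cloud.
CLOUD_PORTS = {"http": "80", "https": "443"}


def lint_csdef(xml_text, ssl_enabled=True):
    """Return (role, endpoint, message) findings for a service definition.

    ssl_enabled is a hypothetical flag standing in for the project's
    "Enable SSL Connections" setting, which lives outside the .csdef.
    """
    root = ET.fromstring(xml_text)
    findings = []
    roles = root.findall("sd:WebRole", NS)
    if ssl_enabled and not roles:
        findings.append((None, None, "SSL enabled but no WebRole declared"))
    for role in roles:
        rname, seen = role.get("name"), set()
        for ep in role.findall("sd:InputEndpoints/sd:InputEndpoint", NS):
            proto = (ep.get("protocol") or "").lower()
            port = ep.get("port")
            seen.add(proto)
            if proto not in CLOUD_PORTS:
                findings.append((rname, ep.get("name"), f"protocol {proto!r} is not http or https"))
            elif port != CLOUD_PORTS[proto]:
                findings.append((rname, ep.get("name"),
                                 f"{proto} must use port {CLOUD_PORTS[proto]} in the cloud, found {port}"))
        if ssl_enabled and "https" not in seen:
            findings.append((rname, None, "SSL enabled but no https InputEndpoint"))
        if "http" in seen:
            findings.append((rname, None, "http endpoint present: requests to it are not encrypted"))
    return findings


# Constructed sample: https on a non-standard port, plus a plain http endpoint.
SAMPLE = """<ServiceDefinition name="SSLExample"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="8443" />
    </InputEndpoints>
  </WebRole>
</ServiceDefinition>"""

if __name__ == "__main__":
    for finding in lint_csdef(SAMPLE):
        print(finding)
```

The https-only definition shown earlier in the walkthrough produces no findings; the http finding is informational, since the walkthrough allows both endpoints on one Web Role.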