Enabling SSL Connections on Windows Azure

Author: Jim Nakashima

Windows Azure Tools for Microsoft Visual Studio extend Visual Studio to enable the creation, building, debugging, running and packaging of scalable services on Windows Azure.

This walkthrough covers how to set up an HTTPS endpoint for a Web Role running on Windows Azure, in both the local development and Windows Azure hosted service cases. It assumes that you have a working knowledge of digital certificates.

SSL Certificate Workflow

The developer needs to obtain a certificate from a signing authority and pass both the certificate and the private key to Windows Azure, where both will be used to set up an https binding for a given Web Role.

Here’s a simplified diagram that shows the overall workflow:

Workflow.jpg

The developer sends a Certificate Signing Request to a signing authority (step 1 in the diagram above). He then obtains the certificate from the signing authority (step 2), and uses Visual Studio to build a Service package that contains the certificate (along with its private key). The developer then uploads the package to Windows Azure by means of the Azure Services Developer Portal (step 3).

The Service Package is encrypted and the Azure Services Developer Portal is accessed via https.

Creating the Cloud Service Project

Start Visual Studio as an administrator.

Create a new project:  File -> New -> Project.

Select “Web Cloud Service”. This will create the Cloud Service Project and an ASP.NET Web Role.

Customize your Web Role

Make some simple changes to Default.aspx.

Make sure your project works by hitting F5 to debug.

Testing an HTTPS Endpoint in the Local Development Fabric

Open the Cloud Service Project Settings by right-clicking on the Cloud Service project node in Solution Explorer and selecting “Properties”.

Under “Development”, check the “Enable SSL Connections” checkbox.

Click “Select from Store”.

Choose the certificate you want to test with.

Save the project file.

Open ServiceDefinition.csdef and change the Service Definition to use an https endpoint by setting the protocol of the InputEndpoint element to “https”:

<ServiceDefinition name="SSLExample" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole">
    <InputEndpoints>
      <!-- Must use port 80 for http and port 443 for https when running in the cloud -->
      <InputEndpoint name="HttpsIn" protocol="https" port="443" />
    </InputEndpoints>
  </WebRole>
</ServiceDefinition>

Hit F5 to debug the application.

Note that IE will show a certificate error, because the certificate that was specified is self-signed and intended for testing purposes only.

Selecting a Certificate

Visual Studio will look for certificates that support Server Authentication and are located in the Personal Store in the Current User location. 

Note: For the Development Fabric case, the certificate used must be self-signed because in this scenario the private key is not securely protected.

When a certificate is selected, its thumbprint is stored in the Cloud Service project file.

Note: If the certificate specified in the project is not installed in the Certificate Store, the build will fail with the following error:

error : CloudServices39 : No certificate with thumbprint 567F754EAAD7E053D000710887FB57597F856A79 in certificate store named MY at store location CurrentUser

Note: If a certificate is specified in the project but an InputEndpoint for HTTPS doesn’t exist, the following warning will be given at build time:

C:\Program Files\MSBuild\Microsoft\Cloud Service\v1.0\Microsoft.CloudService.targets(0,0): warning : CloudServices28 : No web role declared in service model. Cannot apply SSL certificate

Note: If your certificate has been imported without marking the key as exportable, you will get the following error:

error : CloudServices40 : Cannot export private key of certificate with thumbprint 567F754EAAD7E053D000710887FB57597F856A79 in certificate store named MY at store location CurrentUser.
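The conditions described in this section can be checked before a build. The following PowerShell is an added example, not part of the original walkthrough or the Windows Azure Tools; the function name Test-AzureSslCertificate is hypothetical, and the thumbprint passed in is the one quoted in the error text above.

```powershell
# Added example, not from the walkthrough: pre-build check of the selected certificate.
function Test-AzureSslCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)  # thumbprint from the project file

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage
    $wanted = $Thumbprint -replace '[^0-9A-Fa-f]', ''   # drop spaces and pasted invisible characters

    # Visual Studio looks in the Personal store (MY) of the Current User location.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
    if (-not $cert) {
        return "FAIL: thumbprint $wanted not found in CurrentUser\My (build error CloudServices39)"
    }

    $findings = @()

    # A certificate without an EKU extension is not restricted to specific purposes.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $findings += 'FAIL: enhanced key usage does not include Server Authentication'
    }

    if (-not $cert.HasPrivateKey) {
        $findings += 'FAIL: no private key is associated with the certificate'
    }
    else {
        try {
            # An in-memory PFX export succeeds only if the key was imported as exportable.
            $pfx = $cert.Export(
                [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'throwaway')
            [Array]::Clear($pfx, 0, $pfx.Length)   # do not keep the key material around
        }
        catch {
            $findings += 'FAIL: private key is not exportable (build error CloudServices40)'
        }
    }

    # Heuristic: subject equal to issuer means self-signed, as required for the Development Fabric.
    $findings += "INFO: self-signed = $($cert.Subject -eq $cert.Issuer)"
    return $findings
}

# Thumbprint taken from the error text on this page; substitute the one in your project settings.
Test-AzureSslCertificate -Thumbprint '567F754EAAD7E053D000710887FB57597F856A79'
```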

Specifying an HTTPS Endpoint for a Service on Windows Azure

Open the Cloud Service Project Settings by right-clicking on the Cloud Service project node in Solution Explorer and selecting “Properties”.

Under “Publish”, check the “Enable SSL Connections” checkbox.

Click “Select from Store”.

Choose the certificate you want to test with.

Save the project settings.

Visual Studio will look for certificates that support Server Authentication and are located in the Personal Store in the Current User location. 

Ensure that the InputEndpoint port is set to “443”:

<InputEndpoint name="HttpsIn" protocol="https" port="443" />

Deploy your Cloud Service as you normally would when deploying to the cloud. You will then be able to access your service via HTTPS. See the walkthrough “Deploying a Service on Windows Azure” for more information.

One final note:  Although this walkthrough focused on specifying a single https endpoint, you can have both an http and https endpoint for your Web Role:

      <!-- Must use port 80 for http and port 443 for https when running in the cloud -->
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" />
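The port rule in the comment above, and the CloudServices28 condition described earlier, can be checked against a ServiceDefinition.csdef before deploying. This PowerShell is an added example, not part of the original walkthrough or the Windows Azure Tools; the function name Test-CsdefEndpoints and its -CertificateSelected switch are hypothetical, and the sample definition is constructed for illustration.

```powershell
# Added example, not from the walkthrough: lint the InputEndpoints of a service definition.
function Test-CsdefEndpoints {
    param(
        [Parameter(Mandatory = $true)][xml]$Csdef,
        [switch]$CertificateSelected   # assumption: caller knows a certificate is set in the project
    )
    $cloudPort = @{ http = '80'; https = '443' }   # required ports when running in the cloud
    $findings = @()
    $httpsSeen = $false

    foreach ($role in @($Csdef.ServiceDefinition.WebRole | Where-Object { $_ })) {
        foreach ($ep in @($role.InputEndpoints.InputEndpoint | Where-Object { $_ })) {
            # GetAttribute avoids confusing the "name" attribute with the element's own Name.
            $id = '{0}/{1}' -f $role.GetAttribute('name'), $ep.GetAttribute('name')
            $protocol = $ep.GetAttribute('protocol').ToLowerInvariant()
            $port = $ep.GetAttribute('port')

            if ($protocol -eq 'https') { $httpsSeen = $true }
            if (-not $cloudPort.ContainsKey($protocol)) {
                $findings += '{0}: unexpected protocol "{1}"' -f $id, $protocol
            }
            elseif ($port -ne $cloudPort[$protocol]) {
                $findings += '{0}: {1} on port {2}, expected {3} in the cloud' -f `
                    $id, $protocol, $port, $cloudPort[$protocol]
            }
        }
    }
    if ($CertificateSelected -and -not $httpsSeen) {
        $findings += 'certificate selected but no https InputEndpoint (build warning CloudServices28)'
    }
    return $findings
}

# Constructed sample: http endpoint on the wrong port and no https endpoint.
[xml]$sample = @'
<ServiceDefinition name="SSLExample" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="8080" />
    </InputEndpoints>
  </WebRole>
</ServiceDefinition>
'@
Test-CsdefEndpoints -Csdef $sample -CertificateSelected
```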
