How to Create a Certificate for a Role
Updated: September 12, 2011
You may need different types of certificates depending on the type of application that you develop for Windows Azure. For example, you might need to do the following:
- Create an X.509 certificate. An X.509 v3 certificate is used to authenticate operations against a Windows Azure subscription. An X.509 v3 server certificate can also be used for testing web-based services. The file uses a .cer extension and contains only the public certificate, not the private key. In Windows Azure, this type of certificate is uploaded as a management certificate and is used by a VM role.
- Create a Personal Information Exchange certificate. A Personal Information Exchange (.pfx) file contains the certificate together with its private key, protected by a password. The certificate is normally issued by a certification authority and verifies the authenticity of the hosted service, but it can be self-signed for testing purposes. This type of certificate is uploaded as a service certificate and is needed for creating a remote desktop connection.
- Obtain the thumbprint for a certificate. The thumbprint identifies the certificate when authenticating operations performed in a hosted service.
For more information about certificate usage in Windows Azure, see Managing Certificates in Windows Azure.
You can use the Certificate Creation Tool (makecert.exe) to create an X.509 certificate for a management certificate:
- Open the Visual Studio Command Prompt window as an administrator.
- Change the directory to the location where you want to save the certificate file.
- Type the following command:
makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"
Where <CertificateName> is the name that you want to use for the certificate. The output file must have a .cer extension. The -r switch makes the certificate self-signed, -pe marks the private key as exportable, and -ss My places the certificate and its private key in your personal certificate store; only the public certificate is written to the .cer file. Note that the command signs the certificate with SHA-1 (-a sha1), which is shown here for compatibility with the tooling of the time; later versions of makecert accept -a sha256, which you should prefer for anything other than a throwaway test certificate. For more information about using the tool, see Certificate Creation Tool (Makecert.exe).
You can also use the Internet Information Services (IIS) Manager to create an X.509 server certificate. For more information about using IIS Manager to create certificates, see Create a Self-Signed Server Certificate in IIS 7.
- Open the Internet Information Services (IIS) Manager by typing inetmgr in the Start menu textbox.
- In the IIS section of the center pane, double-click Server Certificates.
- Click Create Self-Signed Certificate, and then finish the wizard.
You can use the Certificate Manager to export a Personal Information Exchange formatted certificate. You can also export this format from the Internet Information Services (IIS) Manager. When you export the certificate to the .pfx format, you must set a password that protects the private key; anyone who later imports the .pfx (including the Windows Azure service certificate upload) must supply that password, so choose a strong one and keep it separate from the file. For more information about importing and exporting certificates, see Import or export certificates and private keys.
- Open the Certificate Manager snap-in for the management console by typing certmgr.msc in the Start menu textbox.
- If you used the procedure that includes using the makecert program to create a certificate, the new certificate was automatically added to the personal certificate store (the -ss My switch). If your certificate is not listed under Personal, Certificates, import your X.509 certificate.
- Export the certificate by right-clicking the certificate in the right pane, pointing to All Tasks, and then clicking Export.
- On the Export Private Key page, ensure that you select Yes, export the private key. Without the private key the wizard produces a .cer rather than a .pfx, and the resulting file cannot be used as a service certificate.
- Finish the wizard.
If you are using Internet Information Services (IIS) Manager to manage certificates, you can export a .pfx formatted version.
- Open the Internet Information Services (IIS) Manager by typing inetmgr in the Start menu textbox.
- In the IIS section of the center pane, double-click Server Certificates.
- Right-click the certificate in the center pane, and then click Export.
- Select the location for the file, enter the name for the file, and enter the password for the private key.
- Click OK.
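The two procedures above (create a self-signed certificate with an exportable private key, write the public .cer for upload as a management certificate, and write a password-protected .pfx for upload as a service certificate) as one PowerShell script. This is an added example, not part of the original article: it uses the PKI module cmdlets New-SelfSignedCertificate, Export-Certificate and Export-PfxCertificate (the parameters used here need Windows 10 or Windows Server 2016 or later) in place of makecert and the wizards, and the subject name, output folder and file names are example values chosen for the illustration. It finishes with the check a practitioner wants: the .cer must not carry the private key, the .pfx must, and both must describe the same certificate as the store.

```powershell
# Added example (not from the original article). Creates a self-signed certificate
# with an exportable private key, then exports it twice:
#   .cer  = public certificate only  -> management certificate
#   .pfx  = certificate + private key -> service certificate (password protected)
# Assumes the Windows 10 / Server 2016+ PKI module. Subject, folder and file
# names are assumed example values.

$subject = "CN=MyAzureRoleCert"                       # assumed subject name
$outDir  = Join-Path $env:USERPROFILE "AzureCerts"    # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Equivalent of: makecert -sky exchange -r -pe -a sha256 -len 2048 -ss My
$cert = New-SelfSignedCertificate `
    -Subject           $subject `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -KeySpec           KeyExchange `
    -HashAlgorithm     sha256 `
    -KeyExportPolicy   Exportable `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter          (Get-Date).AddYears(1)

# 1. Public certificate only (DER-encoded .cer).
$cerPath = Join-Path $outDir "MyAzureRoleCert.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 2. Certificate plus private key (.pfx). The password is the one the export
#    wizard asks for; whoever imports the .pfx later needs it, so it is read
#    interactively rather than stored next to the file.
$pfxPath     = Join-Path $outDir "MyAzureRoleCert.pfx"
$pfxPassword = Read-Host -Prompt "Password to protect the .pfx" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Checks: the .cer carries no private key, the .pfx does, and both match the
# certificate that was placed in the personal store.
$fromCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$fromPfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)

if ($fromCer.HasPrivateKey) {
    throw "The .cer file unexpectedly contains a private key; do not upload it as a management certificate."
}
if (-not $fromPfx.HasPrivateKey) {
    throw "The .pfx file has no private key; it cannot be used as a service certificate."
}
if (($fromCer.Thumbprint -ne $cert.Thumbprint) -or ($fromPfx.Thumbprint -ne $cert.Thumbprint)) {
    throw "Exported files do not match the certificate in Cert:\CurrentUser\My."
}

"Certificate created and exported."
"  Subject    : $($cert.Subject)"
"  Thumbprint : $($cert.Thumbprint)"    # already uppercase, no spaces
"  .cer       : $cerPath"
"  .pfx       : $pfxPath"
```

Run the script in an elevated PowerShell session. The Thumbprint property on the returned certificate object is already in the uppercase, space-free form, which avoids the copy-and-clean step that the Certificate Manager dialog requires.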
If you need to use a remote desktop connection to access your role instance, you must encrypt the password that is associated with the user account rather than placing it in the service configuration in clear text. To encrypt the password, a service certificate is required: the certificate's public key encrypts the password, and the role instance decrypts it with the private key from the uploaded .pfx. You can use the CSUpload Command-Line Tool to upload an existing certificate, or you can use the CSEncrypt Command-Line Tool to create a certificate and then encrypt a password for a remote desktop connection.
The thumbprint of the certificate is required for some operations involved with service authentication. You can obtain the thumbprint of a certificate by using the Certificate Manager or the Internet Information Services (IIS) Manager.
To obtain the thumbprint by using Certificate Manager:
- Open the Certificate Manager snap-in for the management console by typing certmgr.msc in the Start menu textbox.
- Ensure that your certificate has been imported.
- Expand Personal, click Certificates, right-click the certificate in the list, and then click Open.
- Click Details, and then locate the Thumbprint property and value in the list.
Note The thumbprint in Certificate Manager is displayed with spaces and lowercase characters, and copying it from the Details tab can also pick up an invisible leading Unicode character. You must remove the spaces (and any such hidden character) and convert the characters to uppercase when using the thumbprint in the service model or when encrypting a password for a remote desktop connection; the result is a 40-character hexadecimal string.
To obtain the thumbprint by using IIS Manager:
- Open the Internet Information Services (IIS) Manager by typing inetmgr in the Start menu textbox.
- In the IIS section of the center pane, double-click Server Certificates.
- Select the certificate in the center pane, and then click View in the Actions pane.
- Click Details, and then locate the Thumbprint property and value in the list.
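The clean-up that the note above asks for, as an added PowerShell example that is not part of the original article: it normalizes a thumbprint pasted from the Certificate Manager Details tab (spaces, lowercase, and any invisible leading character) into the 40-character uppercase form, and then shows what a thumbprint actually is by recomputing it as the SHA-1 hash of the certificate's DER bytes and comparing it with the value Windows reports. The pasted thumbprint is a constructed sample, and the subject name used to look up a certificate in the personal store is an assumed example value.

```powershell
# Added example (not from the original article). Normalizes a thumbprint copied
# from certmgr.msc and verifies thumbprints against the personal certificate store.
# The pasted thumbprint below is a constructed sample; the subject name is assumed.

function ConvertTo-AzureThumbprint {
    param([Parameter(Mandatory)][string]$PastedThumbprint)
    # Keep only hexadecimal digits. This drops spaces, colons and any invisible
    # Unicode mark (for example U+200E) that the Details tab may prepend,
    # then converts to uppercase, which is the form the service model expects.
    $clean = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA-1 thumbprint, got $($clean.Length): '$clean'"
    }
    return $clean
}

function Get-ThumbprintFromDer {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A thumbprint is not stored inside the certificate: it is SHA-1 over the
    # certificate's DER encoding, so it can be recomputed from RawData.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash($Cert.RawData) }
    finally { $sha1.Dispose() }
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
}

# --- 1. Normalize a value copied from the Details tab (constructed sample) ---
# Lowercase, space separated, with a leading left-to-right mark (U+200E).
$pasted = [string][char]0x200E + "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 12 34 56 78"
$normalized = ConvertTo-AzureThumbprint $pasted
"Pasted     : '$pasted' ($($pasted.Length) chars)"
"Normalized : '$normalized' ($($normalized.Length) chars)"

# --- 2. Verify a real certificate from the personal store (assumed subject) ---
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=MyAzureRoleCert" } |
        Select-Object -First 1
if ($null -eq $cert) {
    "No certificate with subject CN=MyAzureRoleCert in Cert:\CurrentUser\My; skipping store check."
} else {
    $computed = Get-ThumbprintFromDer $cert
    if ($computed -ne $cert.Thumbprint) {
        throw "Recomputed SHA-1 ($computed) does not match the store thumbprint ($($cert.Thumbprint))."
    }
    # The normalized form is also a valid path under the Cert: drive.
    $byPath = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    "Store thumbprint : $($cert.Thumbprint)"
    "Recomputed SHA-1 : $computed"
    "Lookup by path   : $($byPath.Subject)"
}
```

Paste the value from the dialog through ConvertTo-AzureThumbprint before putting it in the service model or handing it to the password encryption step; the length check catches the common case of a partial copy, and the hex filter catches the hidden character that a visual comparison misses.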
See Also
- 5/6/2011 - Jonathan Gao
The first '-' character in the command string is not being published as the correct character. An en-dash character is being inserted instead of a minus sign. To run the makecert command, copy the command string to the command prompt window and then change the first dash to a minus sign, change the certificate information, and then run the command. We are working on a fix for this issue.
- 1/3/2011 - David Murray - Microsoft
- 1/30/2011 - Thomas Lee
- 11/30/2010 - Michael Epprecht [MSFT]
- 1/30/2011 - Thomas Lee
