Associate a Certificate with a Service
Updated: February 14, 2014
The following image shows the process of associating a certificate with a service that is being deployed to Windows Azure:
To associate a certificate with a service
The IT manager provides the certificate thumbprint and thumbprint algorithm to the service developer. The thumbprint identifies the certificate, but is not sensitive information. The thumbprint algorithm specifies the algorithm used to generate the thumbprint.
Note The only thumbprint algorithm currently supported is sha1. If you are not certain which thumbprint algorithm your certificate uses, you can use the certmgr.msc snap-in with the Microsoft Management Console (MMC) to inspect the certificate. For more information on using MMC to view the thumbprint algorithm, see the To view the certificate thumbprint algorithm procedure below.
The service developer associates the certificate with a specific role within the service definition file. The certificate entry in the service definition file provides a name for the certificate that can be used to associate it with the certificate thumbprint that's given in the service configuration file. In the case where the certificate will be used for SSL, the certificate name can also be associated with an HTTPS endpoint. The name can be any value the service developer chooses.
The entry in the service definition file also specifies the store location and store name to which this certificate should be copied on the Windows Azure VM. The store location may be either Current User or Local Machine. The store name may be a built-in store, or any custom store name that the service developer provides. The built-in store names include My, Root, CA, Trust, Disallowed, TrustedPeople, TrustedPublisher, AuthRoot, and AddressBook. In the case where the store name is a custom name, Windows Azure creates a new store with the specified name. For details on adding a certificate to the service definition, see Certificate Element within the Windows Azure Service Definition Schema (.csdef File).
Warning You are restricted from installing to the trusted root store. It is blocked by default because storing your certificates there is not a recommended practice. If your certificate must be stored in the trusted root store, you can use an elevated startup task to move the certificate from a non-root store to the trusted root store. For more information on startup tasks, see Define Startup Tasks for a Role.
The following sample service definition file lists three certificates and their store locations and names. The certificate named SSL is also referenced by name in the definition of an HTTPS endpoint.
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="CloudService1" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WCFServiceWebRole2">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="Https" protocol="https" port="443" certificate="SSL" />
    </Endpoints>
    <Imports>
      <Import moduleName="Diagnostics" />
    </Imports>
    <Certificates>
      <Certificate name="SSL" storeLocation="LocalMachine" storeName="My" />
      <Certificate name="MSSecAuth" storeLocation="LocalMachine" storeName="CA" />
      <Certificate name="MSInternetAuth" storeLocation="LocalMachine" storeName="CA" />
    </Certificates>
    <LocalResources>
      <LocalStorage name="Logs" cleanOnRoleRecycle="false" sizeInMB="100" />
    </LocalResources>
  </WebRole>
</ServiceDefinition>
The service developer adds an entry for the certificate to the service configuration file, using the same name that was provided in the service definition file. This entry also specifies the certificate thumbprint and thumbprint algorithm. Windows Azure uses the thumbprint to identify the certificate within the hosted service's certificate store and deploys that certificate to the virtual machines that will run the role's instances. For details on specifying a certificate within the service configuration file, see Certificate Element within the WebRole Schema or WorkerRole Schema.
The service developer uploads the service package and the service configuration file to Windows Azure and deploys the service.
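Added example (not part of the Windows Azure documentation or tooling): a Python check that parses a service definition (.csdef) and its service configuration (.cscfg) and reports the wiring mistakes the procedure above guards against: a certificate declared by name with no thumbprint entry, a thumbprint algorithm other than sha1, a thumbprint that is not 40 hex digits, an HTTPS endpoint that references an undeclared certificate name, and a certificate aimed at the blocked Root store. The sample .csdef mirrors the page's example; the sample .cscfg and its thumbprint values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
# Namespaces of the .csdef and .cscfg files, in ElementTree's {ns}tag form.
DEF = "{http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition}"
CFG = "{http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration}"

def check_certificates(csdef_xml, cscfg_xml):
    """Return a list of problems in the certificate wiring between .csdef and .cscfg."""
    problems = []
    defined = {}  # role name -> set of certificate names declared in the .csdef
    roles = [r for r in ET.fromstring(csdef_xml) if r.tag in (DEF + "WebRole", DEF + "WorkerRole")]
    for role in roles:
        rname, names = role.get("name"), set()
        for cert in role.iter(DEF + "Certificate"):
            names.add(cert.get("name"))
            if cert.get("storeName") == "Root":  # blocked by default, see the Warning above
                problems.append(f"{rname}: {cert.get('name')} targets the Root store")
        for ep in role.iter(DEF + "InputEndpoint"):
            if ep.get("protocol") == "https" and ep.get("certificate") not in names:
                problems.append(f"{rname}: HTTPS endpoint {ep.get('name')} uses an undeclared certificate")
        defined[rname] = names
    configured = {}  # role name -> set of certificate names that carry a thumbprint in the .cscfg
    for role in ET.fromstring(cscfg_xml).iter(CFG + "Role"):
        rname = role.get("name")
        for cert in role.iter(CFG + "Certificate"):
            name = cert.get("name")
            configured.setdefault(rname, set()).add(name)
            if cert.get("thumbprintAlgorithm", "").lower() != "sha1":
                problems.append(f"{rname}: {name} uses an unsupported thumbprint algorithm")
            if not re.fullmatch(r"[0-9A-Fa-f]{40}", cert.get("thumbprint", "")):
                problems.append(f"{rname}: {name} thumbprint is not 40 hex digits")
    for rname, names in defined.items():
        for name in sorted(names - configured.get(rname, set())):
            problems.append(f"{rname}: {name} has no thumbprint entry in the .cscfg")
    return problems

# Constructed samples: the .csdef mirrors the page's; the .cscfg gives MSSecAuth sha256 and omits MSInternetAuth.
CSDEF = f"""<ServiceDefinition name="CloudService1" xmlns="{DEF[1:-1]}">
 <WebRole name="WCFServiceWebRole2">
  <Endpoints><InputEndpoint name="Https" protocol="https" port="443" certificate="SSL"/></Endpoints>
  <Certificates>
   <Certificate name="SSL" storeLocation="LocalMachine" storeName="My"/>
   <Certificate name="MSSecAuth" storeLocation="LocalMachine" storeName="CA"/>
   <Certificate name="MSInternetAuth" storeLocation="LocalMachine" storeName="CA"/>
  </Certificates></WebRole></ServiceDefinition>"""
CSCFG = f"""<ServiceConfiguration serviceName="CloudService1" xmlns="{CFG[1:-1]}">
 <Role name="WCFServiceWebRole2"><Certificates>
  <Certificate name="SSL" thumbprint="{'A1B2C3D4' * 5}" thumbprintAlgorithm="sha1"/>
  <Certificate name="MSSecAuth" thumbprint="{'0F' * 20}" thumbprintAlgorithm="sha256"/>
 </Certificates></Role></ServiceConfiguration>"""
```

Running check_certificates(CSDEF, CSCFG) on the samples reports the sha256 entry and the missing MSInternetAuth thumbprint; a clean pair of files returns an empty list.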
To view the certificate thumbprint algorithm
Click Start, click Run, type certmgr.msc, and then click OK.
In MMC, expand Certificates - Current User, and then expand the certificate store that holds your certificate and click Certificates.
In the right pane, right-click the certificate and click Open.
Click Details and scroll down the details list until you see the Thumbprint algorithm field.