Manage Certificates in Windows Azure

Updated: March 28, 2011

Windows Azure uses certificates in three ways:

• Management certificates – Stored at the subscription level, these certificates are used to enable the Windows Azure using the SDK tools, the Windows Azure Tools for Microsoft Visual Studio, or the Windows Azure Service Management REST API. These certificates are independent of any hosted service or deployment.
  
  
• Service certificates – Stored at the hosted service level, these certificates are used by your deployed services.
  
  
• SSH Keys – Stored on the Linux virtual machine, SSH keys are used to authenticate remote connections to the virtual machine.
  
  

To use a certificate in Windows Azure, it must be uploaded to Windows Azure. Management and service certificates can be uploaded through the Windows Azure Management Portal. Service certificates can also be uploaded to Management Portal using Add Certificate in the Windows Azure Service Management REST API.

Certificates used in Windows Azure are x.509 v3 certificates and can be signed by another trusted certificate or they can be self-signed. A self-signed certificate is signed by its own creator. Because of this, the certificate is not trusted by web browsers and will cause a security alert in Internet Explorer. Users can continue, but have to bypass a security message.

Self-signed certificates are typically used in test scenarios, or when they are used as a container for public/private keys.

Certificates used by Windows Azure can contain a private or a public key. Certificates have a thumbprint that provides a means to identify them in an unambiguous way. This thumbprint is used in the Windows Azure configuration file to identify which certificate a hosted service should use. For more information on configuring certificates in the configuration file, see Set Up a Cloud Service for Windows Azure.

Windows Azure uses certificates to identify a trust relationship: the party to be trusted has the private key.

• Management certificates (.cer certificate files): the client connecting the service needs to be trusted and has the private key.
  
  
• Service certificates (.pfx certificate files): the service needs to be trusted by the client connecting to the service. For example, in an SSL secured service scenario the SSL certificate contains the private key.
  
  

Management certificates

Management certificates permit client access to resources in your Windows Azure subscription. Management certificates are x.509 v3 certificates that only contain a public key, and are saved as a .cer file.

Common uses of management certificates

• The CSUpload Command-Line Tool uses management certificates for authentication when deploying VM role images. For more information one using CSUpload to deploy VM role images, see Upload a VHD to Windows Azure.
  
  
• Requests made using the Windows Azure Service Management REST API require authentication against a certificate that you provide to Windows Azure; see Authenticating Service Management Requests for details. You must upload a management certificate to Windows Azure using the Management Portal.
  
  
• Windows Azure Tools for Microsoft Visual Studio use management certificates to authenticate a user to create and manage your deployments. For more information on using the Visual Studio tools to deploy applications, see Deploy the Windows Azure Application from Visual Studio.
  
  

The same certificate can be used on more than one computer to manage a Windows Azure subscription. In order to move a management certificate from one computer to another development computer, it must be exported in the form of a PFX file and then reimported on other development computer.

Important

There is a limit of 100 management certificates per Windows Azure subscription. There is also a limit of 100 management certificates for all subscriptions under a specific service administrator’s user ID. If the user ID for the account administrator has already been used to add 100 management certificates and there is a need for more certificates, you can add a co-administrator to add the additional certificates. Before adding more than 100 certificates, see if you can reuse an existing certificate. Using co-administrators adds potentially unneeded complexity to your certificate management process. For more information on adding co-administrators, see Add and Remove Co-Administrators for Your Windows Azure Subscriptions.

Service certificates

Service certificates provide secure interactions for users of your web application or service. A common case is a certificate that's associated with an HTTPS endpoint, but you can use service certificates in other ways as well. Service certificates, defined in your service definition, are automatically deployed to the virtual machine that is running an instance of your role. You can upload service certificates to Management Portal either using the Management Portal or by using the Service Management API. Service certificates are associated with a specific hosted service and assigned to a deployment in the service definition file.

Service certificates can be managed separately from your services, and may be managed by different individuals. For example, a developer may upload a service package that refers to a certificate that an IT manager has previously uploaded to Windows Azure. An IT manager can manage and renew that certificate changing the configuration of the service without needing to upload a new service package. This is possible because the logical name for the certificate and its store name and location are specified in the service definition file, while the certificate thumbprint is specified in the service configuration file. To update the certificate, it's only necessary to upload a new certificate and change the thumbprint value in the service configuration file.

Warning
If the configuration is changed in this manner it will potentially be out of sync with the development platform. This means that updates could potentially be written over if the configuration on the development computer is not updated before uploading updates to the service. The recommend solution is to upgrade the service with a new configuration file. This ensures that the change is not lost.

Service certificates are x.509 v3 certificates that are uploaded to Windows Azure and stored in the hosted service in which they will be used. Service certificates are private key (.pfx) files. Service certificates are used for both SSL and remote desktop decryption which require a certificate with a private key.

There are three primary uses for service certificates:

• Encryption – RDP password encryption.
  
  
• Server – SSL provide communications security for secure web pages.
  
  
• Mutual Authentication – WCF client authentication.
  
  

SSH keys

The SSH keys enable you to remotely access and authenticate connections to a Linux virtual machine from a Linux or Windows client. The current version of the Windows Azure Management Portal only accepts SSH public keys that are encapsulated in an X509 certificate that contains a 2048-bit key pair. For more information on generating and using SSH keys to access a Linux virtual machine, see How to Use SSH with Linux on Windows Azure.

See Also

Concepts

Create a Management Certificate for Windows Azure
Obtain an SSL Certificate
Configure an SSL Certificate on an HTTPS Endpoint
Associate a Certificate with a Service
Add a New Certificate to the Certificate Store
Update a Certificate in the Certificate Store
Control Access to Certificates on a Virtual Machine