Control Access to Certificates on a Virtual Machine
Updated: February 14, 2014
Access to certificates containing private keys should be restricted to processes that are fully trusted. Windows Azure VM roles restrict role access by default. Web and worker roles, by default, allow all role processes to access the private key. To restrict access, set the permissionLevel attribute on the Certificate element in your service definition file. The permissionLevel attribute specifies the access permissions given to the role processes. Possible values are limitedOrElevated and elevated: limitedOrElevated allows all role processes to access the private key, while elevated allows only elevated processes to access it. The default value is limitedOrElevated, so a Certificate element that omits the attribute leaves the private key accessible to every role process.
To restrict access to a certificate for a web or worker role
Open the ServiceDefinition.csdef file.
Locate the Certificate element for the certificate, add the permissionLevel attribute, and set its value to elevated.
<ServiceDefinition name="WindowsAzureProject4" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WorkerRole name="MyWokerRole">
    <ConfigurationSettings>
      . . .
    </ConfigurationSettings>
    <Certificates>
      <Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" permissionLevel="elevated" />
    </Certificates>
  </WorkerRole>
</ServiceDefinition>
Save the file.
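Because a Certificate element with no permissionLevel attribute silently falls back to limitedOrElevated, it is worth checking every role in a ServiceDefinition.csdef rather than only the one you just edited. The following script is an added example, not part of this article or of any Microsoft tooling: it parses a service definition, lists every certificate that any role process could still use (treating a missing attribute as the limitedOrElevated default), and can rewrite the file so that every Certificate element carries permissionLevel="elevated". The embedded service definition, role names and certificate names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by ServiceDefinition.csdef files (from the article's sample).
SD_NS = "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"
NS = {"sd": SD_NS}
# Emit the namespace as the default one when serializing, so the output
# looks like a normal csdef file rather than using an ns0: prefix.
ET.register_namespace("", SD_NS)

# Constructed sample service definition (not a real project): one worker role
# whose certificate is already restricted, and one web role with two
# certificates that any role process could use.
SAMPLE_CSDEF = """<ServiceDefinition name="SampleProject" xmlns="%s">
  <WorkerRole name="MyWorkerRole">
    <Certificates>
      <Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" permissionLevel="elevated" />
    </Certificates>
  </WorkerRole>
  <WebRole name="MyWebRole">
    <Certificates>
      <Certificate name="SigningCert" storeLocation="LocalMachine" storeName="My" />
      <Certificate name="ClientCert" storeLocation="LocalMachine" storeName="My" permissionLevel="limitedOrElevated" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
""" % SD_NS


def find_unrestricted_certificates(csdef_xml):
    """Return (role name, certificate name, effective permissionLevel) for every
    Certificate element that is not restricted to elevated processes.

    A missing permissionLevel attribute is reported with its effective value,
    limitedOrElevated, which is the default described in the article."""
    root = ET.fromstring(csdef_xml)
    findings = []
    for role in root:  # WebRole, WorkerRole, VirtualMachineRole, ...
        role_name = role.get("name", "?")
        for cert in role.findall("sd:Certificates/sd:Certificate", NS):
            level = cert.get("permissionLevel", "limitedOrElevated")
            if level != "elevated":
                findings.append((role_name, cert.get("name", "?"), level))
    return findings


def restrict_all_certificates(csdef_xml):
    """Return a copy of the service definition in which every Certificate
    element has permissionLevel="elevated"."""
    root = ET.fromstring(csdef_xml)
    for cert in root.iter("{%s}Certificate" % SD_NS):
        cert.set("permissionLevel", "elevated")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Audit the constructed sample, then show the hardened version.
    for role, cert, level in find_unrestricted_certificates(SAMPLE_CSDEF):
        print("role %s: certificate %s is accessible to all role processes (permissionLevel=%s)"
              % (role, cert, level))
    print(restrict_all_certificates(SAMPLE_CSDEF))
```

Run it against a real file with `find_unrestricted_certificates(open("ServiceDefinition.csdef").read())`; an empty list means every certificate in every role is limited to elevated processes. Review the rewritten output before replacing the original file, since restricting a certificate that a non-elevated role process legitimately needs will break that process.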