Azure Websites now supports SSL and allows you to upload a certificate. I have a GoDaddy certificate that I have uploaded and although this works fine for 80% of users it seems that Windows XP users browsing the site in Internet Explorer are given the following error:
There is a problem with this website's security certificate.
On further investigation it seems like I may need to provide an intermediate certificate but I can not find how to supply a Godaddy intermediate certificate (I have one) for my Azure Website.
Can anyone tell me if there is a solution to the intermediate certificate issue?
I followed the following step process when I was setting up SSL in Azure using GoDaddy as CA. (Notice the highlighted line below that might be your key):
Create a Certificate Signing Request (CSR) on the web server (local IIS, not Azure)
Send CSR to CA (Certificate Authority – GoDaddy) and specify alternative domain names (if you've paid for that possibility)
Download certificate from CA
Import certificate to web server (local IIS, not Azure)
Import the intermediate certificates from CA into local computer (where you have IIS)
Export the certificate as PFX file from IIS and give it a password
Import PFX file into Azure together with password
Bind configured domain names to the certificate in Azure
There are a few different ways to create the CSR file. I used IIS Manager on my local developer computer.
You can read an extended version of the list here where all the steps are more thoroughly explained.
Had a reply on twitter from Microsoft, the reply they give is as follows: "this is a known issue. Not an oversite but rather a bug... Check the MSDN support forum" I checked my post on MSDN forums and the reply they left there is "We will have this support soon".
Related
I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet Portal with which the application communicate. My question is: does signing services generally provide also the certificate for the application either the certificate for the site? Can you sign the application with the same certificate or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You can not sign the application using the same cert as your are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g.: blog.domain.com, www.domain.com, chat.domina.com, static.domain.com...), this depends on the type of certificate you are using.
Also: Please note that you can get free SSL certificates (e.g.: LetsEncrypt provides them, and azure website can use free "managed" certs from microsoft.). However, to my knowledge, there are no free code signing certificates.
I developed a web service to be consumed by another team.
These were my steps:
developed a web service with jax-ws 2.2.8 and jdk 1.7
deployed the web service to run on Tomcat 7
generated the client classes
created a self-signed server certificate using the jdk's keytool
configured Tomcat to support SSL connection
exported the generated server certificate to a certificate file
imported the server certificate into the truststore file
specified CONFIDENTIAL transport-guarantee in web.xml for the web service's servlet
developed a test client to consume the web service using the client classes
So then the other team started working with it and I was informed that the certificate is not properly signed. Is a self-signed certificate improperly signed? Is that true? I didn't think so. Well I don't want to argue the point. I was informed that they have their own signing authority that is already trusted by most of their system and it was suggested to me that I replace my cert with the one that is signed by the certs displayed in two screenshots that I was provided. I wasn't provided any further information but I guessed the screenshots were taken in Internet Explorer, Tools, Internet Options, Content, Certificates, Intermediate Certification Authorities, then in the list I found a certificate and clicked on View, clicked on Certification Path and my screen matches the screen of the other team member with one exception. His screen displays:
Company Name Root CA
Company Name Issuing CA
teamname.companyname.com
Whereas my screen only displays:
Company Name Root CA
Company Name Issuing CA
I don't see the
team.companyname.com
on my screen and not too sure how that got there or if I need that.
Then I clicked on Details and compared Version, Serial number, Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid To, Subject and Public key and they are all the same. The rest of the fields are not visible in the screenshot.
So where do I go from here? I am not certain.
According to: Apache Tomcat 7 documentation, Tomcat operates only on JKS, PKCS11 or PKCS12 format keystores.
My questions are these:
1) Should I export the certificate using the Certificate Export Wizard? (I am using Windows 7)
2) If so, should I select the format Personal Information Exchange - PKCS #12 (.PFX)?
3) And if so, which of the following options need to be selected?
Include all certificates in the certification path if possible
Delete the private key if the export is successful
Export all extended properties
Wait! Hold on! I just tried to select Personal Information Exchange - PKCS #12 and it is disabled. Hmmm.
Is there a way to export the certificate from the browser for the purposes of somehow getting a keystore format supported by Tomcat? And I must add that I don't know how to get from point a to point b and any help would be appreciated. And it also concerns me that my certificate doesn't display:
teamname.companyname.com
in
Company Name Root CA
Company Name Issuing CA
teamname.companyname.com
Any ideas/suggestions/feedback would be greatly appreciated as I not too familiar with certificates!
None of the above.
You need to follow the same steps you used to create your self-signed certificate but after you have created your Certificate Signing Request (CSR) you need to give that to the other team to get them to sign it with their Certificate Authority (CA). Then you continue as you did before.
I'm trying to create a https endpoint on my azure application, but I've run into a problem.
I have a CNAME record (in our local ISP's Name Server), like MyApp.MyDomain.com, which maps to MyApp.cloudapp.net.
Microsoft documentation tells me that I need to get a Certificate Signing Request (CSR) for MyApp.MyDomain.com. However, the only place this exists is in the local ISP's name server, and they tell me that they can't create this CSR since they don't host that domain. This doesn't make sense to me, since nobody "hosts" that domain, it's just a CNAME.
So I don't know who can create that CSR. Is it something I can do locally (i.e. on an IIS that is unrelated to that domain), or does it need to be done on Azure's / local ISP's server?
You can do this locally and you'll send it to the company you buy the certificate from (let's say Comodo). Once they're done, they'll send the response and you'll need to upload it in IIS (under Server Certificates, Complete Certificate Request).
The result will be that you'll have a PFX file (a file with public and private key). Once you have this file you'll need to upload it in the Windows Azure Portal, and in your WebRole you'll need to fill in the thumbprint of that certificate.
Once you've done all this and you deployed the application, you'll be able to access the website through HTTPS and you'll see that the certificate will be used correctly.
I have Azure app containing 4 sites in a single web role (differentiated by host headers). I setup the sites to run over SSL. I issued 2 self signed certificates: 1 as CA installed into Trusted Root CAs store and 1 wildcard SSL certificate (issued using the first one).
The application runs, however I'm getting certificate error 'Mismatched address' in Azure Compute Emulator. I examined the mismatched certificate and found out it is not the one specified in service configuration. I went into IIS management console and checked the bindings - there was no cert set for my sites. So I setup the wildcard certificate manually in the site bindings. But in browser I still have mismatched certificate, still the one for 127.0.0.1 (comming with DevFabric). How can I make the IIS to return the correct certificate configured for the site?
(I have some services in the web sites consumed by Silverlight application and it does not work when there is forced manual confirmation of the certificate by user.)
Thanks!
Are you sure that you really access the service using https://127.0.0.1 and not using https://localhost?
I created ssl certificate using IIS 5.1 and generated a file certreq.txt. Now what is the next step to use this file. I am a developer and working on a site that is host on my local machine. Is is necessary to get license from any CA?
Please guide me ASAP.
You can create a self-signed cert, but that will not be very elegant for end users if this is a public website as there is the prompt about cert validity. Otherwise, yes you need to obtain a cert from a CA. I find the best is Verisign, although DEFINITELY not the cheapest. Others are Godaddy, CheapDomain, and pretty much any registrar can help with it.
The link is for 5.1, but you can find tutorials on all versions. For testing I would go the self signed route.
The certificate generated from IIS, is a self-signed certificate, which can be used to test your website. However, if you run a public website from a self-signed certificate, every user will get a warning that the site is not safe. You will eventually need to get a license from a CA when you are ready to publish your site. Your domain host should provide an SSL certificate service, for something like $50-150/yr.
You can either self sign the certificate or send it to the CA to avoid the do-not-trust this site prompt. SSLTools Manager is a nifty app that can send your csr to a CA. Not sure about the self-signing feature though.