SSL Securing an Azure Website

October 25, 2015

SSL Certificates aren't a routine activity that every developer has to do often, so it's often a Google or DuckDuckGo search to find a tutorial to recall the steps.

What's an SSL Certificate?

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.  -GMO GlobalSign Inc.

In summary, an SSL Certificate allows you to encode web site requests so that important credentials (usernames/passwords) or billing information (credit card numbers, addresses) are encrypted so only the user and the server know the details.

Purchase an SSL Certificate

First, find an SSL Certificate provider. There are quite a few providers that can secure your site with varying degrees of security and liability warranties. For smaller solutions you may not need a $1,000,000 coverage protection plan, so a $10 SSL certificate with $10k coverage is probably enough. SSL Certificates can secure your single domain, any sub domain, or multiple domains. Purchasing for a single domain, such as blog.davidemanske.com, is the least expensive. Wildcard certificates (*) will cover any sub domain for a given domain. So you could secure, blog.davidemanske.com, sales.davidemanske.com, crm.davidemanske.com, etc. You should do the math to see if it makes more sense to purchase single domains or a wild card. Note that there is also a cost savings in terms of time to not have to issue an individual cert for every domain. Lastly, a Multiple Domain cert can provide a certificate for multiple domains. Here are a few SSL Certificate providers that provide quality SSL Certificates.

Create the SSL Certificate CSR Request

In IIS on your local machine/server, create a new server certificate by clicking on the server node and opening the Server Certificates screen. Right click and select Create Certificate Request or simply click on the link on the right side of the screen in the Actions pane. Your Distinguished Name Properties are simply details about your organization.

Common Name: yourdomain.com // Note that you should use www.domain.com instead of just domain.com. Including the www will protect both variants whereas just domain.com will only secure the non-www host name. Organization: Your Name or Organization Organization Unit: IT City: City State: WI (abbreviation) Country: US (abbreviation)

Cryptographic Service Provider Properties

Most SSL Certificate providers will require that your Bit length be a minimum of 2048 and RSA SChannel.

Complete Request with Provider

After purchasing the SSL Certificate you’ll need to activate that certificate and supply the CSR. The CSR will specify the credentials, as well as the domain covered, in a blob of letters and numbers. Copy this text from the txt document and paste it as the CSR. After submitting the CSR, you’ll be prompted to confirm that you own the domain. You can choose to verify that you own the domain by sending an e-mail to that domain, adding a DNS entry, or uploading a special text/html file to the website’s root. If verifying by e-mail, follow the instructions in the e-mail to complete this step.

Complete Certificate Request

You will receive the certificate in a zip file by e-mail shortly after completing the previous step. Extract the .cer file. Back in IIS, open the Server Certificates panel again and click ‘Complete Certificate Request’ in the Actions pane. You will be prompted to enter a friendly name (use the common domain name used during the CSR step) and select the .cer file you just extracted. Select Web Hosting as the certificate store.

Export for Azure

Now that you have completed the certificate, you can export the cert for the Azure site. Right-click on the cert within the Server Certificates grid and click Export. Note, if the certificate does not show up, you may need to close IIS and re-open it. Specify a directory and a file name of the .pfx file that it will create and input a password. It doesn’t matter what you name the .pfx file, but for consistency it’s easy to just name the file the same as the common domain name.

Azure Portal – Custom Domains and SSL

In Azure and within your Azure Web App, select the Custom Domains and SSL blade in settings. Next, click the ‘Upload Certificate’ button in the blade header. Select the local PFX file and input the password that you specified as you exported out of IIS.

Azure – Bring External Domains

This step can happen before or after the Custom Domains and SSL, but it does need to occur so you can see your domain is accessible to the Web App. Click the Bring External Domains button in the Settings header and then input the domain. Click Save and your domain and certificate should be available to link together. Link the cert and domain together in the settings blade by setting the SSL bindings host name (your domain) and certificate (SSL certificate).  SNI SSL will allow you to use the same IP to support several secured websites. Otherwise you will need a unique IP for each website."

Share

Comments