There is the old saying: no pain, no gain. Well, congratulations, reader: my pain is your gain in this week's post. I will be showing you the steps it takes to purchase, sign, and install an SSL certificate on Windows Azure. I am a big fan and customer of DNSimple, which is a domain hosting provider. If you aren't using them, then you will need to figure out the initial steps for your hosting provider.
1. Buying the SSL Certificate
The first thing you will need to do is log into your DNSimple account and manage your domain. Your screen should look like the following.
Click the button that says "Buy SSL Certificate". Complete the steps to purchase the certificate. You have the choice between a standard certificate and a wildcard certificate.
Standard certificates cover:
Wildcard certificates cover:
your-domain.com www.your-domain.com *.your-domain.com ex. blog.your-domain.com
You might want to buy a wildcard certificate if you plan on securing subdomains as well as your top level domain.
Shortly after purchasing your certificate you will get a notification saying you are the proud new owner of an SSL certificate. Hooray! Don't celebrate just yet: you need to go back into your DNSimple account to retrieve your certificate and your private key.
In the dashboard you should see your new certificate under Active SSL Certificates. Click it and you will be presented with a screen that looks like this.
Copy the contents of the first box and save it to a file called private.key. The name is arbitrary really. Then save the next file to my_domain.crt.
2. Creating the PFX file
Windows Azure requires a PFX file in order to install the certificate. A PFX file bundles the private key together with the certificate, which carries the public key. Sadly RapidSSL doesn't offer you a PFX right out of the box, probably because the private key is generated at DNSimple. Personally I don't know why you don't have access to a PFX file, but you don't (can you tell I am annoyed by that?). This means you have to create one yourself. Luckily it is pretty easy once you figure out what you have to do.
You will need OpenSSL for the next step. I am doing this on a Mac, but I assume the steps would be similar on a Windows machine. You will also need the private.key file and the my_domain.crt file.
I placed them in the same directory and then ran the following in a terminal window.
$ openssl pkcs12 -export -out my_domain.pfx -inkey private.key -in my_domain.crt
You will be asked for a passphrase at this point to secure your PFX file. This is so only you can install it on your server. If someone were to get a hold of your PFX, it would be useless (unless they crack your passphrase). You should now have a file called my_domain.pfx in your directory.
Side Note: It took me an hour to realize that DNSimple had the private key I was looking for. I didn't know where to find it because I didn't realize that the certificate is only half of the equation.
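The pairing this section depends on, as an added example that is not part of the original post: it compares the public key in my_domain.crt with the one derived from private.key before exporting, then confirms the resulting PFX opens with the passphrase. It assumes an unencrypted PEM key and reads the passphrase from a PFX_PASS environment variable, a name chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm private.key and
# my_domain.crt are a pair, build the PFX, then confirm the PFX opens.
# Assumes an unencrypted PEM key and the passphrase in $PFX_PASS (hypothetical name).

# Public key embedded in the certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only when both files parse and carry the same public key.
key_matches_cert() {
    k=$(key_pubkey "$1") || return 2
    c=$(cert_pubkey "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pfx KEY CERT OUT: refuses to export a mismatched pair.
make_pfx() {
    if ! key_matches_cert "$1" "$2"; then
        echo "error: $1 is not the private key for $2" >&2
        return 1
    fi
    # umask 077 keeps the new PFX readable by the owner only; env: keeps the
    # passphrase out of the process list.
    ( umask 077
      openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout env:PFX_PASS )
}

# verify_pfx PFX: checks the passphrase and integrity MAC without printing keys.
verify_pfx() { openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS 2>/dev/null; }

# Run directly: PFX_PASS='...' sh make_pfx.sh private.key my_domain.crt my_domain.pfx
if [ "$#" -eq 3 ]; then
    make_pfx "$1" "$2" "$3" && verify_pfx "$3" && echo "wrote and verified $3"
fi
```

Since private.key is unencrypted, keeping it owner-readable only (chmod 600) and deleting it once the PFX is uploaded limits how long it sits exposed on disk.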
3. Installing the Certificate on Windows Azure
So you are in the home stretch. Log into your Windows Azure Portal and find your website. You will need to switch the site to Standard hosting. This runs about $75/mo if your site runs 24 hours a day for the whole month.
You will first need to add your domains to the list of domains, but I'm sure you've done that at this point. It is really easy with DNSimple, they have a one button click setup. Did I mention how easy it was?
Then back in the Windows Azure Portal you will need to upload your SSL Certificate. Click the upload a certificate button seen below.
I hope you remembered your passphrase from the PFX creation step. You will need it when this dialog box appears.
Select the PFX file and enter your passphrase. Your SSL certificate should be installed now.
4. Setting the Domains to use SSL
Ok the easiest but most rewarding step of this whole process. Setting the domains up properly to use SSL. I assume you entered your domains. Select which domains are using your certificate using the dropdown that appears under the SSL Bindings section.
Notice that I have domains with and without the www. This is important to do as Windows Azure treats those like two separate domains. You can use the URL Rewrite Module to pick your canonical URL.
5. Bask in the Green Goodness
Green is good, oh so good. I hope you've gotten this far in your SSL journey. If you have, you should see the following in your browser.
You Sir or Madam, are now proud owners of a secure Windows Azure website with a top level domain.
Once you know what you have to do, this process is super simple. Even a chimp like me could do it again. The great benefit here is that DNSimple really makes it super easy to work with Windows Azure and to get all the right records in place. Additionally they helped me get a certificate within minutes of purchase. My biggest hurdle was just understanding that you need the private key and the certificate to create the PFX file that Windows Azure is looking for. If I knew what I know now, I could get a site deployed and secured all within 10 minutes (estimate). As always, follow me on Twitter @AquaBirdConsult and hope you found this post as helpful as my future self will find it (when I have to do this again).