Using StartSSL with a Windows Azure Website
> DRAFT
This document is an overview of creating a free SSL certificate for a Windows Azure Web Site. For more details, please refer to the excellent resources at the end of this post. You will need:
- StartSSL
- OpenSSL
- Microsoft Azure Web App with a custom domain in the Standard pricing tier.
Every Azure Web App, free tier included, already serves HTTPS on its default *.azurewebsites.net hostname under Microsoft’s wildcard certificate, so none of this is needed for that hostname. The work below is for a custom domain, and Azure only allows an SSL binding for a custom domain in a paid tier (Standard at the time of writing).
Overview of the process
The following is a little bit like walking a tightrope.
When we first register with StartSSL, the website uploads an Authentication Certificate (AC) into our web browser. The AC is a replacement for a username and password; that is, it lets us authenticate and thereby to access the StartSSL control panel. I had never done that before so it was a bit odd for me.
From the control panel, we do domain validation to prove that we own a specific domain or domains (e.g. bigfont.ca). After that, we can exchange a Certificate Signing Request for an SSL Certificate for any domain we have validated.
The OpenSSL part of the process generates the private key (pass-phrase protected, so a copy can be backed up or moved safely) and the certificate signing request (CSR) that we hand to StartSSL in return for the SSL Certificate. Only the CSR leaves our machine; the private key never does.
In order to upload the SSL Certificate to Microsoft Azure, we need to wrap the certificate, its private key and StartSSL’s intermediate certificate into a Personal Information Exchange (.pfx) file. The last steps are to upload it, bind it to the domain (an easy step to forget), and test to make sure it all works.
If you’re anything like me, the following will take you about three hours.
Steps in the process
Authenticate: get an Authentication Certificate for StartSSL
Go to the StartSSL home page. If this is your first time using StartSSL, then you will need to sign up. If you’ve already done that and have saved your Client Authentication Certificate, then you’ll need to import it into your web browser and Authenticate. This lets us access the StartSSL control panel; that is, it takes the place of username/password authentication. A Client Authentication Certificate is a personal certificate that we import into our browser, and it is what gets us back into the account later, so export a backup of it (the .p12 file listed in Appendix 1) as soon as it is installed. Most people I know have never before done this.
Validate: do domain validation at StartSSL for each domain we want to secure.
This is the step-by-step process we use to verify domain ownership.
- StartSSL > Control Panel > Validation Wizard > Domain Name Validation.
- Choose a domain to verify and choose an email address with which to verify it.
You’ll only get to choose from email addresses that StartSSL thinks belong to the owner of the domain. One of these will be the registrant contact e-mail that’s on record at the domain service provider (DSP). Since our DSP is Namespro, we can change this email as follows:
- Namespro.ca > Login > My Domains.
- Find the domain and click on its registrant.
- The appropriate e-mail is under “registrant contact.”
- Wait a while for the updated registrant record to propagate through the Internet and then try domain validation.
Create Certificate Signing Request: use OpenSSL to generate a Certificate Signing Request (CSR)
If we’re renewing an SSL Certificate and we saved last year’s CSR, then we can skip this step and reuse it; reusing the CSR means reusing the same private key, which is convenient but forgoes a key rotation. If we need to create a new CSR, it’s possible to create it from within StartSSL instead of using OpenSSL, but the wizard’s first step then generates the private key for us rather than on our own machine, which is the reason we prefer OpenSSL. Here’s how to do it with OpenSSL. This command generates a private key and a certificate signing request.
openssl req -new -keyout bigfont.key -out bigfont.csr -newkey rsa:2048
What it technically means:
- -new: create a new request.
- -newkey rsa:<bits>: generate a new RSA key of <bits> size to go with the request.
- -keyout: write the private key to this file. Because -nodes is not on the command line, OpenSSL asks for a PEM pass phrase and writes the key encrypted with it; adding -nodes (“no DES”) would write the key in the clear instead.
- -out: output file for the CSR.
What it means in friendly language:
- generate a new private key, protected by the pass phrase you type, saved to bigfont.key, and
- generate a certificate signing request for that key, saved to bigfont.csr.
OpenSSL writes both files to the command line’s current directory. Only the .csr goes to StartSSL; the .key stays on our machine and is the secret that everything else depends on.
Request Certificate: Convert the CSR into an SSL Certificate at StartSSL
Note: Turn off pop-up blockers before proceeding. In Firefox 34, this is Options > Content > Block popup windows. Then proceed as follows:
- StartSSL > Control Panel > Certificates Wizard.
- Choose Web Server SSL/TLS Certificate.
- Skip the first step (generate private key) if you used OpenSSL to generate the private key and CSR.
- Follow the remaining onscreen instructions.
- If at any point a Continue button does nothing, then restart the Certificates Wizard. That sometimes happens.
- When the wizard asks for a subdomain, www is the usual choice.
- You’ll know you’re finished when you have a file named ssl.crt (or anything.you.want.crt if you rename it; the commands below call it bigfont.crt).
- If you ever again need to retrieve the certificate, go to StartSSL > Control Panel > Toolbox > Retrieve Certificate.
Wrap in PFX File: Use OpenSSL to convert the SSL Certificate into a Personal Information Exchange File
The PFX file is what the Azure Web App wants us to upload. Here’s how to get one of those.
- StartSSL > Control Panel > Toolbox > StartCom CA Certificates.
- Click Class 1 Intermediate Server CA. This downloads a .pem file (sub.class1.server.ca.pem). It has to go into the PFX: a client that does not already hold the intermediate otherwise sees an incomplete chain and rejects the site.
- Use the OpenSSL pkcs12 utility to convert the ssl.crt file (renamed bigfont.crt below) into a .pfx file. You need the passphrase for your encrypted key (-inkey) and you need to come up with a password for your .pfx file. Be sure to save both of these somewhere safe!
openssl pkcs12 -export -in bigfont.crt -inkey bigfont.key -certfile sub.class1.server.ca.pem -out bigfont.pfx -password pass:something
Note that -password pass:something puts the PFX password on the command line, where it lands in shell history and is visible to other users in the process list. Leave the option out and OpenSSL prompts for the password instead, or use -passout file:path to read it from a file.
What it technically means:
- pkcs12: the OpenSSL utility for creating and reading .pfx (PKCS #12) files.
- -export: create a .pfx file rather than parsing an existing one.
- -in: the file from which to read the certificate.
- -inkey: the file from which to read the private key (OpenSSL prompts for its pass phrase).
- -certfile: the file from which to read additional certificates, here the StartCom intermediate.
- -out: the file to which to write the certificate and private key.
- -password: the password with which to encrypt the output .pfx file.
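The two OpenSSL steps of the procedure (the key and CSR from “Create Certificate Signing Request” and the PFX from this section) scripted end to end, as an added example that is not part of the original post. It produces the pass-phrase-protected key and CSR without prompts, builds the PFX with both secrets read from files instead of the command line, and then checks what the post leaves unchecked: that key, CSR and certificate share one RSA modulus, and that the PFX really carries the intermediate and the matching key. Because there is no StartSSL to talk to offline, a throw-away root and intermediate (constructed for the demo and labelled “stand-in” in the code) sign the CSR in its place. The domain and subject fields follow the post, the pass-phrase values are made up, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the two OpenSSL
# steps of the procedure (key + CSR, then PFX) and checks every artefact
# before it is uploaded. Assumes `openssl` is on PATH. The "stand-in CA" is
# constructed for the demo only: it plays StartSSL's role and is not StartSSL.
set -eu

# Step 1: a passphrase-protected RSA key and a CSR, with no interactive prompts.
# $1 = work dir, $2 = domain, $3 = file whose first line is the key passphrase
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -sha256 -batch \
        -keyout "$1/$2.key" -passout "file:$3" \
        -subj "/C=CA/ST=British Columbia/O=BigFont Technology/CN=$2" \
        -out "$1/$2.csr" 2>/dev/null
    openssl req -in "$1/$2.csr" -noout -verify >/dev/null 2>&1  # CSR self-signature intact?
}

# Print the RSA modulus of a key, CSR or certificate. Equal moduli prove the
# three belong together; a mismatch means the wrong key or file was used.
# $1 = rsa|req|x509, $2 = file, $3 = passphrase file (rsa only)
modulus_of() {
    case $1 in
        rsa) openssl rsa -in "$2" -passin "file:$3" -noout -modulus ;;
        *)   openssl "$1" -in "$2" -noout -modulus ;;
    esac
}

# The appendix's "decrypted key": the same key with the passphrase removed.
# $1 = encrypted key, $2 = passphrase file, $3 = output file
decrypt_key() { openssl rsa -in "$1" -passin "file:$2" -out "$3" 2>/dev/null; }

# Stand-in for StartSSL (constructed, demo only): a throw-away root and an
# intermediate that signs the CSR, so the PFX step has a real chain to wrap.
# $1 = work dir, $2 = CSR, $3 = domain, $4 = output certificate
stand_in_ca_issue() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" >"$1/leaf.ext"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 -batch \
        -subj "/CN=Stand-in Root" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
        -subj "/CN=Stand-in Intermediate" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
    openssl x509 -req -in "$2" -CA "$1/int.pem" -CAkey "$1/int.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$1/leaf.ext" -out "$4" 2>/dev/null
}

# Step 2: wrap certificate, private key and intermediate into the PFX that
# Azure wants. Both secrets come from files, so neither lands in shell history
# or in `ps` output the way `-password pass:...` does.
# $1 = certificate, $2 = key, $3 = key passphrase file, $4 = intermediate,
# $5 = output .pfx, $6 = file whose first line is the PFX export password
make_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -passin "file:$3" \
        -certfile "$4" -out "$5" -passout "file:$6"
}

# Pre-upload check: the leaf inside the PFX must chain to the root through the
# intermediate carried in the same file, and must match the key in the file.
# $1 = .pfx, $2 = PFX password file, $3 = trusted root (PEM), $4 = scratch dir
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts -out "$4/pfx-leaf.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -cacerts -out "$4/pfx-cas.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes -out "$4/pfx-key.pem" 2>/dev/null &&
    openssl verify -CAfile "$3" -untrusted "$4/pfx-cas.pem" "$4/pfx-leaf.pem" >/dev/null 2>&1 &&
    [ "$(modulus_of x509 "$4/pfx-leaf.pem")" = "$(openssl rsa -in "$4/pfx-key.pem" -noout -modulus)" ]
}

# Whole procedure in scratch directory $1 for domain $2; returns 0 only if
# every check passes. Passphrase values are constructed for the demo.
run_demo() {
    umask 077                                   # key material is created 0600
    printf 'demo key passphrase\n' >"$1/key.pass"
    printf 'demo pfx password\n' >"$1/pfx.pass"
    make_key_and_csr "$1" "$2" "$1/key.pass"
    [ "$(modulus_of rsa "$1/$2.key" "$1/key.pass")" = "$(modulus_of req "$1/$2.csr")" ]
    stand_in_ca_issue "$1" "$1/$2.csr" "$2" "$1/$2.crt"
    make_pfx "$1/$2.crt" "$1/$2.key" "$1/key.pass" "$1/int.pem" "$1/$2.pfx" "$1/pfx.pass"
    verify_pfx "$1/$2.pfx" "$1/pfx.pass" "$1/root.pem" "$1"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && run_demo "$d" www.bigfont.ca && echo "all checks passed; files in $d"
fi
```

Saved as, say, pfx-demo.sh, `sh pfx-demo.sh demo` runs the whole thing in a temporary directory. Against a real StartSSL certificate, call make_pfx with bigfont.crt and sub.class1.server.ca.pem, and verify_pfx with the StartCom root certificate in place of root.pem; a verify_pfx failure on a file that OpenSSL happily created usually means the intermediate was left out. One caveat for anyone following the post today: OpenSSL 3 writes PKCS #12 files with newer defaults (AES, PBKDF2) that some older importers reject, and its pkcs12 command has a -legacy option that produces the older encoding if an upload is refused.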
Upload to Azure & Bind: This is how to configure the certificate with the Azure Web App
Upload
- From the Azure Web App Dashboard for your site…
- Go to configure > certificates > upload a certificate.
- Find the newly created .pfx file.
- Enter its password (that you created in the last step).
- The upload will complete.
Bind
- From the Azure Web App Dashboard for your site…
- Go to configure > ssl bindings
- Choose the newly uploaded certificate.
- Save.
Note: we cannot delete a previous certificate until we’ve unbound it from the domain name.
Test: Make sure the remote certificate works
We can use the OpenSSL s_client to test the certificate from PowerShell or the command line as follows. The -servername option sends the host name in the TLS handshake; an SNI SSL binding in Azure needs it, and a client that does not send it is shown Azure’s default *.azurewebsites.net certificate rather than ours.
openssl s_client -servername www.bigfont.ca -connect www.bigfont.ca:443
In the output, the Certificate chain block should list both the www.bigfont.ca certificate and the StartCom Class 1 intermediate, and the last lines should say Verify return code: 0 (ok). A chain with only one certificate means the intermediate was left out of the PFX.
The notes section of the s_client docs talks about using this utility to debug/test SSL certificates.
There are also several online SSL checkers. Here are a few that we have tried (listing here is NOT an endorsement):
- https://sslcheck.globalsign.com
- https://www.ssllabs.com/ssltest
- https://ssltools.websecurity.symantec.com/checker
As of today (July 2015) we’ve only obtained a B-rating at the above test sites. Maybe someday we’ll determine how to obtain an A.
Appendix 1: List of files that result from the above steps (back these up on a USB stick for safe keeping!)
After creating an SSL certificate with StartSSL and after having uploaded it to a Windows Azure Website, I had the following files saved on my USB stick for safe keeping.
- bigfont.ca-encrypted.key This is the private key, encrypted under a pass phrase; it is the form to use when the key has to be moved, e.g. across a network, or backed up.
- bigfont.ca-decrypted.key This is the same private key with the pass phrase removed, with which we can create a certificate signing request without being prompted.
- bigfont.ca.crt This is the SSL certificate (it carries the public key, not the private one) which StartSSL provides in response to our CSR. Note that .crt and .cer are two extensions for the same kind of file.
- bigfont.ca.csr This is the certificate signing request. We send it to StartSSL to request an SSL certificate.
- bigfont.ca.pfx This is the personal information exchange file, which we created from our SSL Certificate, its private key and the intermediate, and which we upload to Azure.
- StartSsl-AuthenticationCertificate-backup.p12 This is the backup of the StartSSL Authentication Certificate that we use to access the control panel.
- sub.class1.server.ca.pem This is the Intermediate Server Certificate that we need to roll into our PFX before uploading it to the Azure Website.
I also stored the following passwords/phrases in a safe place.
- The pfx export password.
- The p12 export password.
- The encrypted key’s private pass phrase.
Between them, the decrypted key and the .pfx on the stick are everything needed to impersonate the site, and the .p12 plus its password is everything needed to act as us at StartSSL, so keep the passwords apart from the stick and the stick itself locked away.
Appendix 2: An example Certificate Signing Request
This is what the openssl req prompts looked like for our CSR. Entering a single “.” leaves a field blank (as for Organizational Unit Name below). The two ‘extra’ attributes are stored inside the CSR itself, where anyone holding the CSR can read them, so do not reuse a real password as the challenge password; CAs generally ignore it anyway.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Salt Spring Island
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BigFont Technology
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:www.bigfont.ca
Email Address []:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:my$super&strong&*passphrase
An optional company name []:BigFont Technology
Resources
- http://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate The first section has a subsection that explains how to use OpenSSL to get a certificate.
- http://www.troyhunt.com/2013/09/the-complete-guide-to-loading-free-ssl.html This is an extremely useful resource. Step 4 is all about requesting an SSL cert from StartSSL. Unfortunately, he does NOT cover how to register with StartSSL.
- https://www.madboa.com/geek/openssl/#intro-commands Explains how to view help for OpenSSL commands.
- https://konklone.com/post/switch-to-https-now-for-free?hn
- http://www.muddlingthru.ca/choosing-an-ssl-certificate-and-provider
- http://stackoverflow.com/questions/642284/apache-with-ssl-how-to-convert-cer-to-crt-certificates Equivalence of CER and CRT files.