Saturday 24 December 2011

Securing Azure Web Role using SSL Certificate


When we think about security for an Azure Web Role, the first thing that comes to mind is enabling the SSL protocol for the role, so that the application is accessible only through the https endpoint https://sslwebrole.cloudapp.net.

Before going on to an actual implementation on a web role, it is better to understand how SSL secures our application.

When we use net banking or shop on an online portal (such as amazon.com, ebay.com etc.), we provide sensitive data such as account numbers, credit/debit card numbers and passwords. If that data is transferred in plain text (exactly what you typed) from your browser to the server, someone can steal it, learn all your sensitive data and take your money without your knowledge. So the communication between the browser (client) and the web server (server) must be done in such a way that nobody can steal the data, and if they do, the data is not available to them as it was entered.

With SSL enabled, data transfer between client and server is done securely: the data is encrypted before it is sent on the wire and decrypted when it is received at the other end. So the data on the wire is always encrypted.

Implementing SSL for an application requires a valid certificate. The certificate lets the browser ensure that the client is connected to the actual site and not to any other site. It is also used for encrypting and decrypting the data at both ends.

For a better understanding of how SSL works, please see the following URL:
http://www.ourshop.com/resources/ssl.html.

Steps for enabling SSL for Azure Web Role:

Step 1: Create an Azure Web Role in Visual Studio and make it ready for normal deployment.

Step 2: Create a Self-Signed Certificate.

As we have already seen, we require a valid certificate for enabling SSL. We can create a self-signed certificate using the makecert.exe command or using IIS Manager. But a certificate created this way can be used only for development and testing purposes. For production use, we must purchase a valid certificate from one of the SSL certificate providers such as Verisign, Thawte, InstantSSL, Entrust, Cybertrust, Geotrust, Go Daddy.

Creating a Self-Signed Certificate using the makecert.exe command

  1. Open the Visual Studio Command Prompt.
  2. Create a self-signed certificate using the command line below:
    makecert -r -pe -n "CN=sslwebrole.cloudapp.net" -b 01/01/2010 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
    The CN attribute takes the name of the certificate. You can give any understandable name, or put your hosting service name in place of sslwebrole in this command.

    This command creates a self-signed certificate that appears in IIS Manager.
  3. To verify that the certificate was created, open IIS Manager by running the inetmgr command in the Start->Run window.


  4. Select the IIS server name in the Connections panel and select Server Certificates from the IIS section in the center of the screen.


  5. If the certificate was created successfully, it will be listed under the Server Certificates section (in the middle of the screen) with the name provided.


Creating a Self-Signed Certificate using IIS Manager

  1. Open IIS Manager by running the inetmgr command in Start->Run.
  2. Select the IIS server name in the Connections panel and select Server Certificates from the IIS section in the center of the screen.
  3. Select the Create Self-Signed Certificate… hyperlink from the Actions panel.


    This opens a Create Self-Signed Certificate window for creating the certificate.
  4. Enter the name of the certificate. You can provide a name like sslwebrole.cloudapp.net (replace sslwebrole with your hosting service name).


  5. Click OK. The system will create the certificate and show it in the certificate list.


Step 3: Export the certificate for uploading to the Azure environment

  1. Right-click the certificate created in Step 2 in the list of server certificates and select the Export menu.


    The system will pop up an Export Certificate window.
  2. Provide the certificate export path with a file name, and a password. Press OK.


    The system will export the certificate and store it as a .pfx file in the specified path.

Step 4: Enabling SSL for the Web Role

  1. Switch to the Azure project and open the property page for the Web Role.


  2. In the property page, select the Certificates tab and press the Add Certificate menu to add a new certificate.
    Visual Studio will add a new row to the list.
  3. Change the name of the certificate from Certificate1 to SSLCert and press the button under the Thumbprint column to select the certificate.


    Visual Studio will open a Select a Certificate window.
  4. Select the certificate and press OK.


    If required, you can view the certificate using the View Certificate button.
    Note: I use Vista OS. If you are using any other OS, the Select a Certificate window may be a little different.
  5. The Thumbprint column will be populated for the certificate.


  6. Select the Endpoints tab.
    There will already be one endpoint in the list, with 80 as the public port and http as the protocol. This endpoint makes the application run on an http endpoint. To make the application run on an https endpoint, the endpoint must be changed as follows:
    • Change the Protocol to https
    • Give 443 as the Public Port
    • Select the certificate name created before under the SSL Certificate Name column.
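
The Certificates and Endpoints tabs edited in Step 4 are saved in the project's ServiceDefinition.csdef and ServiceConfiguration.cscfg files. As an added example (not part of the original post), the Python below audits constructed samples of those two files and reports any input endpoint that is not https or has no certificate thumbprint behind it; the role name WebRole1, the endpoint name Endpoint1 and the all-zero thumbprint are placeholders.

```python
import xml.etree.ElementTree as ET

DEF_NS = "{http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition}"
CFG_NS = "{http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration}"

# Constructed sample of ServiceDefinition.csdef after Step 4 (names are placeholders).
CSDEF = """<ServiceDefinition name="SslWebRole"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Endpoints>
      <InputEndpoint name="Endpoint1" protocol="https" port="443" certificate="SSLCert" />
    </Endpoints>
    <Certificates>
      <Certificate name="SSLCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>"""

# Constructed sample of ServiceConfiguration.cscfg; the thumbprint is a placeholder.
CSCFG = """<ServiceConfiguration serviceName="SslWebRole"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="1" />
    <Certificates>
      <Certificate name="SSLCert" thumbprint="0000000000000000000000000000000000000000"
                   thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>"""

def audit(csdef_xml, cscfg_xml):
    """Return a list of findings; an empty list means every endpoint is https."""
    findings = []
    # Map (role name, certificate name) -> thumbprint from the .cscfg file.
    thumbs = {(r.get("name"), c.get("name")): c.get("thumbprint", "")
              for r in ET.fromstring(cscfg_xml).iter(CFG_NS + "Role")
              for c in r.iter(CFG_NS + "Certificate")}
    for role in ET.fromstring(csdef_xml).iter(DEF_NS + "WebRole"):
        declared = {c.get("name") for c in role.iter(DEF_NS + "Certificate")}
        for ep in role.iter(DEF_NS + "InputEndpoint"):
            name, cert = ep.get("name"), ep.get("certificate")
            if ep.get("protocol") != "https":
                findings.append(f"{name}: plain {ep.get('protocol')} on port {ep.get('port')}")
            elif cert not in declared:
                findings.append(f"{name}: certificate {cert!r} not declared in the role")
            elif len(thumbs.get((role.get("name"), cert), "")) != 40:
                findings.append(f"{name}: no SHA-1 thumbprint for {cert!r} in .cscfg")
    return findings
```

Calling audit() with the text of the real project files before packaging catches a leftover port 80 endpoint or a certificate row whose thumbprint was never selected.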



Step 5: Verify the application locally

Now the application is SSL enabled. We can run the application and verify the output. As the certificate we are using in this implementation is a self-signed certificate, we will get a warning message as below.


As our application is only for testing the SSL concept, we need not worry about it. (Normally we can use a self-signed certificate for development and testing purposes, but when the application goes to production it is best to get a valid certificate from one of the SSL providers, so that the warning message does not appear.)

Select Continue to this website (not recommended), and verify the home page.


The application address will be on the https endpoint, but a warning message will be shown in red in the address bar. This is because we are using a self-signed certificate, so there is no need to worry while testing.

Now our application is accessible through the SSL endpoint. We are ready to deploy to Azure.

Step 6: Deploy the application to the Azure environment

You can deploy the Azure application from Visual Studio or from the Management Portal. When deploying the application from Visual Studio, make sure you have created the hosting service and uploaded the certificate exported in Step 3 under the hosting service in the Management Portal.

When deploying the application using the Management Portal, you can create the hosting service and add the certificate during the deployment itself.

In both cases, make sure the certificate is uploaded to the hosting service before deploying the package.

Step 7: Verify the hosted application

The Management Portal will show only the http URL as the DNS name for the role even when it is enabled for SSL. So we need to browse the same URL by requesting the https endpoint.

For example: https://6df726642f8f436aa3b9744b7c308e8f.cloudapp.net for staging or https://sslwebrole.cloudapp.net for production.



Download the working copy of the source code here.
