Microsoft Azure is a very powerful cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centres. Microsoft initially released Azure in 2010, and it has since grown massively and continues to grow and change every single day.
Because Azure is a cloud service, the CSR and private key cannot be generated on the “cloud” server. Instead, we need to use our own physical or virtual machine. I’m a daily Mac user, so I like to use a ‘Windows 10’ virtual machine to perform this type of task.
Open the Windows application Internet Information Services (IIS) and select ‘Server Certificates’ within the root ‘Connections’ tree list. Over on the right within the ‘Actions’ panel, select ‘Create Certificate Request’ - continue following the onscreen instructions until you have saved and opened up your TXT file in front of you.
Once you have purchased an SSL certificate from your preferred CA, you’ll be required to submit your CSR into their system. Every CA will have a slightly different process to follow, but it should be fairly simple...
Now that you’ve submitted your CSR, you will likely be required to complete some kind of ‘Domain Access Verification’. This is normally achieved by adding a TXT record to the DNS of the domain you are purchasing the SSL certificate for and applying it against.
BUT I want to create a PFX for an existing SSL certificate - That’s cool. Instead of buying a new SSL, you'll just need to ‘Rekey’ your existing certificate. You can do this by submitting a new CSR to the CA. Every CA has a different method, but it should still be a simple process.
Now that you have successfully completed all the domain verification processes, you will be able to download your certificate files. Some CAs allow you to do this in a number of different formats (Exchange, Apache, IIS, etc.). It’s normally good practice to download the files for the method you used to create the CSR, therefore I will be downloading the files for IIS.
After downloading, extract the ZIPPED files onto your Desktop. Back within IIS, under the ‘Actions’ panel as before, select ‘Complete Certificate Request’. Locate and select the certificate file (.crt) which you downloaded within the ZIPPED file, enter a recognisable and friendly name and click ‘Ok’.
You should now be able to see your imported certificate within the IIS ‘Server Certificates’ list. Let’s move on to exporting the all-important PFX file that Azure requires.
Open up the console by typing ‘mmc’ into ‘Run’ (Windows + R). Within the console, click ‘File’ and ‘Add/Remove Snap-ins…’. Select and add ‘Certificates’, choosing to manage for ‘Computer Accounts’ during the process.
After loading the ‘Certificates’ Snap-in, within the console tree list, expand ‘Certificates > Personal > Certificates’. You should now see your certificate listed. Right-click the certificate and select ‘All Tasks > Export…’. During the process, make sure that you select ‘Yes’ when asked to export the private key and that the following options are selected - ensure that the option ‘Delete the private key if the export is successful’ is UNSELECTED ...otherwise this whole process is a waste of time :)
NOTE: During the process, ensure that you give your exported PFX a strong password. But remember to write it down, as you’ll need it when you import into Azure.
Congratulations! Now that you have your PFX file ready and waiting, we can import it straight into Azure.
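The same export can be scripted in an elevated PowerShell session on the machine that generated the CSR. This is an added example, not part of the original walkthrough; the friendly name and output path are assumed placeholders, and the script checks that the private key is present before exporting and that the PFX opens with the chosen password afterwards.

```powershell
#Requires -RunAsAdministrator
# Added example: export a certificate and its private key from the
# Local Computer 'Personal' store to a password-protected PFX.

$FriendlyName = 'example-azure-cert'                    # assumed: name given in 'Complete Certificate Request'
$PfxPath      = "$env:USERPROFILE\Desktop\example.pfx"  # assumed output location

# Certificates > Personal > Certificates for the computer account is Cert:\LocalMachine\My.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })

if ($found.Count -ne 1) {
    throw "Expected exactly one certificate named '$FriendlyName', found $($found.Count)."
}
$cert = $found[0]

# A PFX without the private key cannot be used for an HTTPS binding.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store. Complete the request on the machine that created the CSR."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# Prompt for the password so it never appears in the script or in shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# BuildChain includes the intermediate certificates; the private key stays in the store.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password -ChainOption BuildChain | Out-Null

# Re-open the PFX with the same password and confirm it holds the certificate we exported.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw "PFX at $PfxPath does not contain certificate $($cert.Thumbprint)."
}
Write-Host "Exported $($cert.Subject) to $PfxPath (expires $($cert.NotAfter))."
```

The PFX contains the private key, so remove it from the Desktop once it has been uploaded.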
Sign in to your Azure account, select the App you wish to apply the SSL against and open ‘SSL Certificates’. Select ‘Upload Certificate’ and browse for the PFX (.pfx) file you created, making sure you enter your strong password - and finally finish by clicking ‘Upload’.
You can now continue to add SSL Binding to your web app, or apps if you have a wildcard, to enable your site to use the certificate and load as HTTPS - well done :)