23rd November 2017 Tuts Post

Creating PFX Certificate Files and installing SSL Certificates on your Microsoft Azure Web App Service

If you manage cloud hosting infrastructure such as Azure but don’t know much about HTTPS, SSL, CSR, PFX, CRT or P7B, you may find it confusing when asked to supply .pfx files to bind and secure your application. I’ve created this tutorial to answer the questions you may have about this process, starting with the obvious one: how do you create a .pfx file for Microsoft Azure?

Microsoft Azure is a very powerful cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centres. Microsoft initially released Azure in 2010, and it has since grown massively and continues to grow and change every single day.

1. Generating a Certificate Signing Request (CSR)

Because of the way Azure is built (as a cloud service), the CSR and private key cannot be generated on the “cloud” server. Instead, we need to use our own physical or virtual machine. I’m a daily Mac user, so I like to use a ‘Windows 10’ virtual machine to perform this type of task.

Open the Windows application Internet Information Services (IIS) and select ‘Server Certificates’ within the root ‘Connections’ tree list. Over on the right within the ‘Actions’ panel, select ‘Create Certificate Request’ - continue following the onscreen instructions until you have saved and opened up your TXT file in front of you.

Certificate CSR Example

2. Submitting CSR to a Certificate Authority (CA)

Once you have purchased an SSL certificate from your preferred CA, you’ll be required to submit your CSR into their system. Every CA will have a slightly different process to follow, but it should be fairly simple...

Now that you’ve submitted your CSR, you will likely be required to complete some kind of ‘Domain Access Verification’. This is normally achieved by adding a TXT record to the DNS of the domain you are purchasing the SSL certificate for.

BUT I want to create a PFX for an existing SSL certificate - That’s cool. Instead of buying a new SSL certificate, you’ll just need to ‘Rekey’ your existing certificate. You can do this by submitting a new CSR to the CA. Every CA has a different method, but it should still be a simple process.

Complete CSR

3. Downloading and Importing Certificate

Now that you have successfully completed all the domain verification processes, you will be able to download your certificate files. Some CAs allow you to do this in a number of different formats (Exchange, Apache, IIS, etc.). It’s normally good practice to download the files for the method you used to create the CSR, therefore I will be downloading the files for IIS.

After downloading, extract the ZIPPED files onto your Desktop. Back within IIS, under the ‘Actions’ panel as before, select ‘Complete Certificate Request’. Locate and select the certificate file (.crt) which you downloaded within the ZIPPED file, enter a recognisable and friendly name and click ‘Ok’.

4. Exporting PFX ready for Azure

You should now be able to see your imported certificate within the IIS ‘Server Certificates’ list. Let’s move onto exporting the all important and required PFX file for Azure.

Open up the console by typing ‘mmc’ into ‘Run’ (Windows + R). Within the console, click ‘File’ and ‘Add/Remove Snap-ins…’. Select and add ‘Certificates’, choosing to manage for ‘Computer Accounts’ during the process.

After loading the ‘Certificates’ Snap-in, within the console tree list, expand ‘Certificates > Personal > Certificates’. You should now see your certificate listed. Right Click the certificate, and Select ‘All Tasks > Export…’. During the process, make sure that you select ‘Yes’ when asked to export the private key and that the following options are selected - ensure that the option ‘Delete the private key if the export is successful’ is UNSELECTED ...otherwise this whole process is a waste of time :)

NOTE: During the process, ensure that you give your exported PFX a strong password. But remember to write it down, as you’ll need it when you import into Azure.

Export PFX file SSL
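The same export can also be scripted in PowerShell instead of clicking through MMC, with checks that the private key is present before and after the export. This is an added example, not part of the original tutorial; the friendly name and output path are assumed placeholders, and the session must be run as Administrator to read the Local Computer store.

```powershell
# Added example: scripted equivalent of the MMC export in step 4.
# Run in an elevated (Administrator) PowerShell session.
$friendlyName = 'example.com 2017'   # assumed: the friendly name entered in IIS
$pfxPath = Join-Path $env:USERPROFILE 'Desktop\example.pfx'   # assumed output path

# IIS stores the completed certificate under Local Computer > Personal.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($found.Count -ne 1) {
    throw "Expected one certificate named '$friendlyName', found $($found.Count)."
}
$cert = $found[0]

# A PFX without the private key cannot be used for an HTTPS binding.
if (-not $cert.HasPrivateKey) {
    throw 'No private key on this machine: was the CSR generated somewhere else?'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Prompt for the password so it is never stored in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# BuildChain bundles the intermediate certificates with the end-entity certificate.
# The certificate stays in the store; only a copy is written to $pfxPath.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption BuildChain -ErrorAction Stop | Out-Null

# Re-open the file with the same password and confirm what was exported.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $password)
$ok = $check.HasPrivateKey -and ($check.Thumbprint -eq $cert.Thumbprint)
$summary = "{0} (expires {1:yyyy-MM-dd})" -f $check.Subject, $check.NotAfter
$check.Reset()   # release the copy loaded for verification

if (-not $ok) {
    throw "Exported file $pfxPath does not contain the expected certificate and key."
}
Write-Output "PFX ready for upload: $summary"
```

The .pfx holds the private key, so remove it from the Desktop once it has been uploaded to Azure.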

5. Importing PFX into Azure

Congratulations! Now that you have your PFX file ready and waiting, we can import it straight into Azure.

Sign into your Azure account, select the App you wish to apply the SSL against and open ‘SSL Certificates’. Select ‘Upload Certificate’ and browse for the PFX (.pfx) file you created, making sure you enter your strong password - and finally finish by clicking ‘Upload’.

Import PFX into Microsoft Azure

You can now continue to add SSL Binding to your web app, or apps if you have a wildcard, to enable your site to use the certificate and load as HTTPS - well done :)

Credits: Photography by John Salvino on Unsplash