If you're not sure about HTTPS, SSL, CSR, PFX, CRT, P7B and manage a Cloud Hosting Infrastructure, such as Azure, then you may find it confusing when asked to supply .PFX files. Used to bind and secure your web applications.
I've created this tutorial to help, and hopefully answer any questions you may have in relation to this process. So, how do we create a .PFX file for Microsoft Azure?
Azure is a powerful cloud computing service created by Microsoft, for building, testing, deploying, and managing applications and services through a global network of data centres. Microsoft initially released Azure in 2010, and since has exploded, and is continuing to grow and change every single day.
1. Generating a Certificate Signing Request (CSR)
The nature in which Azure is build (a cloud service), means that the CSR and private key cannot be generated on the server. Instead, we need to use our own computer (likely what you're reading this article on), or virtual machine. I’m a daily Mac user, so like to use a ‘Windows 10’ virtual machine to perform this type of task. Open the Windows application Internet Information Services (IIS) and select ‘Server Certificates’ within the root ‘Connections’ tree list. Over on the right within the ‘Actions’ panel, select ‘Create Certificate Request’ - continue following the onscreen instructions until you have saved and opened up your TXT file in front of you.
Find out how to install IIS on your machine at lansweeper.com/knowledgebase/how-to-install-iis/
2. Submitting CSR to a Certificate Authority (CA)
Once you have purchased an SSL certificate at you preferred CA, you’ll be required to submit your CSR into their system. Every CA will have a slightly different process to follow, but it should be fairly simple. Now that you’ve submitted your CSR, you will likely be required to complete some form of ‘Domain Access Verification’. This is normally achieved by adding a TXT record into the domain’s DNS, for which you are purchasing and applying the SSL against. BUT I want to create a PFX for an existing SSL certificate? That’s fine. Instead of buying a new SSL, you'll just need to ‘Rekey’ your existing certificate. You can do this by re-submitting a new CSR to the CA provider. Every CA have different methods, but it should be a simple process.
3. Downloading and Importing Certificate
Now that you have successfully completed all the domain verification processes, you will now be able to download your certificate files. Some CAs allow you to do this in a number of different formats (Exchange, Apache, ISS, etc). It’s normally good practice to download the files for the method you used to create the CSR, therefor I will be downloading the files for IIS. After downloading, extract the ZIPPED (.zip) files onto your Desktop. Jumping back into IIS, under the ‘Actions’ panel as before, select ‘Complete Certificate Request’.
Locate and select the certificate file (.crt) which you download within the ZIPPED (.zip) file. Enter a recognisable and friendly name and click ‘Ok’.
You should now be able to see your imported certificate within the IIS ‘Server Certificates’ list. Let’s move onto exporting the PFX file for Azure.
4. Exporting PFX ready for Azure
Open up console by typing ‘mmc’ into ‘Run’ (Windows + R). In the console, click ‘File’ and ‘Add/Remove Snap-ins…’.
Select and add ‘Certificates’, choosing to manage for ‘Computer Accounts’ during the process. After loading the ‘Certificates’ Snap-in, within the console tree list expand ‘Certificates > Personal > Certificates’. You should now see your certificate listed.
Right Click the certificate and Select ‘All Tasks > Export…’. During the process, make sure that you select ‘Yes’ when asked to export the private key and that the following options are selected - ensure that the option ‘Delete the private key if the export is successful’ is UNSELECTED ... otherwise this whole process is a waste of time.
NOTE: During the process, ensure that you give your exported PFX a strong password. Remember to write that password down, as you’ll need to when you import into Azure.
Congratulation! Now that you have your PFX file ready and waiting, we can now import straight into Azure.
5. Importing the PFX into Azure
Sign into your Azure account, select the App you wish to apply the SSL against and open ‘SSL Certificates’. Select ‘Upload Certificate’ and browse for the PFX (.pfx) file you created, making sure you enter your strong password - and finally finish by clicking ‘Upload’.
You can now continue to add SSL Binding to your web app, or apps if you have a wildcard, to enable your site to use the certificate and load as HTTPS 🎉