SSL

Provide communication security with SSL for your websites deployed with the CMS Azure package

To allow secure communication for your websites on Microsoft Azure with SSL, in addition to the standard steps for deploying a website with the CMS Azure package, you should:

  1. Prepare and upload a certificate to the cloud service where the web role is or will be running.
  2. Configure the web role to install the uploaded certificate.
  3. Configure the website to use the secure protocol.

Please note that the pre-built service package supports multiple certificates in the web role (up to 10 certificates).

Its service configuration file includes 10 certificate slots, each set to the thumbprint of the default certificate.

<Certificates>
  <Certificate name="CertificateSlot0" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot1" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot2" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot3" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot4" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot5" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot6" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot7" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot8" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot9" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
</Certificates>

The default certificate and its thumbprint in the configuration serve as a placeholder for real certificates if needed.

If you don’t need SSL in your web role, keep the default certificate settings.

Otherwise, you can overwrite the thumbprint value of one of the slots so that the service package installs your certificate in the web role. This works both for an already deployed web role and for a web role that is yet to be deployed.

<Certificates>
	<Certificate name="CertificateSlot0" thumbprint="F182190033077DC6785CFE87FFCA1CD69346DAAA" thumbprintAlgorithm="sha1" />
	<Certificate name="CertificateSlot1" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
	<!-- … -->
</Certificates>

Let's consider each SSL setup step in detail.

Uploading a certificate to the cloud service

Before having the certificate installed in the web role, you should prepare and upload a certificate to be used for secure communication (SSL).

Preparing the certificate is up to you and is not part of this guide. The certificate file should be in PFX format.

To upload the certificate to the cloud service:

  1. In Microsoft Azure Portal, open the cloud service in use (All Resources / [your cloud service]).   
  2. Click “Certificates” below “Settings”.
  3. Click “Upload” to upload your certificate.
  4. Browse to, and select, the certificate (.pfx).
  5. Specify the password for it.
  6. Click “Upload” down below.
  7. Make a note of its thumbprint, or copy it to the clipboard (it is visible on the “Certificates” tab after the certificate has been successfully uploaded). You'll be using it in the next few steps.

The certificate thumbprint should read something like this: F182190033077DC6785CFE87FFCA1CD69346DAAA

Installing the certificate in the web role

An existing web role

If you have already deployed a web role with the pre-built service package in a cloud service, you can change its configuration via Microsoft Azure Portal to include up to 10 certificates.

This will install the specified certificate in the web role.

To add a new certificate to the configuration of the existing web role:

  1. Make sure you have uploaded the certificate to the cloud service as described above.
  2. In Microsoft Azure Portal, open the cloud service in use (All Resources / [your cloud service]).
  3. Click “Configuration” below “Settings”.
  4. In the “Configuration” view below “Certificates”, locate a free certificate slot (0 to 9). Normally, its Thumbprint value is set to that of the default (“dummy”) certificate that comes with the service package you’ve deployed the web role with.
  5. Replace the Thumbprint value of the default certificate with the thumbprint of your certificate.
  6. Click “Save”.

Note. This will start the process of installing the certificate in the web role and might take some time.

A new web role

You can deploy the web role in a cloud service specifying the thumbprint of your certificate in the service configuration file.

  1. Make sure you have uploaded the certificate to the cloud service as described above.
  2. Edit the service configuration file.
  3. Below <Certificates>, locate a free certificate slot (0 to 9), normally the one set to the default (“dummy”) certificate.
  4. Replace the value of the thumbprint attribute with the thumbprint of your certificate.
  5. Save the changes.

<Certificates>
	<Certificate name="CertificateSlot0" thumbprint="F182190033077DC6785CFE87FFCA1CD69346DAAA" thumbprintAlgorithm="sha1" />
	<Certificate name="CertificateSlot1" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
	<!-- … -->
</Certificates>

Now deploy the web role with the service package using this configuration file.

Configuring the website to use the secure protocol

Once you’ve uploaded your certificate to the cloud service in use and have it installed in the web role, you are ready to configure the website to use SSL.

While configuring the website uploaded to the blob storage, you should additionally set up bindings to work with the secure protocol. Normally, it means adding a binding with the hostname in use with:

  • the port number used for SSL (443 by default) and
  • the thumbprint (hash) of your certificate

Example:

<Bindings>
    <Binding hostname="contoso.com" />
    <Binding hostname="contoso.com" port="443" certificateHash="F182190033077DC6785CFE87FFCA1CD69346DAAA" sni="true" />
</Bindings>

{blob-storage}/{website-container}/Configuration/WebsiteConfiguration.xml
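
A consistency check for the two configuration files described on this page, as an added example that is not part of the CMS Azure package: it reports bindings whose certificateHash is malformed, still points at the default placeholder certificate, or is not set in any certificate slot. The function names and the sample XML are constructed for illustration; the thumbprints are the ones shown above.

```python
import re
import xml.etree.ElementTree as ET

# Thumbprint of the default ("dummy") certificate, as shown on this page.
DEFAULT_THUMBPRINT = "8057987CA86216898EE2E06A93DAC725D8F00FE3"
SHA1_HEX = re.compile(r"[0-9A-F]{40}")

# Constructed sample input, reusing the page's own values.
SERVICE_CONFIG = """<Certificates>
  <Certificate name="CertificateSlot0" thumbprint="F182190033077DC6785CFE87FFCA1CD69346DAAA" thumbprintAlgorithm="sha1" />
  <Certificate name="CertificateSlot1" thumbprint="8057987CA86216898EE2E06A93DAC725D8F00FE3" thumbprintAlgorithm="sha1" />
</Certificates>"""
WEBSITE_CONFIG = """<Bindings>
  <Binding hostname="contoso.com" />
  <Binding hostname="contoso.com" port="443" certificateHash="F182190033077DC6785CFE87FFCA1CD69346DAAA" sni="true"/>
</Bindings>"""

def normalize(value):
    """Upper-case a thumbprint and drop spaces or invisible characters from copy-paste."""
    return "".join(ch for ch in (value or "").upper() if ch.isalnum())

def elements(xml_text, name):
    """All elements with the given local name, with or without an XML namespace."""
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name]

def installed_thumbprints(service_config_xml):
    """Thumbprints set in certificate slots, excluding the default placeholder."""
    slots = elements(service_config_xml, "Certificate")
    return {normalize(c.get("thumbprint")) for c in slots} - {DEFAULT_THUMBPRINT}

def check_bindings(service_config_xml, website_config_xml):
    """Return the problems found in the SSL bindings; an empty list means consistent."""
    installed = installed_thumbprints(service_config_xml)
    problems = []
    for b in elements(website_config_xml, "Binding"):
        host, raw = b.get("hostname"), b.get("certificateHash")
        if raw is None:
            continue  # binding without a certificate, nothing to verify
        thumb = normalize(raw)
        if not SHA1_HEX.fullmatch(thumb):
            problems.append(f"{host}: certificateHash is not a 40-digit hex thumbprint")
        elif thumb == DEFAULT_THUMBPRINT:
            problems.append(f"{host}: binding uses the default placeholder certificate")
        elif thumb not in installed:
            problems.append(f"{host}: {thumb} is not set in any certificate slot")
    return problems

if __name__ == "__main__":
    print(check_bindings(SERVICE_CONFIG, WEBSITE_CONFIG) or "bindings are consistent")
```

Running the check before deployment catches a binding that references a certificate the web role will never install.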