Welcome to Shaun Luttin's public notebook. It contains rough, practical notes. The guiding idea is that, despite what marketing tells us, there are no experts at anything. Sharing our half-baked ideas helps everyone. We're all just muddling thru. Find out more about our work at bigfont.ca.

Using StartSSL with a Windows Azure Website

Tags: ssl, azure, azure-websites, start-ssl, open-ssl

> DRAFT

This document is an overview of creating a free SSL certificate for a Windows Azure Web Site. For more details, please refer to the excellent resources at the end of this post. You will need:

The free, out-of-the-box Azure Web Apps come with HTTPS by default, so there’s no need to do anything with the free tier.

Overview of the process

The following is a little bit like walking a tightrope.

When we first register with StartSSL, the website uploads an Authentication Certificate (AC) into our web browser. The AC is a replacement for a username and password; that is, it lets us authenticate and thereby to access the StartSSL control panel. I had never done that before so it was a bit odd for me.

From the control panel, we do domain validation to prove that we own a specific web domain or domains (e.g. bigfont.ca). After that, we can exchange a Certificate Signing Request for an SSL Certificate that works for any domains we own.

The OpenSSL part of this process lets us create a encrypted key, which becomes a decrypted key, which becomes the certificate signing request (CSR) that we exchange for the SSL Certificate.

In order to upload the SSL Certificate to Microsoft Azure,  we need to wrap the SSL Certificate into a Personal Information Exchange File. The last steps are to upload it, bind it to the domain (an easy step to forget), and test to make sure it all works.

If you’re anything like me, the following will take you about three hours. Smile

Steps in the process

Authenticate: get an Authentication Certificate for StartSSL

Go to the StartSSL home page. If this is your first time using StartSSL, then you will need to sign-up. If you’ve already done that and have saved your Client Authentication Certificate, then you’ll need to import it into your web browser and Authenticate. This lets us access the StartSSL control panel. That is, it takes the place of username/password authentication. A Client Authentication Certificate is a personal certificate that we import into our browser. Most people I know have never before done this.

Validate: do domain validation at StartSSL for each domain we want to secure.

This is the step-by-step process of verifying domain ownership that we use.

  • StartSSL > Control Panel > Validation Wizard > Domain Name Validation.
  • Choose a domain to verify and choose an email with which to verify it.

You’ll only get to choose from emails that StartSSL thinks belong to the owner of the domain. One of these will be the registrant contact e-mail that’s on record at the domain service provider (DSP). Since our DSP is Namespro, we can change this email as follows:

  • Namespro.ca > Login > My Domains.
  • Find domain and click on its registrant.
  • The appropriate e-mail will be under “registrant contact.”
  • Wait a while for the configuration to propagate thru the Internet and then try domain validation.

Create Certificate Signing Request: use OpenSSL to generate a Certificate Signing Request (CSR)

If we’re renewing an SSL Certificate and if we saved last years CSR, then we can skip this step and use the CSR that we created last year. If we need to create a new CRS, it’s possible to create it from within StartSSL instead of using OpenSSL. Here’s how to do it with OpenSSL because that’s our preference. This command generates a private key and a certificate signing request.

openssl req -new -keyout bigfont.key -out bigfont.csr -newkey rsa:2048

What it technically means:

  • -new new request
  • -nodes don’t do DES encryption on the output key
  • -keyout send the private key to this file
  • -out output file for the CSR.
  • -newkey rsa:<bits> generate a new RSA key of bits size

What it means in friendly language:

  1. request a new, unencrypted private key, saved to bigfont.key and,
  2. request a certificate signing request saved to bigfont.csr.

OpenSSL will create both items (the private key and the signing request) in the command line’s current directory.

Request Certificate: Convert the CSR into an SSL Certificate at StartSSL

Note: Turn off pop-up blockers before proceeding. In Firefox 34, this is Options > Content > Block popup windows. Then proceed as follows:

  • StartSSL > Control Panel > Certificates Wizard.
  • Choose Web Server SSL/TLS Certificate.
  • Skip the first step (generate private key) if you used OpenSSL to generate the private key and CSR.
  • Follow the remaining onscreen instructions.
    • If at any point a Continue button does nothing, then restart the Certificates Wizard. That sometimes happens. Sad smile
    • When choosing a subdomain, a good bet is to choose www.
    • You’ll know your finished when you have a file named ssl.crt (or named anything.you.want.crt instead.)
  • If you ever again need to retrieve the certificate, go to StartSSL > Control Panel > Toolbox > Retrieve Certificate

Wrap in PFX File: Use OpenSSL to convert the SSL Certificate into a Personal Information Exchange File

The PFX file is what the Azure Web App wants us to upload. Here’s how to get one of those.

  • StartSSL > Control Panel > Toolbox > StartCom CA Certificates
  • Click Class 1 Intermediate Server CA.
  • This will download a .pem file.
  • Use the OpenSSL pkcs12 utility to convert the ssl.crt file into a .pfx file. You need the passphrase for your encrypted key (-inkey) and to come up with a password for your .pfx file. Be sure to save both of these somewhere safe!
openssl
pkcs12 -export -in bigfont.crt -inkey bigfont.key -certfile sub.class1.server.ca.pem -out bigfont.pfx -password pass:something

What it technically means:

  • pkcs12 The OpenSSL utility for creating .pfx files.
  • -export Create a .pfx file rather than parsing an existing one.
  • -in The file from which to read the certificate.
  • -inkey The file from which to read the private key.
  • -certfile The file from which to read additional certificates.
  • -out The file to which to write certificate and private keys.
  • -password The passphrase with which to encrypt the outputted .pfx file.

Upload to Azure & Bind: This is how to configure the certificate with the Azure Web App

Upload

  • From the Azure Web App Dashboard for your site…
  • Go to configure > certificates > upload a certificate.
  • Find the newly created .pfx file.
  • Enter its password (that you created in the last step.)
  • The upload will complete Smile.

Bind

  • From the Azure Web App Dashboard for your site…
  • Go to configure > ssl bindings
  • Choose the newly uploaded certificate.
  • Save.

Note: we cannot delete a previous certificate until we’ve unbound it from the domain name.

Test: Make sure the remote certificate works

We can use the OpenSSL s_client to test the certificate from PowerShell or the command line as follows:

openssl
s_client -connect www.bigfont.ca:443

The notes section of the s_client docs talks about using this utility to debug/test SSL certificates.

There are also several online SSL checkers online. Here are a few that we have tried (listing here is NOT an endorsement):

As of today (July 2015) we’ve only obtained a B-rating at the above test sites. Maybe someday we’ll determine how to obtain an A.

Appendix 1: List of files that result from the above steps (back these up on a USB stick for safe keeping!)

After creating an SSL certificate with StartSSL and after having uploaded it to a Windows Azure Website, I had the following files saved on my USB stick for safe keeping.

  • bigfont.ca-encrypted.key This is an encrypted private key, which we use to transfer our private key securely e.g. across a network.
  • bigfont.ca-decrypted.key This is the same private key, but decrypted, with which we can create a certificate signing request.
  • bigfont.ca.crt This is the SSL certificate (aka public key) which SmartSSL provides in response to our CSR.  Note that a .CRT file is equivalent to a .CER file.
  • bigfont.ca.csr This is the certificate signing request. We send it to StartSSL to request an SSL certificate.
  • bigfont.ca.pfx This is the personal information exchange file, which we created from our SSL Certificate, and which we upload to Azure.
  • StartSsl-AuthenticationCertificate-backup.p12. This is a the StartSSL Authentication Certificate backup that we use to access the control panel.
  • sub.class1.server.ca.pem. This is the Intermediate Server Certificate that we need to roll into our PFX before uploading it to the Azure Website.

I also stored the following passwords/phrases in a safe place.

  • The pfx export password.
  • The p12 export password.
  • The encrypted key private pass phrase.

Appendix 2: An example Certificate Signing Request

Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Salt Spring Island
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BigFont Technology
Organizational Unit Name (eg, section) []: .
Common Name (e.g. server FQDN or YOUR name) []:www.bigfont.ca
Email Address []:some@email.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: my$super&strong&*passphrase
An optional company name []:BigFont Technology

Resources