Programmatically add certificate to Azure roles

All replies

  • Hi,

    You can use the Azure REST API for that.

    Please refer to:

    http://msdn.microsoft.com/en-us/library/windowsazure/ee795178.aspx

    Add Service Certificate

    If you don't know how to use the REST API, please refer to this example: http://code.msdn.microsoft.com/windowsazure/CSAzureManagementAPI-609fc31a

    Hope it helps.


    Please mark post as answered if it helped!

    Sunday, July 28, 2013 4:21 AM
  • Thanks for your reply, but I said "note I am NOT talking about upload certs to subscription". This REST API uploads certs at your subscription level, and I already have code working w/ this API. But I want to add certs under the web role.

    Max

    Sunday, July 28, 2013 5:08 AM
  • Hi Max,

      >> but I said "note I am NOT talking about upload certs to subscription".. this REST API is upload certs to your subscription level

    Based on my understanding, the API pointed out by Yuan (Add Service Certificate) is used to upload service certificates, not management certificates. Actually, this API alone is insufficient for achieving the goal you mentioned: to use the newly updated certificate in a cloud service, the csdef and cscfg files need to be modified, which requires redeploying the cloud service. This can also be done programmatically: for example, first use any I/O or XML API to modify the csdef and cscfg files, and then delete and create the deployment using the management API. Delete deployment: http://msdn.microsoft.com/en-us/library/windowsazure/ee460815.aspx. Create deployment: http://msdn.microsoft.com/en-us/library/windowsazure/ee460813.aspx. Please note we can't simply upgrade a deployment because the csdef file is changed.

    Best Regards,

    Ming Xu


    Ming Xu
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, July 29, 2013 2:42 AM
  • Thanks Ming for your response. 

    We have a web role w/ SSL already working in Azure, deployed via the Azure portal manually, including manually uploading the certs, so the cscfg and csdef files are all fine. My question is very simple: how to upload the web role's own certs for SSL programmatically.

    Thanks

    -Max



    Max

    Monday, July 29, 2013 5:21 AM
  • Hi Max,

      >> my question is very simple: how to upload web role own certs for SSL programmatically.

    From your statement we can deduce that the issue lies with the web role's certificate. I'd like to point out that a web role does not use its own certificate. To enable SSL, an input endpoint needs to be created, which uses the service certificate. This is done in the csdef and cscfg files. Please refer to http://www.windowsazure.com/en-us/develop/net/common-tasks/enable-ssl/ for more information. As to programming, please follow the steps below and see whether they help:

    1. Use the API (Add Service Certificate) to upload service certificates

    2. Modify the csdef and cscfg files via any I/O or xml API

    3. Redeploy the cloud service programmatically via management API (Delete deployment: http://msdn.microsoft.com/en-us/library/windowsazure/ee460815.aspx. Create deployment: http://msdn.microsoft.com/en-us/library/windowsazure/ee460813.aspx. Please note we can't simply upgrade a deployment because the csdef file is changed.)

    Best Regards,

    Ming Xu


    Ming Xu

    Monday, July 29, 2013 8:43 AM
  • Thanks, Ming.

    1. I already have #1 code in place: upload certs at subscription level.

    2. On #3, no problem. The deployment tool already deploys non-SSL roles.

    3. The key is #2, modification of cscfg and csdef. There is no documentation I can find in this regard; any info/pointers would be helpful.

    Thanks

    -Max

    Max

    Monday, July 29, 2013 3:50 PM
  • Hi,

      >> the key is #2, modification of cscfg and csdef. there is no documentation I can find in this regard

    You can find the csdef/cscfg schema related to SSL endpoints at http://www.windowsazure.com/en-us/develop/net/common-tasks/enable-ssl/. They're XML files. Please first try to do that by editing the files manually in the Visual Studio text editor, and deploy the web role using VS tools or the portal to make sure the scenario works. That will show us what XML files need to be generated. Then you can programmatically use any XML API to create the XML files. For example, LINQ to XML: http://msdn.microsoft.com/en-us/library/bb387098.aspx.

    Best Regards,

    Ming Xu


    Ming Xu

    Tuesday, July 30, 2013 2:05 AM
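
Step 2 of the procedure above, sketched with LINQ to XML as an added example (not part of any post in this thread and not Microsoft's sample code): it writes the service certificate's thumbprint into the cscfg `<Certificate>` entry for a role, so the configuration points at the same certificate that Add Service Certificate uploads. The role name `WebRole1`, the certificate name `SampleCertificate`, the sample cscfg and the in-memory self-signed certificate are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

static class CscfgCertificate
{
    static readonly XNamespace Ns =
        "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration";

    // Add or update <Certificate name=... thumbprint=...> under the named role.
    // certName must match the <Certificate name> declared in the csdef file.
    public static void SetThumbprint(XDocument cscfg, string role, string certName, X509Certificate2 cert)
    {
        XElement roleEl = cscfg.Root.Elements(Ns + "Role")
            .SingleOrDefault(r => (string)r.Attribute("name") == role)
            ?? throw new InvalidOperationException("Role not found: " + role);
        XElement certs = roleEl.Element(Ns + "Certificates");
        if (certs == null) { certs = new XElement(Ns + "Certificates"); roleEl.Add(certs); }
        XElement entry = certs.Elements(Ns + "Certificate")
            .SingleOrDefault(c => (string)c.Attribute("name") == certName);
        if (entry == null)
        {
            entry = new XElement(Ns + "Certificate", new XAttribute("name", certName));
            certs.Add(entry);
        }
        // Thumbprint is the SHA-1 hash of the certificate, as uppercase hex.
        entry.SetAttributeValue("thumbprint", cert.Thumbprint);
        entry.SetAttributeValue("thumbprintAlgorithm", "sha1");
    }

    static void Main()
    {
        // Constructed sample cscfg; a real tool would use XDocument.Load(path).
        var cscfg = XDocument.Parse(
            "<ServiceConfiguration serviceName='Demo' xmlns='" + Ns + "'>" +
            "<Role name='WebRole1'><Instances count='1' /></Role></ServiceConfiguration>");

        // Constructed stand-in for the PFX; a real tool would load it with
        // new X509Certificate2(pfxPath, password).
        using (RSA key = RSA.Create(2048))
        using (X509Certificate2 cert = new CertificateRequest("CN=demo.example", key,
                   HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
               .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
        {
            SetThumbprint(cscfg, "WebRole1", "SampleCertificate", cert);
        }
        Console.WriteLine(cscfg);
    }
}
```

Deriving the thumbprint from the certificate object rather than pasting it by hand keeps the cscfg entry and the uploaded PFX from drifting apart.
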
  • Thanks, Ming. As mentioned, we deployed the SSL web role manually, pretty much following the resource you mentioned: http://www.windowsazure.com/en-us/develop/net/common-tasks/enable-ssl/ but see Step 3.6: manually upload the certs. That is my question: how to upload the certs programmatically?


    Max

    Tuesday, July 30, 2013 4:27 PM
  • Looks like Azure PowerShell has a cmdlet, Add-AzureCertificate, which adds certs to an Azure service, not a subscription. I have not tried it yet; it is a bit of work to set up the Azure PowerShell environment, but I will. However, if it works, it means there is a REST API for it. The question is: what is it, or which one is it among all the REST APIs?

    Thanks

    -Max


    Max

    Tuesday, July 30, 2013 10:40 PM
  • Hi Max,

      >> but See Step 3.6 : manually upload the certs, that is my question: how to upload the certs programmatically ?

    This is where we can use the Add Service Certificate API (http://msdn.microsoft.com/en-us/library/windowsazure/ee460817.aspx). As mentioned earlier, it adds the certificate to the service, not to the subscription. Please give it a try via the provided code sample at http://msdn.microsoft.com/en-us/library/windowsazure/ee460817.aspx :

    using System;
    using System.IO;
    using System.Net;
    using System.Security;
    using System.Security.Cryptography.X509Certificates;

    public static string AddCertificate(string subscriptionId, string applicationName, X509Certificate2 managementCertificate, string pfxPath, string password)
    {
        // Construct the request URI.
        var req = (HttpWebRequest)WebRequest.Create(string.Format("https://management.core.windows.net/{0}/services/hostedservices/{1}/certificates", subscriptionId, applicationName));

        // Set the request method and the content type for the request.
        req.Method = "POST";
        req.ContentType = "application/xml";

        // Add the x-ms-version header.
        req.Headers.Add("x-ms-version", "2009-10-01");

        // Add the management certificate used to authenticate the request.
        req.ClientCertificates.Add(managementCertificate);

        // Construct the request body. The PFX bytes are sent base64-encoded;
        // the password is XML-escaped so characters such as & or < do not break the document.
        using (var writer = new StreamWriter(req.GetRequestStream()))
        {
            writer.Write(string.Format(@"<?xml version=""1.0"" encoding=""utf-8""?>
                                       <CertificateFile xmlns=""http://schemas.microsoft.com/windowsazure"">
                                       <Data>{0}</Data>
                                       <CertificateFormat>pfx</CertificateFormat>
                                       <Password>{1}</Password>
                                       </CertificateFile>",
                                       Convert.ToBase64String(File.ReadAllBytes(pfxPath)),
                                       SecurityElement.Escape(password)));
        }

        // Submit the request and return the request ID.
        using (var response = req.GetResponse())
        {
            return response.Headers["x-ms-request-id"];
        }
    }

    There are two certificates involved in the above code. The highlighted 'managementCertificate' parameter in this function is the Azure Management Certificate; the highlighted method, File.ReadAllBytes(pfxPath), acts as the 'uploading a service certificate' feature you mentioned: we need to provide a local path of the certificate that needs to be uploaded.

    Best Regards,

    Ming Xu


    Ming Xu

    Wednesday, July 31, 2013 6:32 AM
  • Thanks so much, Ming. That API is what I have been looking for. -Max

    Max

    Wednesday, July 31, 2013 8:32 AM
  • Hi Max,

    It is my pleasure. If you have any difficulty in future programming, we welcome you to post in forums again. In addition, I will also mark Yuan's reply as an answer since he has provided useful information.

    Best Regards,

    Ming Xu


    Ming Xu

    Wednesday, July 31, 2013 12:01 PM