Azure doesn't load intermediate SSL certs properly

    Question

  • I installed a VeriSign cert for my simple Visual Studio website via the Azure portal and checked it with VeriSign's sslchecker. It failed, saying the chain was broken (also, browsers would not show the green URL). I RDP'd into my Azure role instance and manually installed the 2 intermediate certs available on VeriSign's site, and it passed the ssltester and also appears as it should in browsers. This won't work, though, as we all know instances in the cloud can come and go.

    What do I need to do in the Azure portal so that I DON'T have to RDP into the instance and manually load these certs?

    Thursday, February 23, 2012 10:37 PM

All replies

  • You have to install the intermediate certs during deployment through the certificates setting section of the role. See here: http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx


    Developer Security MVP | www.syfuhs.net

    Friday, February 24, 2012 3:24 AM
  • Hi Steve

    That's the article I have been following. When I add the cert to my role in Visual Studio, the only cert that shows up is the site cert (like cloud.mycustomname.com). The intermediate certs do not show as shown in the article's snapshot above step 7. I assume from your comments that this will cause problems, as my deployment doesn't seem to reference the intermediate certs.

    Incidentally, when I import my cert into Azure via the portal, it shows the intermediate certs. Any ideas on what I can try next? Thanks in advance!

    John

    Friday, February 24, 2012 1:53 PM
  • The site fails ssl tester because the root G5 cert is not disabled even though a G5 intermediate cert is uploaded to the role. Currently there is no solution for this other than running some script to disable the root G5 script when the instance starts... Anyone else have this problem? Am I doing something wrong, or is the script the only answer?

    Thanks

    John

    Friday, February 24, 2012 6:13 PM
  • Hi John,

    I realize this post is several months old and you might have found a solution, but what I have found is that you need to do a combination of things to install/export the certificate so the chain certificates are embedded properly in the export.

    I have written a blog on HTTPS on Windows Azure with chained certificates. I am in the process of updating the blog to include some screenshots and a working example; hopefully it will be easier on the eyes (wall of text right now) in a few days.


    • Edited by Peijen Friday, July 20, 2012 6:58 PM
    Wednesday, July 11, 2012 7:29 AM
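
The broken-chain result discussed in this thread, reproduced offline as an added example that is not part of any post: a client that trusts the root can validate the site certificate only when the server also sends the intermediate. The CA names, host name and file names are constructed, and the script assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed PKI: every name and file here is made up for the example.

new_csr() {  # $1 = path prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_pki() {  # $1 = working directory; builds root -> intermediate -> leaf
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  # Self-signed root: stands in for the CA root that clients already trust.
  new_csr "$d/root" "Example Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  new_csr "$d/int" "Example Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Site certificate, signed by the intermediate (not by the root).
  new_csr "$d/leaf" "cloud.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # What a server can present: the site cert alone, or site cert + intermediate.
  cp "$d/leaf.pem" "$d/served-leaf-only.pem"
  cat "$d/leaf.pem" "$d/int.pem" > "$d/served-full-chain.pem"
}

# served_chain_ok ROOT BUNDLE
# Succeeds if a client that trusts ROOT can build a path for the first
# certificate in BUNDLE using only the other certificates in BUNDLE.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_pki "$work"
for bundle in served-leaf-only.pem served-full-chain.pem; do
  if served_chain_ok "$work/root.pem" "$work/$bundle"; then
    echo "$bundle: chain OK"
  else
    echo "$bundle: chain broken (issuer of the site cert was not supplied)"
  fi
done
rm -rf "$work"
```

The same `served_chain_ok` check can be pointed at a PEM export of a real deployment's certificate bundle and the issuing CA's root to confirm the intermediates are present before uploading.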