The Windows Azure SQL Database Management API requires mutual authentication of certificates. Any valid X.509 v3 certificate can be used. You must first upload a public key certificate (.cer)
file to the Windows Azure certificate store, and associate it with a subscription. Then, you attach the matching private key certificate (.pfx) file with the SQL Database Management API request.
Note: The private key is not sent with the request. It is only used for authenticating the request.
Note: Most people use a self-signed server certificate. You can also use a certificate signed by a certificate authority.
This article walks you through the process of creating and using a self-signed management certificate. For general information, see Certificates. For more information on service certificates (role certificates), see How to Create a Certificate for a Role.
You can either use Internet Information Services Manager or a command line utility called Certificate Creation Tool (makecert.exe) to create a self-signed Server Certificate.
To create a certificate using inetmgr
Using this procedure, the certificate is automatically imported to the local certificate store. For more information on creating a certificate, see
Create a Self-Signed Server Certificate in IIS 7. For information on installing IIS 7, see
IIS 7 Installation and Deployment.
MakeCert is available as part of the Windows SDK, which you can download from
To create a certificate using makecert.exe
makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"
where <CertificateName> is the name that you want to use for the certificate. The output file must have a .cer extension. The command loads the private key into your user store. The -ss My switch indicates your personal store. In certmgr.msc, the certificate appears under Certificates - Current User\Personal\Certificates. Check the Issued to column. For more information about using the tool, see Certificate Creation Tool (Makecert.exe).
If you created the certificate using makecert.exe, you can use the certificate file. However, if you created the certificate using IIS Manager, you must export it to a file before you can import it to Windows Azure Certificate Store.
To export the certificate
To import the certificate to Windows Azure Certificate Store
When you make an API call, you can use the .cer file instead of the .pfx file if the associated certificate is installed in the local certificate store. When the .cer is added to the web request, the CLR automatically searches for the associated .pfx in the local certificate store. If the certificate exists, the call goes through; otherwise, it fails. You can use an arbitrary value for the password. However, it is not a requirement to import the certificate to the local certificate store. If the certificate is not in the local certificate store, you must provide the associated .pfx file with the correct password for the .pfx file.
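The lookup described above can be made explicit before the request is sent, so that a missing private key is reported at that point rather than as a failed call. The following PowerShell is an added example, not code from the original article; the function names Resolve-ManagementCertificate and New-ManagementRequest and all file paths are hypothetical, and the request URI is left to the caller.

```powershell
# Added example; function names and paths are hypothetical.
function Resolve-ManagementCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $CerPath,
        [string] $PfxPath,
        [System.Security.SecureString] $PfxPassword
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'

    # The .cer file holds only the public certificate; read it to get the thumbprint.
    $public = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CerPath).Path

    # Search CurrentUser\My, the store that "makecert -ss My" writes to.
    $store = New-Object "$x509.X509Store" -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        # validOnly = $false: a self-signed certificate does not chain to a trusted root.
        $found = $store.Certificates.Find('FindByThumbprint', $public.Thumbprint, $false)
    }
    finally {
        $store.Close()
    }

    # Only an entry that carries the private key can authenticate the request.
    foreach ($candidate in $found) {
        if ($candidate.HasPrivateKey) { return $candidate }
    }

    # Not in the local store: fall back to the .pfx file and its password.
    if (-not $PfxPath -or -not $PfxPassword) {
        throw "No private key for thumbprint $($public.Thumbprint) in CurrentUser\My; supply the .pfx file and its password."
    }
    return New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $PfxPath).Path, $PfxPassword
}

function New-ManagementRequest {
    param(
        [Parameter(Mandatory = $true)] [uri] $Uri,
        [Parameter(Mandatory = $true)] $Certificate
    )
    # Attach the client certificate; the private key signs the TLS handshake and is not sent.
    $request = [System.Net.WebRequest]::Create($Uri)
    [void] $request.ClientCertificates.Add($Certificate)
    return $request
}
```

Pass the result of Resolve-ManagementCertificate to New-ManagementRequest together with the management API URI for your subscription. Collecting the .pfx password with Read-Host -AsSecureString keeps it out of command history.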