The Windows Azure SQL Database Management API requires mutual authentication of certificates. Any valid X.509 v3 certificate can be used. You must first upload a public key certificate (.cer) file to the Windows Azure certificate store, and associate it with a subscription. Then, you attach the matching private key certificate (.pfx) file with the SQL Database Management API request.

If you wish to contribute to this page, use the Edit tab at the top (sign-in required). If you wish to provide feedback for this documentation please either send e-mail to or use the Comment field at the bottom of this page (sign-in required).

Note: The private key is not sent with the request. It is only used for authenticating the request.

Note: Most people use a self-signed server certifcate. You can also use a certificate signed by a certificate authority. 

This article walks you through the process of creating and using a self-signed management certificate.  For more information in general, see Certificates. For more information on service certificates (role certificates), see How to Create a Certficate for a Role.

In This Article

Create a Self-Signed Server Certificate

You can either use Internet Information Services Manager or a command line utility called Certificate Creation Tool (makecert.exe) to create a self-signed Server Certificate.

To create a certificate using inetmgr

  1. Click Start, and then click Run.
  2. Type inetmgr, and then click OK.
  3. In the left pane, click your server name to select it.
  4. In the main pane, double-click Server Certificates under the IIS section.
  5. In the Actions pane, click Create Self-Signed Certificate.
  6. In Specify a friendly name for the certificate, type a friendly name, and then click OK. You shall see a newly created certificate listed in the main pane.
  7. Close IIS Manager.

Using this procedure, the certificate is automatically imported to the local certificate store. For more information on creating a certificate, see Create a Self-Signed Server Certificate in IIS 7.  For information on installing IIS 7, see IIS 7 Installation and Deployment.

MakeCert is available as part of the Windows SDK, which you can download from

To create a certificate using makecert.exe

  1. Open the Visual Studio Command Prompt window as an administrator.
  2. Change the directory to location where you want to save the certificate file.
  3. Type the following command:
    makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"
  4. where <CertificateName> is the name that you want to use for the certificate. It must have a .cer extension. The command load the private key into your user store. The -ss My switch indicates your personal store.  In the certmgr.msc, it appears in the path of Certificates -Current User\Personal\Certificates. Check the Issued to column. For more information about using the tool, see Certificate Creation Tool (Makecert.exe).

Export the Certificate

If you created the certficate using makecert.exe, you can use the certificate file.  However, if you created the certificate using IIS Manager, you must export it to a file before you can import it to Windows Azure Certificate Store.

To export the certificate

  1. Click Start, and then click Run.
  2. Type certmgr.msc, and then click OK.
  3. In the left pane, expand Trusted Root Certification Authorities or Personal, and then expand Certificates.
  4. In the main pane, locate the certificate using the Friendly Name column.
  5. Right-click the certificate, poing to All Tasks, and then click Export.
  6. Click Next,
  7. Select No, do not export the private key, and then click Next.
  8. Select DER encoded binary X.509(.CER), and then click Next.
  9. Type the location and the file name for the certificate, and then click Next. The certificate extension is .cer.
  10. Click Finish.

Import the Certificate to Windows Azure Certificate Store

To import the certificate to Windows Azure Certificate Store

  1. Browse to
  2. Sign in to Windows Azure.
  3. In the left pane, click Hosted Services, Storage Accounts & CDN.
  4. In the left pane, click Management Certificates.
  5. From the top menu, click Add Certificate.
  6. From Add New Management Certificate, select a subscription, and select a certificate to import, and then click OK.

Use the APIs

The MSDN provides coding samples for using the SQL Database Management APIs.  For more information, see Management REST API Reference at

When you make an API call, you can use the .cer file instead of .pfx file if the associated certificate is installed in the local certificate store.  When the .cer is added into the webrequest, CLR will automatically search for the associated pfx in the local certificate store.  If the certificate exists, then call will go through, otherwise, it will fail.  You can use an arbitrary value for the password.  However it is not an requirement to import the certificate to the local certificate store.  If the certificate is not in the local certificate store, you much provide the associated .pfx file with the correct password for the .pfx file.