For a while now it has been possible to add SSL certificates to your own domains on Azure. However, making it work is no walk in the park, and the details depend on which SSL provider you’re using. I was using GoDaddy and these are the steps I took to configure it all.
Before you go ahead and buy an SSL certificate from GoDaddy, you need to think about what kind of certificate you need. The cheapest one only supports one address, i.e. https://www.mywebsite.com. But what if you also want to enable https://mywebsite.com or maybe https://login.mywebsite.com? I chose to buy a certificate that could handle up to 5 different domain name combinations in a single certificate. You can read more about Subject Alternative Names (SAN) here. When using Azure it’s also worth noting that you pay per certificate, not per domain inside the certificate (pricing details).
In my scenario I’m also using GoDaddy as my DNS provider and I’ve configured all variations of my domain name to lead to the same Azure website.
The process for setting up SSL is as follows:
- Create a Certificate Signing Request (CSR) on the web server
- Send CSR to CA (Certificate Authority – GoDaddy) and specify alternative domain names if you’ve bought that option
- Download certificate from CA
- Import certificate to web server
- Import the intermediate certificates from CA
- Export the certificate as PFX file and give it a password
- Import PFX file into Azure together with password
- Bind configured domain names to the certificate
The first question you might have after reading this list is – what web server? Azure? No, it’s not Azure. For some strange reason, Azure can’t help you with generating the CSR file. Instead you have to create that file yourself! But don’t panic. It’s quite easy if you have IIS Manager on your computer.
1 – Create the CSR file
When Microsoft goes through how to do these steps they suggest using Certreq.exe in Windows. I tried it but GoDaddy refused to accept that CSR file. Instead I had to use IIS to make it work. You can read Microsoft’s version of how it should be done here.
Open the IIS Manager by typing IIS in the search field and click on the shortcut when it shows up. Inside IIS Manager, double-click on Server Certificates and then on Create Certificate Request...
In the dialog that comes up you enter your main domain name in the Common name box and the rest is your company’s information.
On the next page you select Microsoft RSA SChannel Cryptographic Provider and 2048 (required by Azure). There is a detailed explanation of what to fill out in each field here.
On the last page you select where to store the CSR file.
2 – Send CSR to GoDaddy
Assuming you’ve bought an SSL certificate you can now continue to launch the SSL configuration on GoDaddy’s website. In the first step you need to copy and paste in the content of the CSR file previously created. If you’ve bought an SSL certificate with additional domains you can add the other domains (not the main domain you’ve specified in the CSR file). As seen on this picture I have a total of 4 extra domains I can add.
The next step is just to confirm everything. I suggest you copy and paste each of the domain names given here, into a browser to make sure they’ll take you to the right place. It’s not fun if you’ve misspelled one of the domain names by mistake.
The last picture is just a confirmation that the creation process has started. What will happen now is that the administrator of the domain will get an email from GoDaddy asking whether this domain really should have an SSL certificate. The email has a link that needs to be clicked on before the SSL certificate will be created.
3 – Download certificate
Very straightforward. Log in to GoDaddy’s Manage Certificate section, select the new certificate (should have status Current) and click on the Download button. You’ll then be given the options of which server you will download the certificate for. Select IIS 7 and
GoDaddy has a good instruction page on how to handle these certificates but since we’re actually going to use Azure and not IIS7 we have to do it a bit differently.
The file you will download is a zip file containing two files. We’ll use both files later on so you can unpack them in a safe location.
4 – Import certificate into IIS
We created the CSR in IIS and we’ll also import the final result from GoDaddy into IIS. Under the link in IIS where you created the CSR file, you’ll find a link named Complete Certificate Request. Click on the link and navigate to the .crt file. IIS is expecting a .cer file but by selecting *.* in the filter box you can find the new one (it came as one of the files inside the downloaded zip file).
You’re also asked for a Friendly name to identify the certificate.
5 – Import the intermediate certificates
Now it’s time for the second file we downloaded from GoDaddy. It should have a name similar to gd-g2_iis_intermediates.p7b. Simply right-click on it and select Install certificate. Follow the dialog through to install it.
You can read more about this step in section Get a certificate using Certreq.exe under step 7 on this page.
6 – Export the certificate as PFX file
Go back into IIS, right-click on the certificate you imported under step 4 and select Export. In the dialog box that opens up, select the path and name of the new .pfx file you’ll create, as well as a secure password for it. The .pfx file contains the certificate’s private key, so it should be kept safe together with the other files you’ve downloaded from GoDaddy.
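Before uploading, the exported file can be checked against what the earlier steps set up: private key present, 2048-bit RSA, every intended host name in the SAN list, and a chain that builds. The PowerShell below is an added example, not code from the original post or from Microsoft or GoDaddy; the function name Test-PfxForAzure, the file path and the host list are assumptions for illustration.

```powershell
# Added example: check an exported .pfx before uploading it to Azure.
# The file path and host names in the usage lines are placeholders.
function Test-PfxForAzure {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string[]]     $ExpectedNames
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $Path, $Password
    $problems = @()

    # The export must include the private key that was created with the CSR.
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }

    # Step 1 selects a 2048-bit RSA key because Azure requires it.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { $problems += 'Public key is not RSA' }
    elseif ($rsa.KeySize -lt 2048) { $problems += "RSA key is only $($rsa.KeySize) bits" }

    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Expired on $($cert.NotAfter)" }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format() output is "DNS Name=host" on English Windows; other locales differ.
    $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($true) }) -join "`n"
    $sanNames = @([regex]::Matches($sanText, 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
    foreach ($name in $ExpectedNames) {   # exact match only, wildcards not expanded
        if ($sanNames -notcontains $name.ToLowerInvariant()) { $problems += "Not in SAN list: $name" }
    }

    # A partial chain here usually means the intermediates from step 5 are missing.
    $chain = New-Object -TypeName "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += 'Chain errors: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject = $cert.Subject; NotAfter = $cert.NotAfter
        SanNames = $sanNames; Problems = $problems
    }
}

$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Test-PfxForAzure -Path 'C:\certs\mywebsite.pfx' -Password $pw `
    -ExpectedNames 'mywebsite.com', 'www.mywebsite.com', 'login.mywebsite.com'
```

An empty Problems list means the file matches what steps 1 to 6 were meant to produce.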
7 – Import PFX file into Azure
I tried to do this step in the new Azure portal and it worked well. However, step 8 didn’t work (tried on June 26, 2014), so I had to use the old portal for that.
Domains and SSL and then on the Upload button. You’ll then be able to browse to your pfx file and to enter your password. Click on Save when done.
8 – Bind configured domain names to the certificate
The final step is to link each configured domain to the certificate. This step I had to do in the old portal. The reason was that Azure needed to ask me if I was aware of the potential extra costs of using a certificate, before it could be approved, and that dialog box never showed up in the new portal. But the steps are the same on the old and the new so no problems.
Now, it should all be up and running for all your configured domains.