So after very very long I have finally got some time to share something. Today I will share how to integrate SSL with Azure Website; trust me it can be a bit of pain to get this working specially if you are quite new to this. So in this article I will explain it with all pictures; which I feel is the best way to explain or learn.
So to try this two things is a must.
- You should have a registered domain. Do not use *.azurewebsites.net for registering SSL since almighty Microsoft provides the SSL support for azurewebsites.net domain. So if you are planning to use *azurewebsites.net then you do not need to have a seperate SSL certificate.
- The SSL Provider we are going to use here i.e RapidSSL send a mail to the domain administrator mail id which is actually a set of email id’s which RapidSSL support. Here is the list of all supported email id’s (email@example.com,firstname.lastname@example.org,
Ok Lets get started not.
First go to the URL www.freessl.com and click on TRY button to try with freessl or you are quite sure to buy it then just buy. I will use the free version which is valid for 1month.
Now on clicking on the TRY button you will get series of forms to be filled for which I have attached the screenshots.
Now this is the point we need to generate the CSR (Certificate Signing Request). We can do it using IIS Manager or OpenSSL as well. But lets use IIS though we would openssl in later stage but for this purpose lets use IIS Manager.
So press start in windows OS and then type IIS; and you will get IIS Manager. If you do not find it then go to Control Panel -> Program Features -> Turn windows features on or off.
So if you find the IIS manager then you just follow these snapshots
Now after you have save this file. Open this file in the Notepad and copy the content and paste it to the freessl website ; here
Now after pressing the submit you follow these
After this you should get a mail on the Domain email id you have selected after clicking the link provided on that you should get your CSR to the registered email address. And if you look at the end of the mail you will see the Web Server certificate. Copy that and save it as myserver.crt. Now right click on this file and press install certificate.
Now we need to generate the .pfx file which is needed to be uploaded to the azure. So lets do that.
First lets get the private key; which we get from teh CSR request we made
On the start serach mmc.exe then File -> Add/Remove SnapIn; select Certificates and then Local Computer.
Now go to folder level Personal -> Certificates and you should find the certificate www.whynotme.com.
Click on next and select yes then again next and select to PKCS #12. and then the location of the file and save it as file name privatekey.pfx
Now we need to generate a .pfx file which is password protected and accepted by Azure website. So lets use OpenSSL to generate this.
We need 3 files for this
- Private Key file
- Web Server Cert from RapidSSL
- Intermediate or Chain Cert as bundle which you can get it here and save it as Intermediate.pem
Now we have the private key as .pfx file but we need .key file to generate the final .pfx file. So lets extract the .key file from privatekey.pfx.
You can get the Open SSL installer from here. INstall it in C:\openssl drive with all its binaries. Open command prompt and type the following
And to generate the .key file
C:\>.\OpenSSL-Win64\bin\openssl.exe pkcs12 -in privatekey.pfx -nocerts -out privatekey.pem
C:\>.\OpenSSL-Win64\bin\openssl.exe rsa -in privatekey.pem -out private.key
Now we have all the files lets generate the final .pfx file which should be uploded to Azure by just running the following command
C:\>.\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out whynotme_ssl.pfx -inkey private.key -in myserver.crt -certfile intermediate.pem
So the final file which should be uploaded is whynotme_ssl.pfx
Go to your azure website -> Configure; search for Upload Certificate.
In the ssl bindings section of the CONFIGURE tab, use the dropdowns to select the domain name to secure with SSL, and the certificate to use. You may also select whether to use Server Name Indication (SNI) or IP based SSL.
- IP based SSL associates a certificate with a domain name by mapping the dedicated public IP address of the server to the domain name. This requires each domain name (contoso.com, fabricam.com, etc.) associated with your service to have a dedicated IP address. This is the traditional method of associating SSL certificates with a web server.
- SNI based SSL is an extension to SSL and Transport Layer Security (TLS) that allows multiple domains to share the same IP address, with separate security certificates for each domain. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI, however older browsers may not support SNI. For more information on SNI, see the Server Name Indication article on Wikipedia
Click Save to save the changes and enable SSL.
Thats it. Now try https://yourdomain.com
Hope it works for you as it worked for me. Please leave a comment good or bad or improvements all are appreciated.
Reference : Enable HTTPS for an Azure web site