Certificates in Windows Azure
Since Azure requires a heightened level of security, certificates are a key concept. When I first looked into them I found their management a bit confusing, and I have seen similar questions popping up in the forums. Hence, the content below gives a quick overview of where certificates live in the Azure portal and in Visual Studio, how they map to what you want to accomplish, and links for going into deeper detail on the subject.
The first time I saw the “Management Certificates” node (see the top left red circle in figure 1), it seemed to me to say “manage certificates”, i.e. the place where you manage all your Azure certificates; but this is not the case. For those familiar with certificates this will be clear: “Management Certificates” are one type of certificate, and yes, this is where that type is shown. Once I understood this, it seemed to me that Azure only uses management certificates, which is not true either. The other type is called “Service Certificates”, which begs the question: where is the node for those?
Management certificates contain only the public key, and the file you upload has the “.cer” extension; the matching private key stays on the machine (Visual Studio, the command-line management tools) that uses the certificate to authenticate to the Windows Azure management API. The other type of certificate, the service certificate, carries the private key as well, so the file is password-protected (on top of what a public certificate already requires) and has the “.pfx” extension. You do not manage those under “Management Certificates” in the Windows Azure Management Portal and, as you will notice, they cannot be uploaded there. They are required when you want to remote into the machine running your Azure role (VM, worker or web). This private certificate is uploaded to the “Certificates” folder of the particular hosted service in the “Hosted Services” node, as shown below (see the left red circle in figure 1). When you select the “Certificates” folder, you will see the “Add Certificate” button in the Management Portal (see the top left box in figure 1).
Figure 1: Public vs. Private certificates in Azure
What confused me at this point is that in both cases (public and private certificates) the “Add Certificate” button looks the same. The only difference is the small title below the button: for the public certificate it reads “Certificates” and for the private certificate it reads “Hosted Service Certificate”.
In essence: management/public certificates (.cer) are added via the “Management Certificates” tab and apply to the whole subscription, so they can be reused by many of your projects, whereas service/private certificates (.pfx) go under one of your “Hosted Services”, because they are dedicated to that hosted service only (for security reasons, sharing the same credentials across services is not recommended). Note that the private key matching a management certificate is effectively a credential for your whole subscription: anyone holding it can deploy, modify or delete your services, so guard it at least as carefully as the .pfx files.
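To make the .cer/.pfx split concrete, here is an added PowerShell example (not from the original post) that creates one self-signed certificate and exports it both ways: the public-only .cer you would upload under “Management Certificates”, and the password-protected .pfx you would upload under the hosted service. It uses the PKI cmdlets that ship with Windows 8.1 / Server 2012 R2 and later (New-SelfSignedCertificate, Export-Certificate, Export-PfxCertificate) rather than the older makecert tool; the subject name and output folder are assumptions. It finishes with the checks worth running before you upload anything: that the .cer really contains no private key, that the .pfx does, and that both share the same thumbprint.

```powershell
# Added example, not part of the original post. Assumes Windows 8.1 / Server 2012 R2
# or later for the PKI cmdlets. Subject name and output folder are illustrative.

$subject = "CN=azure-demo"          # assumed subject name
$outDir  = "C:\certs"               # assumed output folder
$pfxPass = Read-Host -AsSecureString "Password to protect the .pfx"

New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# The private key is created in the CurrentUser\My store and marked exportable
# so the .pfx can be produced. RSA 2048 is what Azure expects.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# 1) Public half only (.cer, DER encoded): this is the file that goes under
#    "Management Certificates". The private key never leaves this machine.
Export-Certificate -Cert $cert -FilePath "$outDir\azure-demo.cer" -Type CERT | Out-Null

# 2) Public certificate plus private key (.pfx, PKCS#12, password protected):
#    this is the file that goes under the hosted service's "Certificates" folder,
#    e.g. for Remote Desktop.
Export-PfxCertificate -Cert $cert -FilePath "$outDir\azure-demo.pfx" -Password $pfxPass | Out-Null

# Sanity checks before uploading anything.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$outDir\azure-demo.cer")
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$outDir\azure-demo.pfx", $pfxPass)

if ($cer.HasPrivateKey)      { throw "The .cer must not contain a private key" }
if (-not $pfx.HasPrivateKey) { throw "The .pfx must contain the private key" }
if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw "Thumbprints differ; these are not the same certificate" }

"Thumbprint: $($cert.Thumbprint)  (this is the value the portal and Visual Studio display)"
```

The thumbprint printed at the end is the identifier you will see in the portal after the upload and the value Visual Studio matches against your local store, so keeping it handy saves a lot of hunting when several certificates look alike. Treat the .pfx file and the password the same way you would treat the RDP password it protects: delete the exported .pfx once it has been uploaded, and keep the private key of the management certificate only in the store of the machine that needs to talk to Azure.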
For further reference, this is the MSDN page that talks about these two types of certificates (but not in the context of the Azure portal).
Using public and private certificates side by side in Visual studio
To put it all in context, let’s take the example of setting up the ability to remote desktop to an Azure role, because it involves two steps that use certificates. When you publish your project (see Figure 2), the first window will require your public certificate (see Figure 3).
Figure 2: publishing
Figure 3: Public certificates in VS
To then allow a remote desktop connection to the role you are about to publish, click on “Configure Remote Desktop connections…” and specify the private certificate there (see Figure 4). As you will notice, only files with the .pfx extension are accepted.
Figure 4: Private certificates in VS
Useful links on certificates
Certificates in Azure management – http://blog.bareweb.eu/2011/01/using-certificates-in-windows-azure-management/
SSL in Azure – http://msdn.microsoft.com/en-us/rfid/wazplatformtrainingcourse_deployingapplicationsinwindowsazurevs2010_topic5
Creating certificates in for Azure roles – http://msdn.microsoft.com/en-us/library/gg432987(v=MSDN.10).aspx
Reviewer: Jason Roth
2 Comments
Pingback: Dew Drop – June 14, 2011 | Alvin Ashcraft's Morning Dew
Another view on same topic: http://aka.ms/azurecertsoverview
Regards
Benjamin