Creating a CSR & Installing Your SSL Certificate Using the ÃÛÌÒTV® Certificate Utility for Windows
These instructions assume that you already own your Windows Azure website, and that you have configured the domain name for your website. For more information, visit Microsoft¡¯s Windows Azure page, or contact Microsoft.
If you are looking for Windows Azure cloud services instructions, see Windows Azure Cloud Services: Create CSR & Install SSL Certificate.
For a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL Certificates, we recommend that you use the ÃÛÌÒTV® Certificate Utility for Windows. For more information about our utility, see ÃÛÌÒTV® Certificate Utility for Windows.
-
To create your certificate signing request (CSR), see Windows Azure Website: Creating Your CSR with the ÃÛÌÒTV Utility.
-
To install your SSL Certificate, see Windows Azure Website: Using the ÃÛÌÒTV Utility & Windows Azure to Install Your SSL Certificate.
1. Window Azure Website: Creating Your CSR with the ÃÛÌÒTV Utility
The ÃÛÌÒTV® Certificate Utility for Windows streamlines the CSR creation process. Because, the utility lets you generate the CSR with one click.
Windows Azure Website: How to Create Your CSR with the ÃÛÌÒTV Utility
-
On your Windows server, download and save the ÃÛÌÒTV® Certificate Utility for Windows executable (ÃÛÌÒTVUtil.exe).
-
Run the ÃÛÌÒTV® Certificate Utility for Windows.
Double-click ÃÛÌÒTVUtil.
-
In the ÃÛÌÒTV Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.
-
On the Create CSR page, enter the following information:
Certificate Type: Select SSL. Common Name: Enter the fully qualified domain name (FQDN) (i.e. www.example.com). You may also enter the IP address. Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, type any SANs that you want to include. (i.e. www.example.com, www.example2.com, and www.example3.net) Organization: Type your company¡¯s legally registered name (i.e. YourCompany, Inc.). Department: (Optional) Enter the department within your organization that you want to appear on the SSL Certificate. City: Type the city where your company is legally located. State: In the drop-down list, select the state where your company is legally located. If your company is located outside the USA, you can type the applicable name in the box. Country: In the drop-down list, select the country where your company is legally located. Key Size: In the drop-down list, select 2048. Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider. -
Click Generate.
-
On The certificate request has been successfully created page, do one of the following, and then, click Close:
Click Copy CSR. Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it. Click Save to File. Saves the CSR as a .txt file to the Windows server or workstation. We recommend that you use this option. -
Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the ÃÛÌÒTV order form.
Ready to Order Your SSL Certificate
Learn More -
After you receive your SSL Certificate from ÃÛÌÒTV, you can install it.
2. Windows Azure Website: Using the ÃÛÌÒTV Utility & Azure to Install Your SSL Certificate
If you have not yet used the ÃÛÌÒTV® Certificate Utility for Windows to create a CSR and ordered your certificate, see Windows Azure Website: Creating Your CSR with the ÃÛÌÒTV Utility.
After receiving your SSL Certificate, you need to install it on your Microsoft server and then, you can configure it for your Windows Azure website.
To install and configure your SSL Certificate, do the following:
-
Use the ÃÛÌÒTV Utility to import your SSL Certificate to your Windows server.
How to Import Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
-
Use the ÃÛÌÒTV Utility to export your SSL in a .PFX format.
How to Export your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
-
Configure SSL for your Windows Azure website.
i. How to Import Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
-
On the server where you created the CSR, open the ZIP file containing your SSL Certificate and save the contents of the file (i.e. your_domain_name.cer).
-
Run the ÃÛÌÒTV® Certificate Utility for Windows.
Double-click ÃÛÌÒTVUtil.
-
In ÃÛÌÒTV Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.
-
In the Certificate Import wizard, click Browse to browse to the .cer (i.e. your_domain_com.cer) certificate file that ÃÛÌÒTV sent you, select the file, click Open, and then, click Next.
-
In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add ÃÛÌÒTV and the expiration date to the end of your friendly name, for example: azure.cert-digicert-expiration.date. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
To import the SSL Certificate to your server, click Finish.
You should receive a message that the certificate was successfully imported.
-
You should now see your SSL Certificate in the ÃÛÌÒTV Certificate Utility for Windows©, under SSL Certificates.
You are now ready to export your SSL Certificate as a .pfx file.
ii. How to Export Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
After importing your SSL Certificate to your Microsoft server, you use the ÃÛÌÒTV Certificate Utility to export your SSL Certificate as a .pfx file.
-
Run the ÃÛÌÒTV® Certificate Utility for Windows.
Double-click ÃÛÌÒTVUtil.
-
In ÃÛÌÒTV® Certificate Utility for Windows, click SSL (gold lock), select the SSL Certificate to export to a .pfx file, and then click Export Certificate.
-
In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, and then, click Next.
-
In the Password and Confirm Password boxes, enter and confirm your password, and then, click Next.
Note: This password is used when you import the SSL Certificate onto other Windows type servers or other servers or devices that accept a .pfx file.
-
Next, click ¡ to browse for and select the location where you want to save the .pfx file, and then, click Save.
-
To export the SSL Certificate with private key, click Finish.
-
After you receive the "Your certificate and key have been successfully exported" message, click OK.
Your SSL Certificate has been exported as a .pfx file.
iii. How to Configure SSL for Your Windows Azure Website
Once you have the .pfx file, you can use it to configure SSL for your Windows Azure website.
Configuring SSL for Your Windows Azure Website
-
In a browser, open and log into the Windows Azure Management Portal.
-
On the web sites tab, under NAME, select your website.
-
On your website¡¯s page, click CONFIGURE.
-
On the CONFIGURE tab, in the certificates section, under SUBJECT, click upload a certificate.
-
In the Upload a certificate window, under FILE, click BROWSE FOR FILE, and then, browse for and select the .pfx certificate file that you exported using the ÃÛÌÒTV Certificate Utility.
-
In the PASSWORD box, enter the password that you created to export the .pfx file.
-
To upload the SSL Certificate, click the checkmark.
-
On the CONFIGURE tab, under ssl bindings, in the Choose a domain name drop-down list, select the domain name that you want to secure with SSL.
-
In the Choose a certificate drop-down list, select the SSL Certificate that you want to use to secure your website.
-
In the final drop-down list, select one of the following options:
IP SSL
(Traditional Method)IP based SSL associates the SSL Certificate with the domain name. It maps the dedicated public IP address of the server to the domain name. This option requires each domain name (example.com, example1.com) that is associated with your service to have its own dedicated IP address. SNI SSL SNI based SSL allows multiple domains to share one IP address. Each domain has its own SSL Certificate. Most modern browsers support SNI, but some older versions do not. For information on browser support for SNI, see IIS 8 and IIS 8.5 SNI Browser Support. -
Click Save.
Your Microsoft Azure website is now configured to accept secure connections.
IP based SSL and Custom Domain Configured Using an A Record
If you selected IP SSL, and you used an A record to configure your custom domain name, you need to complete these additional steps.
-
Locate the dedicated IP address assigned to your website.
After you used IP based SSL binding to configure SSL for your website, a dedicated IP address was assigned to your website. You can see this IP address, on the Dashboard page of your website, in the quick glance section, under VIRTUAL IP ADDRESS.
This IP address is different from the virtual IP address that was used to configure the A record for you domain.
-
Modify the A record for your custom domain name to point to this IP address.
Use the tools provided by your domain name registrar to make this modification.
Verifying Your Certificate is Configured Correctly
To verify that you correctly configure the SSL Certificate, use https to visit your website.
Test Your Installation
If your website is publicly accessible, our ÃÛÌÒTV® SSL Installation Diagnostics Tool can help you diagnose common problems.
Troubleshooting
If you run into certificate errors, try repairing your certificate trust errors using ÃÛÌÒTV® Certificate Utility for Windows. If this does not fix the errors contact support.