Applying real SSL certificate when deploying an application to Windows Azure.

May 16, 2011 at 4:30 PM

Hello,

I would like to check if there is a recommended procedure for getting and applying an SSL certificate for a Windows Phone 7 cloud-based application, built using the kit, when deploying it to the actual Windows Azure platform (STG/production). For the real application, we need to have an SSL certificate issued by a trusted authority and supported by WP7, like GoDaddy, and here is the challenge:

Should we create an SSL certificate directly for the Azure service like myservice.cloudapp.net, or should we create an additional domain like myservice.mydomain.com, use a CNAME to myservice.cloudapp.net and issue the SSL certificate for myservice.mydomain.com? I would prefer to apply SSL directly to the Azure service myservice.cloudapp.net, but most of the SSL providers require us to have access to the domain *.cloudapp.net, which we don't have, in order to receive an email for validation.

I think this is (will be) a pretty common scenario and I would like to check the best practices.


Thanks,

ivot

May 17, 2011 at 7:18 PM

+1

Dealing with this, in fact.

May 18, 2011 at 8:50 PM

Absolutely register your own domain, and get a cert for that domain.

As you said, certificate requests will not be approved by services like GoDaddy for the cloudapp.net domain.

Coordinator
May 18, 2011 at 8:56 PM

Hey guys, thanks for the discussion.  I'm going to put together a wiki article, blog post, and screencast in the next day or two detailing exactly how to accomplish this scenario.  I'll cover using both a self-signed certificate that you deploy into Windows Azure as well as a certificate you purchase for your own domain.

I'll reply here when it's available.

Wade

May 27, 2011 at 4:52 AM
Edited May 27, 2011 at 5:13 AM

So, this is what I did to install a real world certificate (which didn't help me, btw... grrr)


The first thing of course is to get the certificate. For the sake of this example I'm going to use myhost.mydomain.net.  So, we have a valid SSL certificate for this host.

Second, when creating a hosted service, it is given a name on cloudapp.net. For this example I'm going to name this hosted service wp7demo1, so its fully resolved name is wp7demo1.cloudapp.net.

Install your certificate (myhost.mydomain.net) into the Hosted Service Certificates repository.

Next, get into your DNS provider and create a CN record for myhost.mydomain.net that points to wp7demo1.cloudapp.net.

Test it using nslookup: when you type your name, it should show the cloudapp.net version. Then, try a telnet to myhost.mydomain.net on port 443 (if that is what you configured anyway).

If both tests work, then you should now be able to browse to your app using SSL on port 443.

Test https://myhost.mydomain.net/AzureTablesProxy.axd. Also test https://myhost.mydomain.net. In my case, both work and redirect me to the non-SSL version (as they should ????)

source: http://blog.bareweb.eu/2011/01/implementing-windows-azure-custom-domain-names/


Now, someone please tell me how to convince my telephone (either emulator or HD7) to recognize the certificate I was issued by StartCom, which Windows, IE9 and Chrome state is valid. Not even "installing" it on the phone works: when browsing to any SSL page on the phone, IE on the phone still asks for confirmation of the cert's validity, and of course the sample application cannot find the service*. grrr.

* fails on the client at:

App.Phone.ViewModel.LoginPageViewModel
public void Login(Action successCallback, Action<string> exceptionCallback)

May 31, 2011 at 7:55 PM

GRRRRR, found my issue:

The list of root certificates for WP7 is not the same as the one Windows has. It is much more restricted. I was using a cert issued by StartCom (even though they generate them for free, I paid for a higher level, grrr).

  • WP7: http://msdn.microsoft.com/en-us/library/gg521150(v=VS.92).aspx   (dated 05/11/2011)
  • Windows: http://social.technet.microsoft.com/wiki/contents/articles/windows-root-certificate-program-members-list-all-cas.aspx

If you deploy a real world solution, make sure to use a CA that is on the WP7 root list (above) or it simply will not connect.

This is an important bit of information. It should be quite visible in the documentation so devs make sure to use approved certs.

Now... let's buy *another* SSL cert....grrrr
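The nslookup/telnet checks from the May 27 post and the "is the CA on the phone's root list" lesson from the May 31 post, combined into one script. This is an added example, not code from the thread; it assumes dig and openssl are installed, and the CA organisation names passed to check_host are placeholders to be filled in from the WP7 root list linked above.

```sh
#!/bin/sh
# Added example, not from the thread: verify that a custom hostname CNAMEs to the
# Azure hosted service, that the certificate served on 443 names that host, and
# that the top of the served chain is issued by a CA on the client's root list.

# Pure check: $1 is the output of `dig +short <host>` (one record per line),
# $2 the expected <service>.cloudapp.net name.
cname_points_to() {
  printf '%s\n' "$1" | sed 's/\.$//' | grep -qxF "$2"
}

# Pure check: $1 is an `openssl x509 -noout -issuer` line, the rest are the
# organisation (O=) names of CAs the phone trusts. Handles both the old
# "O=Name" and the newer "O = Name" output formats.
issuer_allowed() {
  _issuer="$1"; shift
  for _ca in "$@"; do
    case "$_issuer" in *"O=$_ca"*|*"O = $_ca"*) return 0 ;; esac
  done
  return 1
}

# Pure check: the leaf certificate's subject CN must name the custom host.
subject_matches() {
  case "$1" in *"CN=$2"*|*"CN = $2"*) return 0 ;; esac
  return 1
}

# Live check, mirroring the nslookup and telnet-to-443 steps of the post.
# usage: check_host myhost.mydomain.net wp7demo1.cloudapp.net "CA Org 1" "CA Org 2"
check_host() {
  _host="$1"; _service="$2"; shift 2
  cname_points_to "$(dig +short "$_host")" "$_service" \
    || { echo "FAIL: $_host does not CNAME to $_service"; return 1; }
  _chain=$(printf '' | openssl s_client -connect "$_host:443" -servername "$_host" -showcerts 2>/dev/null) \
    || { echo "FAIL: no TLS handshake on $_host:443"; return 1; }
  # openssl x509 reads the first PEM block, i.e. the leaf certificate.
  _subject=$(printf '%s\n' "$_chain" | openssl x509 -noout -subject)
  # The last certificate the server sends is the top of its chain; its issuer
  # is the root the phone must already trust.
  _top=$(printf '%s\n' "$_chain" | awk '/-----BEGIN CERT/{b=""} {b=b $0 "\n"} /-----END CERT/{l=b} END{printf "%s", l}')
  _issuer=$(printf '%s\n' "$_top" | openssl x509 -noout -issuer)
  subject_matches "$_subject" "$_host" \
    || { echo "FAIL: certificate does not name $_host: $_subject"; return 1; }
  issuer_allowed "$_issuer" "$@" \
    || { echo "FAIL: chain root not on the phone's list: $_issuer"; return 1; }
  echo "OK: $_host -> $_service, cert for $_host chains to an allowed CA"
}
```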