Question

We need to update our Azure Cloud service with a brand new cert.

The one I have been given specifies sha256 as the signature hash algorithm.

We previously had one with sha1.

When I tried to update and package the Azure deployment, the error I get states that the thumbprint is not valid.

Error 8 The XML specification is not valid: The 'thumbprint' attribute is invalid - The value '‎‎REDACTED' is invalid according to its datatype 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration:ThumbprintType' - The Pattern constraint failed.

In the ServiceConfiguration.Cloud.cscfg file, the XML looks like this:

<Certificates>
  <Certificate name="cert" thumbprint="REDACTED" thumbprintAlgorithm="sha1" />
</Certificates>

with the thumbprint attribute squiggly lined as the error above.

I've tried thumbprintAlgorithm=256, but this didn't work, presumably not a valid value.

Does it need to be sha1? Can Azure support sha256?

EDIT: I found the following in the service definition schema, which indicates sha256 is allowed:

<xs:attribute name="thumbprintAlgorithm" type="ThumbprintAlgorithmTypes" use="required">
  <xs:annotation>
    <xs:documentation>
      The hash algorithm that generates a digest of data (or thumbprint)
      for digital signatures such as MD5, SHA1, SHA256. This is different than
      the algorithm used in creating the signature inside the certificate.
    </xs:documentation>
  </xs:annotation>
</xs:attribute>

however, the only type value allowed by the schema is sha1 as follows:

<xs:simpleType name="ThumbprintAlgorithmTypes">
  <xs:restriction base="xs:string">
    <xs:enumeration value="sha1">
      <xs:annotation>
        <xs:documentation>
          Algorithm currently used in certmgr.msc to display thumbprint.
        </xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>

Any ideas? Googling sha256 and that XML node is not getting me far.


Solution

http://msdn.microsoft.com/library/azure/gg465718.aspx

According to the link above:

The only thumbprint algorithm currently supported is sha1. If you are not certain which thumbprint algorithm your certificate supports, you can use the certmgr.msc snap in with the Microsoft Management Console (MMC) to inspect the certificate.

I've also seen this error when copying and pasting the thumbprint from certmgr.msc into the .cscfg files. This is because non-printable chars are actually copied to the clipboard and pasted into the thumbprint attribute. Removing these chars by putting your cursor just before the first visible character in the hash and backspacing alleviates the issue.

See:

http://codingfields.com/c-and-windows-azure-lessons-adding-ssl-certs/
http://answers.flyppdevportal.com/categories/azure/azuredevelopment.aspx?ID=8542a464-0d61-4c29-8ac2-3019a39d48a3

OTHER TIPS

Yes, Azure does support certificates that use SHA256.

To clarify, Azure is looking at the thumbprint algorithm in the ServiceConfiguration.Cloud.cscfg, not the signature hash algorithm. The thumbprint is the value used to pull the certificate from the certificate store and is unrelated to the Signature Hash Algorithm.

In the ServiceConfiguration.Cloud.cscfg file, the XML looks like this:

<Certificates>
  <Certificate name="cert" thumbprint="REDACTED" thumbprintAlgorithm="sha1" />
</Certificates>

Notice the above XML in the config specifies the thumbprint algorithm, which is SHA1 even in the case of your certificate that uses SHA256 for Signature Hash Algorithm. If your thumbprint were hashed using SHA256, you would have other schema validation problems, because the hash is a different length than SHA1.

Here is a good explanation of the topic as it relates to Azure: http://blogs.msdn.com/b/plankytronixx/archive/2015/04/23/confusion-with-azure-cloud-service-sha1-and-sha256-certificates.aspx
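The two answers above point at two separate things a deployment engineer would want to verify before packaging: that the thumbprint attribute in the .cscfg contains nothing but the 40 hex digits of a SHA-1 digest (no invisible characters carried over from certmgr.msc), and that the thumbprint is simply SHA-1 over the certificate's DER bytes, unrelated to whether the certificate itself is signed with SHA-1 or SHA-256. The following script is an added example and is not code from either answer or from Microsoft; the sample .cscfg fragment is constructed, the leading U+200E LEFT-TO-RIGHT MARK characters are deliberately inserted to reproduce the copy/paste problem, and the 40-hex-digit pattern is assumed from SHA-1's 160-bit output (the exact regex in ServiceConfigurationSchema.xsd is not quoted on this page). The function and variable names are the example's own.

```python
import hashlib
import re
import unicodedata
import xml.etree.ElementTree as ET

# Assumed shape of the schema's ThumbprintType: a SHA-1 digest rendered as hex (160 bits = 40 hex digits).
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

SC_NS = "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"

# Constructed sample .cscfg fragment. The thumbprint value starts with two U+200E
# LEFT-TO-RIGHT MARK characters, invisible in an editor but fatal to the schema's pattern check.
SAMPLE_CSCFG = (
    f'<ServiceConfiguration xmlns="{SC_NS}">'
    '<Role name="WebRole1"><Certificates>'
    '<Certificate name="cert" thumbprint="\u200e\u200e0123456789ABCDEF0123456789ABCDEF01234567"'
    ' thumbprintAlgorithm="sha1" />'
    '</Certificates></Role></ServiceConfiguration>'
)


def hidden_chars(value):
    """List every character that is not a hex digit, with its Unicode name, so the report shows what was pasted."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in value if not re.fullmatch(r"[0-9A-Fa-f]", c)]


def clean_thumbprint(value):
    """Drop format (Cf), control (Cc) and space (Zs) characters and upper-case the rest."""
    kept = "".join(c for c in value if unicodedata.category(c) not in ("Cf", "Cc", "Zs"))
    return kept.upper()


def check_cscfg(text):
    """Validate every <Certificate> element; return one dict per certificate with the cleaned value and any problems."""
    root = ET.fromstring(text)
    results = []
    for cert in root.iter(f"{{{SC_NS}}}Certificate"):
        raw = cert.get("thumbprint", "")
        algo = cert.get("thumbprintAlgorithm", "")
        problems = []
        stray = hidden_chars(raw)
        if stray:
            problems.append(f"non-hex characters in thumbprint: {stray}")
        cleaned = clean_thumbprint(raw)
        if not THUMBPRINT_RE.match(cleaned):
            problems.append(f"not 40 hex digits after cleaning (length {len(cleaned)})")
        if algo != "sha1":
            # The schema enumeration quoted in the question allows only sha1.
            problems.append(f"thumbprintAlgorithm must be sha1, got {algo!r}")
        results.append({"name": cert.get("name"), "raw": raw, "cleaned": cleaned, "problems": problems})
    return results


def sha1_thumbprint(der_bytes):
    """Thumbprint as certmgr.msc displays it: SHA-1 over the DER encoding of the certificate.

    The input's signature algorithm (SHA-1 or SHA-256 with RSA) plays no part here; the digest is
    always 160 bits, which is why the .cscfg value is always 40 hex digits.
    """
    return hashlib.sha1(der_bytes).hexdigest().upper()


if __name__ == "__main__":
    for entry in check_cscfg(SAMPLE_CSCFG):
        print(f"certificate {entry['name']!r}: raw length {len(entry['raw'])}, cleaned {entry['cleaned']}")
        for problem in entry["problems"]:
            print("  problem:", problem)
    # Placeholder bytes stand in for a real DER-encoded certificate (constructed, not a real cert).
    print("thumbprint of placeholder DER:", sha1_thumbprint(b"placeholder DER bytes"))
```

Run it against a real ServiceConfiguration.Cloud.cscfg by passing the file's text to check_cscfg; a thumbprint that looks correct in the editor but reports LEFT-TO-RIGHT MARK or similar characters is the copy/paste case described in the accepted answer, and the cleaned value is what belongs in the attribute. To compare against the actual certificate, feed its DER bytes (the contents of a .cer exported in binary form) to sha1_thumbprint.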

Licensed under: CC-BY-SA with attribution