Question

How can I get a public key certificate deployed to my Worker Role's Trusted People store?

I'm using PeerTrust for WCF (self-hosted TCP services in Azure):

// requires System.ServiceModel.Description (ServiceCredentials) and System.ServiceModel.Security (X509CertificateValidationMode)
var creds = new ServiceCredentials();
// PeerTrust: a client certificate is accepted only if that exact certificate is in the Trusted People store
creds.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;

I know how to reference the certificate both in my .csdef and in code. However, I don't know how to take a .cer file (with no private key) and actually get it into Azure so it can use it for PeerTrust. The Certificates manager in the online Portal only allows you to upload .pfx files (i.e. certificates with their private keys).


Solution

I'm just wondering if you can install the CER from your code when your role is started, using System.Security.Cryptography.X509Certificates.X509Store and System.Security.Cryptography.X509Certificates.X509Certificate2. You can include your CER in your project with "Copy to Output Directory = Copy always".

OTHER TIPS

Perhaps this wasn't always the case, but it's currently possible to do this without any custom work at all. Simply edit your service's .csdef (cloud service definition) file to include the following - or, if using Visual Studio, use the worker role's properties panel:

<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2013-10.2.2">
  <WorkerRole name="MyService.Backend" ... >
    <Certificates>
      <Certificate name="backend.example.com.selfsigned" storeLocation="LocalMachine" storeName="My" />
      <Certificate name="frontend.example.com.selfsigned" storeLocation="LocalMachine" storeName="TrustedPeople" />
    </Certificates>
    <Endpoints>
      <InternalEndpoint name="Internal" protocol="tcp" port="..." />
    </Endpoints>
    ...
  </WorkerRole>
  <WebRole name="MyService.Frontend" ... >
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="WebsitePublicEndpoint" endpointName="Insecure" />
          <Binding name="WebsitePublicEndpoint" endpointName="Secure" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="Insecure" protocol="http" port="80" />
      <InputEndpoint name="Secure" protocol="https" port="443" certificate="example.com" />
    </Endpoints>
    <Certificates>
      <Certificate name="backend.example.com" storeLocation="LocalMachine" storeName="TrustedPeople" />
      <Certificate name="frontend.example.com" storeLocation="LocalMachine" storeName="My" />
      <Certificate name="example.com" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
    ...
  </WebRole>
</ServiceDefinition>

See also this forum thread and the worker role service definition file schema documentation.

Also, the Azure portal now supports uploading .cer (public-key-only) certificate files. You may have to change the Open File dialog's selection filter - by default it's set to look for .pfx files only.
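A concrete version of the install-from-code idea in the first answer, combined with a start-up check that is just as useful when the certificate is deployed through the .csdef as in the second answer. This is an added example, not code from either answer; it assumes the .cer was copied to the role's output directory, a hypothetical deployment-time expectedThumbprint, and the PeerTrust credentials from the question.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public static class PeerTrustSetup
{
    // Installs a public-key-only .cer into LocalMachine\TrustedPeople, the store that
    // PeerTrust consults. Idempotent: a cert already present (same thumbprint) is not
    // re-added. expectedThumbprint is a hypothetical deployment-time constant so that a
    // swapped .cer in the package cannot silently become a trusted peer.
    public static X509Certificate2 EnsureTrustedPeer(string cerPath, string expectedThumbprint)
    {
        // A .cer carries no private key; X509Certificate2 loads DER or base64 .cer files.
        var cert = new X509Certificate2(File.ReadAllBytes(cerPath));
        if (cert.HasPrivateKey)
            throw new InvalidOperationException("Peer certificate must not carry a private key.");
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Unexpected peer thumbprint: " + cert.Thumbprint);
        using (var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            if (store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count == 0)
                store.Add(cert);
        }
        return cert;
    }

    // The credentials from the question, plus a start-up check that the peer certificate
    // really is in TrustedPeople (whether it got there via .csdef or EnsureTrustedPeer).
    // With PeerTrust, a missing store entry means every client is rejected at the handshake.
    public static ServiceCredentials BuildPeerTrustCredentials(string expectedThumbprint)
    {
        using (var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            if (store.Certificates.Find(X509FindType.FindByThumbprint, expectedThumbprint, false).Count == 0)
                throw new InvalidOperationException("Peer certificate missing from TrustedPeople.");
        }
        var creds = new ServiceCredentials();
        creds.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        return creds;
    }

    // Typical call from the worker role's OnStart (hypothetical file name and placeholder thumbprint):
    //   var cer = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "frontend.example.com.cer");
    //   PeerTrustSetup.EnsureTrustedPeer(cer, "<EXPECTED_THUMBPRINT_PLACEHOLDER>");
    //   var creds = PeerTrustSetup.BuildPeerTrustCredentials("<EXPECTED_THUMBPRINT_PLACEHOLDER>");
}
```

Writing to the LocalMachine store requires the role to run elevated (`<Runtime executionContext="elevated" />` in the .csdef); the .csdef Certificates route above avoids that because the fabric installs the certificate before the role starts.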

Licensed under: CC-BY-SA with attribution