Using Thawte SSL Certificates on Azure
So you have your new website ready to deploy to Azure and you have bought a new SSL certificate to enable HTTPS. If you bought one from Thawte then this post will help you install it correctly on Azure.
When we first deployed ours everything looked like it was working, but when we ran the SSL checker from Thawte it kept failing on the SSL certificate chain (the intermediate certificates were not being served). Here is some useful information on how to set up the SSL chain within your Azure project.
To use your Thawte certificate you actually need your purchased one and 4 others.
One primary, two chain (intermediate) certificates and one which is no longer valid (yes, you have to upload the invalid one and tell Windows not to use it).
You can download all of these from Thawte, but to deploy your certificates to Azure they must be in the PFX format. The downloaded ones from Thawte are in .cer format, so you will need to convert them from .CER to .PFX.
Converting certificates from .CER to .PFX
For your convenience the link below contains the converted public Thawte certificates you need to use with your own certificate. As these are public certificates I decided not to use a strong password; the password is: password
If you downloaded the link above you can skip the section below, but if, like any good security-conscious person, you said “I’m not trusting your link”, here’s what you need to do to convert the .CER files into .PFX.
I had a huge amount of trouble trying to convert the certificates into the PFX format, but after a lot of searching I found a really useful PowerShell script which does it all for you.
In case you have never run a PowerShell script before, it’s really simple.
First, install PowerShell if you do not already have it (you can get it here).
Launch the Windows PowerShell ISE from the Start menu (use the search function if you can’t find it); it will look something like the image below:
Copy and paste the following text:
# Load the downloaded .cer file (change the path to where you saved yours)
$c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\certs\Thawte DV SSL CA.cer")
# Export the public certificate in PFX format, protected with the given password
$bytes = $c.Export("Pfx","password")
# Write the PFX bytes out next to the original file
[System.IO.File]::WriteAllBytes("D:\certs\Thawte DV SSL CA.pfx", $bytes)
Change the file path to one on your machine and then press F5 to run the script.
Your certificate will be converted. Repeat this process for the other 3 certificates and then you can upload them to Azure.
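As an added example (not code from the original post), the script below extends the snippet above: it converts every .cer file in a folder in one go, prints each certificate's SHA-1 thumbprint so you can check it against the values Thawte publishes before pasting it into ServiceConfiguration.cscfg, and then builds the chain for your own certificate offline so a broken chain shows up before you deploy. The folder path, the site PFX file name and the passwords are assumptions; change them to match your machine.

```powershell
# Added example, not from the original post. Converts every .cer in a folder to
# .pfx, lists each certificate's SHA-1 thumbprint (the value the thumbprint="..."
# attribute in ServiceConfiguration.cscfg must match), then checks that your own
# certificate chains up to a Thawte root using those intermediates.
# Folder path, site PFX name and passwords below are assumptions.
$certDir      = "D:\certs"
$pfxPassword  = "password"              # public CA certificates only, no private key
$sitePfx      = "D:\certs\mysite.pfx"   # your purchased certificate (assumed file name)
$sitePassword = "change-me"             # password you exported your own PFX with

Get-ChildItem -Path $certDir -Filter *.cer | ForEach-Object {
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)
    $pfxPath = [System.IO.Path]::ChangeExtension($_.FullName, ".pfx")

    # Export the public certificate in PFX format, the format Azure expects
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
    [System.IO.File]::WriteAllBytes($pfxPath, $bytes)

    # Thumbprint is SHA-1 hex, matching thumbprintAlgorithm="sha1" in the .cscfg
    [PSCustomObject]@{
        File       = $_.Name
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
} | Format-Table -AutoSize

# Build the chain for your purchased certificate with the downloaded .cer files
# offered as extra candidates. A chain that does not build here is what the
# online SSL checker reports after deployment.
$site  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sitePfx, $sitePassword)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
Get-ChildItem -Path $certDir -Filter *.cer | ForEach-Object {
    $extra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)
    $chain.ChainPolicy.ExtraStore.Add($extra) | Out-Null
}
if ($chain.Build($site)) {
    "Chain builds OK:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  " + $_.Status + ": " + $_.StatusInformation.Trim() }
}
```

Run it from the PowerShell ISE with F5 exactly like the snippet above; the expired root will show up as NotTimeValid if the chain builder picks it, which is why it goes into the Disallowed store later on.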
I’m not going to cover how to upload an SSL certificate as there are a great number of websites which will show you how to do this.
You will also need to install the certificates on your local machine to include them in your project.
To do this, simply right-click on the PFX or CER file and click Install.
Make sure you put them into your Personal store so you can select them from within your project.
Adding the Certificates to your Project
Within your project, right-click on the role and select Properties.
Then select the Certificates section.
Add the certificates one by one.
Once you have selected a certificate from your certificate store you will need to make sure its store is set to CA and not MY, which is the default.
Your purchased SSL certificate must be in the MY store, though.
As mentioned earlier, with Thawte certificates you will need to disable one of them as it’s no longer in use (check the Thawte site for more details).
To do this, simply choose the Disallowed store and then that certificate will be disabled when you deploy your build.
Once you have done this your certificates will look something like the image below:
Alternatively, you can edit the configuration in code.
Double-click on the ServiceConfiguration.cscfg file, which will take you to the XML behind the config.
Then add the following lines into the Certificates section:
<Certificate name="Thawte DV SSL CA" thumbprint="3CA958F3E7D6837E1C1ACF8B0F6A2E6D487D6762" thumbprintAlgorithm="sha1" />
<Certificate name="thawte Primary Root CA" thumbprint="1fa490d1d4957942cd23545f6e823d0000796ea2" thumbprintAlgorithm="sha1" />
<Certificate name="Thawte Premium Server CA (SHA1)" thumbprint="E0AB059420725493056062023670F7CD2EFC6666" thumbprintAlgorithm="sha1" />
<Certificate name="Thawte Primary Root CA(old)" thumbprint="91c6d6ee3e8ac86384e548c299295c756c817b81" thumbprintAlgorithm="sha1" />
Now double click on your and add the following lines to the Certificates section:
<Certificate name="Thawte DV SSL CA" storeLocation="LocalMachine" storeName="CA" />
<Certificate name="thawte Primary Root CA" storeLocation="LocalMachine" storeName="CA" />
<Certificate name="Thawte Premium Server CA (SHA1)" storeLocation="LocalMachine" storeName="CA" />
<Certificate name="Thawte Primary Root CA(old)" storeLocation="LocalMachine" storeName="Disallowed" />
Now you can deploy your new build and it will pass the SSL checker.