
Using Thawte SSL Certificates on Azure


So you have your new website ready to deploy to Azure and you have bought a new SSL certificate to enable HTTPS. If you bought one from Thawte then this post will really help you to install it correctly on Azure.

When we first deployed ours, everything looked like it was working, but when we ran the SSL checker from Thawte it kept failing on an SSL chain. Here is some useful information on how to set up the SSL chains within your Azure project.

To use your Thawte certificate you actually need your purchased one and 4 others:
one primary, two chains and one which is no longer valid (yes, you have to upload the invalid one and tell Windows not to use it).
You can download all of these from Thawte, but to deploy your certificates to Azure they must be in the PFX format. The ones downloaded from Thawte were in .CER format. This means you will need to convert them from .CER to .PFX.

Converting certificates from .CER to .PFX

For your convenience the link below contains the converted public Thawte certificates you need to use with your own certificate. As these are public certificates I decided not to use a strong password; the password is: password

Thawte public certificates

If you downloaded the link above you can skip the section below, but if, like any good security-conscious person, you said “I’m not trusting your link”, here’s what you need to do to convert the .CER files into .PFX.

I had a huge amount of trouble trying to convert the certificates into the PFX format, but after a lot of searching I found a really useful PowerShell script which does it all for you.
In case you have never run a PowerShell script before, it’s really simple.
First install PowerShell if you do not already have it (you can get it here).
Launch the Windows PowerShell ISE from the Start menu (use the search function if you can’t find it); it will look something like the image below:

Copy and paste the following text:

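# Load the public certificate from the downloaded .cer file
$c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\certs\Thawte DV SSL CA.cer")
# Export it as a PFX blob protected with the given password
$bytes = $c.Export("Pfx","password")
# Write the PFX file next to the original .cer
[System.IO.File]::WriteAllBytes("D:\certs\Thawte DV SSL CA.pfx", $bytes)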

Change the file path to one on your machine and then press F5 to run the script.
Your certificate will be converted. Repeat this process for the other 3 certificates and then you can upload these to Azure.
I’m not going to cover how to upload an SSL certificate as there are a great number of websites which will show you how to do this.

You will also need to install the certificates on your local machine to include them in your project.
To do this, simply right-click on the PFX or CER file and click Install.
Make sure you put them into your Personal store so you can select them from within your project.

Adding the Certificates to your Project
Within your project, right-click on the role and select Properties.
Then select the certificates section.
Add the certificates in one by one.
Once you have selected the certificate from your certificate store you will need to make sure it is in the CA store and not the MY store, which is the default.
Your SSL certificate which you bought must be in the MY store though.
As mentioned earlier, with Thawte certificates you will need to disable one of them as it is no longer in use (check the Thawte site for more details).
To do this, simply choose the Disallowed store and the certificate will be disabled when you deploy your build.
Once you have done this your certificates will look something like the image below:

Alternatively, you can edit the configuration in code.

Double-click on the ServiceConfiguration.cscfg file, which will take you to the XML behind the config.
Then add the following lines into the Certificates section:

<Certificate name="Thawte DV SSL CA" thumbprint="3CA958F3E7D6837E1C1ACF8B0F6A2E6D487D6762" thumbprintAlgorithm="sha1" />
<Certificate name="thawte Primary Root CA" thumbprint="1fa490d1d4957942cd23545f6e823d0000796ea2" thumbprintAlgorithm="sha1" />
<Certificate name="Thawte Premium Server CA (SHA1)" thumbprint="E0AB059420725493056062023670F7CD2EFC6666" thumbprintAlgorithm="sha1" />
<Certificate name="Thawte Primary Root CA(old)" thumbprint="91c6d6ee3e8ac86384e548c299295c756c817b81" thumbprintAlgorithm="sha1" />

Now double click on your and add the following lines to the Certificates section:

<Certificate name="Thawte DV SSL CA" storeLocation="LocalMachine" storeName="CA" />
<Certificate name="thawte Primary Root CA" storeLocation="LocalMachine" storeName="CA" />
<Certificate name="Thawte Premium Server CA (SHA1)" storeLocation="LocalMachine" storeName="CA" />
<Certificate name="Thawte Primary Root CA(old)" storeLocation="LocalMachine" storeName="Disallowed" />

Now you can deploy your new build and it will pass the SSL checker.
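
The conversion and thumbprint steps above as one batch script, added here as an example rather than taken from the original post: it converts every .cer in a folder to .pfx, reloads each PFX to confirm the thumbprint is unchanged, and prints the matching ServiceConfiguration.cscfg lines. $CertDir and $PfxPassword are assumed placeholder values, and the name in each output line is taken from the file name.

```powershell
# Added example: batch-convert the CA .cer files and list their SHA-1 thumbprints.
# Assumptions: $CertDir and $PfxPassword are placeholders; change them for your machine.
$CertDir     = 'D:\certs'
$PfxPassword = 'password'   # public certificates only, so no secret is being protected

$pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx

$results = foreach ($file in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # A downloaded CA certificate should be public-only; flag anything else.
    if ($cert.HasPrivateKey) {
        Write-Warning "$($file.Name) carries a private key; it is not a plain public certificate."
    }

    # Same conversion as the three-line script, with the output path derived from the input.
    $pfxPath = [System.IO.Path]::ChangeExtension($file.FullName, '.pfx')
    [System.IO.File]::WriteAllBytes($pfxPath, $cert.Export($pfxType, $PfxPassword))

    # Reload the PFX and confirm it still holds the same certificate.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $PfxPassword)
    if ($check.Thumbprint -ne $cert.Thumbprint) {
        throw "Thumbprint mismatch after converting $($file.Name)"
    }

    New-Object PSObject -Property @{
        Name       = $file.BaseName
        Thumbprint = $cert.Thumbprint                   # SHA-1, as used by thumbprintAlgorithm="sha1"
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # true for a root, false for an intermediate
        NotAfter   = $cert.NotAfter
    }
}

# Review table: compare these values with the ones the CA publishes.
$results | Format-Table Name, Thumbprint, SelfSigned, NotAfter -AutoSize

# Lines ready to paste into the Certificates section of ServiceConfiguration.cscfg.
foreach ($r in $results) {
    '<Certificate name="{0}" thumbprint="{1}" thumbprintAlgorithm="sha1" />' -f $r.Name, $r.Thumbprint
}
```

Checking each printed thumbprint against the value published by the CA before uploading also covers the case where the PFX files came from a third-party download rather than your own conversion.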

Written by semicolons and curly braces

October 30, 2011 at 2:34 pm

Posted in Azure

7 Responses


  1. Thank you!!! Was struggling for ages with this until I found your article – many thanks.


    November 11, 2011 at 4:47 pm

    • I’m glad you found this post useful. I know it took me a while to resolve the issue so if it saves 1 person the time and hassle it took me then great.

      semicolons and curly braces

      November 12, 2011 at 3:14 pm

  2. This helped me immensely with VeriSign EV SSL on Azure too – I had to disable the old root as well as use your CER to PFX method. Thank you!!


    February 15, 2012 at 2:09 pm

  3. Thank you very much. PFX creation is the one I was struggling with. You saved me a lot of time; unfortunately I couldn’t find this earlier. :/


    April 3, 2012 at 12:14 pm

  4. Love you


    May 24, 2012 at 7:30 am

  5. […] to command prompt tool.) This information is taken from here. You can refer to semicolonsandcurlybraces link for more information. Special thanks to them, it […]

  6. Somebody essentially assist to make seriously posts I would state.

    This is the very first time I frequented your website
    page and up to now? I amazed with the analysis you made to create this actual submit incredible.
    Wonderful process!

    Buy Ripped XL

    June 27, 2013 at 4:36 am
