My previous post showed how to use your SSL certificate, set up an HTTPS endpoint for your service, and change your service to use HTTPS. If you now run this service in the Compute Emulator, you will see this:
And you will find if you put a breakpoint in the code of the service, and then try to call it from the client, it won’t let you debug into it because the certificate is invalid.
This was really frustrating for me, because I didn’t want to expose an HTTP endpoint, and I didn’t want to keep changing back and forth between HTTP and HTTPS. There’s always a chance I’ll miss something when changing it back, and we’ll publish it to staging and it won’t work right. (Don’t ask.) So I went looking for a way to get around this restriction.
When you run your service in the compute emulator, Windows Azure creates a certificate for 127.0.0.1 and installs it in the machine certificate store. This certificate is not trusted, which is why you get the security error when running your service locally.
To resolve this problem, you have to take that certificate and either copy it into the Trusted Root Certification store for the local machine, or copy it into your user account’s Trusted Root Certification store. This is a security hole on your computer if you trust any HTTPS websites with any valuable information. For this reason, I installed it in my own certificate store rather than the machine certificate store, so it would only endanger my own data. It also makes it easier to remove and re-install when you need to.
First, you need to export the Windows Azure certificate. Click on start and type in MMC (and hit enter) to bring up the Microsoft Management Console.
Click File, then Add/Remove Snap-In. The Add or Remove Snap-ins screen will be displayed. Click on Certificates and click the Add button in the middle of the screen.
On the Certificates snap-in screen, select Computer account and click Next. You want to look in the machine’s certificate store.
On the “Select Computer” screen, take the default of Local Computer and click Finish.
Next, click OK and you should see the machine certificate store. Open the personal folder and click on Certificates. You should see the 127.0.0.1 certificate here.
Double-click on the certificate to see the properties, then click on the Details tab. This is where you export the certificate to a file so you can upload it to your own account’s certificate store.
To do the export, click on Copy to File at the bottom of the window and click OK. This will bring up the Export wizard. Click Next. Select “Do not export the private key” (your only choice).
Click Next. On this screen, take the default of DER encoded binary X.509 for the certificate file format. This will create a file with the file extension of “.cer”.
Click Next. Browse to a folder you can remember and name the file something like “Azure_Dev_Certificate”. It will append “.cer” to the end. Just take the defaults and finish exporting the certificate.
At this point, you can close the MMC application; you don’t need to save the changes (the added snap-in).
Now go find the certificate file in windows explorer and double-click on it to import it. This will import it into your user account’s certificate store.
Click on “Install Certificate”. This will open the Certificate Import Wizard. Click Next on the first screen and you will be prompted to specify the certificate store to place the certificate in. Do NOT take the default. Instead, select “Place all certificates in the following store” and click on Browse. When the Select Certificate Store screen appears, click on Trusted Root Certification Authorities and then click on OK to select it. Click Next to go to the next step of the import wizard, and then click Finish.
When you click Finish, it will ask you if you are sure, because Windows can not verify that the source of the certificate is valid.
Click on Yes then Continue and you will get a message that the certificate was imported successfully. Now 127.0.0.1 is a trusted root certificate. Now when you run your service, it will come up without the security warning, and you will find that you can debug into the running service with Visual Studio.
To see the certificate, you can click Start and type in certmgr.msc. This will bring up your personal certificate store. Click on Trusted Root Certificate Authorities and then Certificates, and you will now see 127.0.0.1 in the list.
As noted before, this is not terribly secure. The safest thing to do is to go into certmgr and delete the certificate after you’re finished debugging, then add it later when you need to debug again. Another option is to set up another user account on your machine that you only use for debugging HTTPS services (and not for surfing the web), and then you can leave the certificate in the store.