At GoldMail, all of our WCF services have https endpoints. How do you do this? First, you need a domain. Then you need to create a CNAME record that points the hostname you want for your service at your Azure service. For example, my domain is goldmail.com, and I have CNAMEd robintest.goldmail.com to robintest.cloudapp.net.
Next, you need a real SSL certificate from a Certificate Authority like VeriSign, purchased for your domain. A self-signed certificate won’t work. A certificate from a CA validates that you are who you say you are, and somebody visiting that domain can be sure it is you. You can buy an SSL certificate that is just for yourcompany.com, but if you buy one that is *.yourcompany.com, you can use it for mywebapp.yourcompany.com, myotherwebapp.yourcompany.com, myservice.yourcompany.com, iworktoomuch.yourcompany.com, etc., just as mine, noted above, covers robintest.goldmail.com.
Next, you need to upload the certificate to the Azure portal for the cloud service you are going to use to host the Azure web role. Then you need to assign the certificate to the web role and set up an https endpoint in the Azure configuration in Visual Studio.
I’m assuming you have already set up a Windows Azure account and defined your service. So let’s see how to upload the certificate to the portal.
First, install the SSL certificate in your computer’s certificate list by double-clicking on the certificate file. Just take the defaults when importing the certificate, and it should end up in the Personal list. By default, this ends up in your user account’s certificate list, not the machine’s certificate list. However, Visual Studio will only browse to the machine’s certificate list when adding the certificate to the Azure configuration. But no worries, you only need the thumbprint from the certificate in order to add it. The following steps will show how to get the thumbprint.
Click Start and type “certmgr.msc” in the search box. This will bring up the certificate manager for your user account.
Double-click on Personal, and then click on the Certificates folder under Personal. You should see your SSL certificate in the list. Double-click on it, and a screen will come up showing the properties. In the Details tab, there is an entry close to the bottom called “Thumbprint”. Click on this, then copy the value out of the bottom window and save it somewhere. Delete the spaces between the alphanumeric pairs and change lowercase letters to uppercase letters, so instead of “1f b4 36 a7…” you have “1FB436A7…”.
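The thumbprint cleanup described above can also be scripted. This is an added example, not part of the original post: the function name is hypothetical and the sample thumbprint is constructed. It also strips the invisible character the certificate dialog can place in front of the copied value, then checks that the certificate in the Personal store has a private key and is not close to expiry.

```powershell
# Hypothetical helper: turn the text copied from the Thumbprint field into the
# form the Azure role configuration expects (40 uppercase hex characters).
function ConvertTo-AzureThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Keep hex digits only. This removes the spaces and also the invisible
    # left-to-right mark (U+200E) the dialog can put in front of the value.
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hex.Length)."
    }
    $hex
}

# Constructed sample value (not a real certificate), as pasted from the dialog.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
$thumb  = ConvertTo-AzureThumbprint -Raw $pasted
"Thumbprint for the role configuration: $thumb"

# Cross-check against the current user's Personal store, where the import put it.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
if ($cert) {
    $cert | Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint | Format-List
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key: this entry cannot serve HTTPS.'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Certificate expires within 30 days.'
    }
} else {
    Write-Warning "No certificate with thumbprint $thumb in Cert:\CurrentUser\My."
}
```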
Now go to http://manage.windowsazure.com and log in.
Click on Cloud Services, and you will see a list of the services you have set up. Click on the service you want to add the certificate to.
At the bottom of the screen, click on the Upload icon. This will show the following upload dialog:
Browse on your computer to select the certificate file. Then enter the password for the certificate and click on the checkbox in the bottom right-hand corner of the screen to upload the certificate. You should now see your certificate in the list.
Now let’s set up the https endpoint for our certificate. I’m going to take the Customer Services project that I created at the San Diego Code Camp last week and change the endpoint from HTTP to HTTPS. This project has a web role and a worker role.
Open the Visual Studio solution for your Azure project and double-click on the web role under Roles under your cloud project to open the project properties, and go to the certificates tab.
For the name, fill in anything you want to, preferably something that makes sense, although you can call your certificate George if you like. I’ve used “GoldMailSSL”. Leave “Store Location” set to “Local Machine” and “Store Name” to “My”. Remember that thumbprint value that you edited the spaces out of and changed to uppercase? Paste it into the Thumbprint field. It should be something like “3EF52D…”.
Now your cloud project has an SSL certificate you can use. Click on the Endpoints tab on the left. I’ve changed the name of the endpoint to https_in, but you don’t have to. (Default names drive me nuts.) Change the protocol to https, change the public port to 443, and select your certificate from the SSL Certificate Name dropdown list. When you’re done, you should see something like this:
If your web role is a WCF service, you might also need to modify the web.config file. For the HTTP service I created in the Azure for Developers talk, the configuration information for the WCF service looks like this:
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true"/>
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
For the service to support https, I need to define the binding and set the security mode for SSL. I can’t install certificates on the customer computers, so I am using Transport security with no client credentials. I also need to change httpGetEnabled to httpsGetEnabled. My default behavior configuration is still okay though. So after making these changes, I have this:
<system.serviceModel>
  <services>
    <service name="CustomerServicesWebRole.CustomerServices">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="secureHttpBinding"
                contract="CustomerServicesWebRole.ICustomerServices">
      </endpoint>
    </service>
  </services>
  <bindings>
    <basicHttpBinding>
      <binding name="secureHttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpsGetEnabled="true"/>
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Now my service will only allow https endpoints, and the client will be able to get a service reference using https.
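A pre-deployment check for the settings changed above, as an added example that is not part of the original post. The function name is hypothetical, and the embedded XML is a constructed sample: the HTTPS configuration from this page wrapped in a configuration element. The function reports any basicHttpBinding endpoint not tied to Transport security, metadata still served over plain HTTP, and exception details enabled in faults.

```powershell
# Constructed sample: the page's HTTPS serviceModel section inside <configuration>.
[xml]$config = @'
<configuration><system.serviceModel>
  <services>
    <service name="CustomerServicesWebRole.CustomerServices">
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="secureHttpBinding"
                contract="CustomerServicesWebRole.ICustomerServices" />
    </service>
  </services>
  <bindings><basicHttpBinding>
    <binding name="secureHttpBinding">
      <security mode="Transport"><transport clientCredentialType="None" /></security>
    </binding>
  </basicHttpBinding></bindings>
  <behaviors><serviceBehaviors><behavior>
    <serviceMetadata httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="false" />
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>
'@

# Hypothetical helper: returns one string per problem found, nothing if clean.
function Test-WcfHttpsConfig {
    param([Parameter(Mandatory)][xml]$Xml)
    $findings = @()
    $endpoints = "//services/service/endpoint[@binding='basicHttpBinding']"
    foreach ($ep in $Xml.SelectNodes($endpoints)) {
        # An endpoint without a bindingConfiguration is treated as unsecured here:
        # basicHttpBinding defaults to security mode None.
        $name  = $ep.GetAttribute('bindingConfiguration')
        $xpath = "//bindings/basicHttpBinding/binding[@name='$name']" +
                 "/security[@mode='Transport']"
        if (-not $Xml.SelectSingleNode($xpath)) {
            $findings += "Endpoint '$($ep.GetAttribute('contract'))' lacks Transport security."
        }
    }
    if ($Xml.SelectSingleNode("//serviceMetadata[@httpGetEnabled='true']")) {
        $findings += 'serviceMetadata has httpGetEnabled="true" (metadata over plain HTTP).'
    }
    if ($Xml.SelectSingleNode("//serviceDebug[@includeExceptionDetailInFaults='true']")) {
        $findings += 'serviceDebug returns exception details in faults.'
    }
    return $findings
}

$result = Test-WcfHttpsConfig -Xml $config
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'web.config: HTTPS settings OK' }
```

To check a real project, load the file with `[xml](Get-Content .\web.config -Raw)` and pass it to the function instead of the sample.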