1
votes

From the Azure / Windows side ...

When you follow the steps at http://msdn.microsoft.com/en-us/library/windowsazure/ff795779.aspx#upload with ServiceConfiguration.Cloud.cscfg containing, e.g.

<Certificates>
  <Certificate name="www.myserver.com" 
    thumbprint="ad513653e4560fe4afce5bdac88c744fbcf93525" 
    thumbprintAlgorithm="sha1"/>
</Certificates>

and ServiceDefinition.build.csdef containing, e.g.

<Endpoints>
  <InputEndpoint name="HttpIn" port="80" protocol="tcp" />
  <InputEndpoint name="HttpsIn" protocol="tcp" port="443"/>
</Endpoints>
<Certificates>
  <Certificate name="www.myserver.com" 
    thumbprint="AD513653E4560FE4AFCE5BDAC88C744FBCF93525" 
    thumbprintAlgorithm="sha1" />
</Certificates>

and the certificate with this thumbprint is uploaded via the Azure Platform web console to our Hosted service, then the certificate is deployed to the Server Certificates in IIS when the Azure instance starts. We can RDP into the instance and see the certificate in the Server Certificates of the IIS console.

From the Java side ...

When you connect to the "Windows-MY" keystore in Java with

KeyStore keystore = KeyStore.getInstance("Windows-MY");
keystore.load(null, null);

And then look for the keystores available, you do not see this certificate. If we RDP into the Azure instance and manually add the certificate via certmgr.msc then our Java process does see the certificate using the "Windows-MY" keystore.

I see many examples of Java / Azure certificate integration - e.g. http://blogs.msdn.com/b/avkashchauhan/archive/2010/11/07/adding-ssl-https-security-with-tomcat-java-solution-in-windows-azure.aspx - where the certificate is exported to a keystore file which is then deployed with the Azure package, but we would like to find a way whereby the certificate can be managed independently of the package build and using the standard Azure certificate management approach. Note that we don't have access to the certificate that is to be used, since it is managed by another party.

I also see examples of how to get this certificate using .net code - e.g. How can you get a certificate in code on Windows Azure.

How would you access this Azure deployed certificate directly from Java? Is it deployed into another keystore other than "Windows-MY"? Can you access a certificate from the Server Certificates in IIS directly from Java?

Thanks,

Update (20th May)

We got a tip from someone to use the storeLocation="CurrentUser" in the ServiceDefinition.csdef file, which sounded like it should do the job, e.g.

<Certificate name="www.myserver.com" 
  storeLocation="CurrentUser" storeName="My" />

However, for some reason Azure does not seem to be deploying the certificate to the CurrentUser store. I only see the certificate deployed to the server if storeLocation is set to LocalMachine, and (as described above) this ends up in the Local Machine certificate store, which Java doesn't seem to be able to access.

2 Answers

1
votes

According to this article there are only Windows-MY and Windows-ROOT as possible certificate store providers for Windows. The Azure-managed certificates are stored in the local machine's personal certificates and therefore don't seem to be accessible through the KeyStore API.

As a workaround you could either try to get the certificate via native APIs (e.g. via JNI or JNA) or write a wrapper executable (e.g. written in native C++ or .NET) which provides the required certificate to your Java process.
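The following Java program is an added example (not code from the question or from the answer above) that makes the behaviour described in both concrete: it opens the "Windows-MY" keystore exactly as the question does, lists every alias with its SHA-1 thumbprint and whether a private key is reachable, and then reports whether the thumbprint from the question's ServiceConfiguration.cscfg is present. Because SunMSCAPI's "Windows-MY" maps to the current user's Personal store, a certificate that Azure has placed only in LocalMachine\My shows up as "not found" here; run it again after adding the certificate to the user store (as the question describes doing with certmgr.msc) and it is listed. The class name WindowsMyLookup and the default thumbprint argument are assumptions for this example; it needs a Windows JVM with the SunMSCAPI provider and degrades gracefully elsewhere.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;

// Example class (name assumed): inspects the Windows-MY keystore that SunMSCAPI
// exposes, i.e. the CurrentUser\My ("Personal") certificate store.
public class WindowsMyLookup {

    // SHA-1 fingerprint in the form Azure shows it in the portal and expects in
    // the .cscfg / .csdef <Certificate thumbprint="..."> attribute (hex, no separators).
    static String sha1Thumbprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Returns the alias whose certificate has the given SHA-1 thumbprint, or null
    // when the store does not contain it. Case and separators in the input are ignored,
    // since the .cscfg and .csdef in the question spell the same thumbprint differently.
    static String findByThumbprint(KeyStore ks, String thumbprint) throws Exception {
        String wanted = thumbprint.toLowerCase(Locale.ROOT).replace(":", "").replace(" ", "");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c != null && sha1Thumbprint(c).equals(wanted)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Thumbprint taken from the question's ServiceConfiguration.cscfg (default, can be overridden).
        String thumbprint = args.length > 0 ? args[0] : "ad513653e4560fe4afce5bdac88c744fbcf93525";

        KeyStore ks;
        try {
            ks = KeyStore.getInstance("Windows-MY");  // SunMSCAPI: CurrentUser\My only
            ks.load(null, null);                      // no file, no password: backed by the OS store
        } catch (KeyStoreException ex) {
            System.err.println("Windows-MY is only available on Windows with the SunMSCAPI provider: " + ex);
            return;
        }

        System.out.println("Windows-MY (current user's Personal store) contains " + ks.size() + " entries:");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            // isKeyEntry is true only when the private key is reachable from this process,
            // which is what an HTTPS server in Java ultimately needs.
            System.out.printf("  %-30s %s  privateKey=%s  subject=%s%n",
                    alias, sha1Thumbprint(c), ks.isKeyEntry(alias), c.getSubjectX500Principal());
        }

        String alias = findByThumbprint(ks, thumbprint);
        if (alias == null) {
            System.out.println("Certificate " + thumbprint + " is NOT in Windows-MY. A certificate that Azure "
                    + "deployed to LocalMachine\\My (the store IIS reads) is not visible through this keystore.");
        } else {
            System.out.println("Found as alias '" + alias + "'; private key accessible=" + ks.isKeyEntry(alias));
        }
    }
}
```

Compile and run it on the role instance with `javac WindowsMyLookup.java && java WindowsMyLookup AD513653E4560FE4AFCE5BDAC88C744FBCF93525` (the thumbprint argument is optional). Note that the JVM sees the Personal store of the account the role process runs as, so a certificate added under an RDP session's user profile is only visible to a Java process running as that same user; checking `privateKey=true` for the alias is the quickest way to confirm the certificate is usable for TLS rather than merely present.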

0
votes

You may be able to do something like the following:

Java access to intermediate CAs from Windows keystores?

In that, they are building a certificate chain with certificates from other stores. So using that, I think you will be able to access the certificate.