
I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".

The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:

https://www.digicert.com/help

I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.

How do I include the intermediate certificates in my Azure web role?

Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).


1 Answer


Overview of the answer

You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.

Step 1: Convert the p7b file to a pfx for upload to Azure

This step is derived from this article.

  1. Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
  2. Complete the CSR request using the crt file. See this SO answer for details.
  3. Open the Windows Certificate Manager (certlm.msc).
  4. Import the p7b file into the Local computer/Intermediate Certification Authorities/Certificates node.
  5. Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.

Step 2: Upload the certificates to the Azure Web Role

Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.

Step 3: Add the certificates to your Web Role project

This step is loosely derived from this article.

  1. In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties.
  2. In the Properties window, select Certificates.

Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.

If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:

  1. Open the Windows Certificate Manager (certlm.msc).
  2. Import the pfx file containing your intermediate certificates into the Personal/Certificates node.

Meanwhile, back in Visual Studio, for each intermediate certificate:

  1. Click "Add certificate", then
  2. Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
  3. Set the Store Name to CA.
  4. Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above), you can get it by clicking the ellipsis in the Thumbprint box and selecting the certificate.

Step 4: Publish and test

Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.

Publish your new project to Azure. You can test your website's SSL using either of these online tools:

https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help
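As an added example, not part of the answer above, the certlm.msc steps from Step 1 and the thumbprint lookup from Step 3 scripted with Windows' built-in PKI cmdlets. It assumes an elevated PowerShell on the machine where the CSR was completed; the file paths and the leaf thumbprint are placeholders you must replace.

```powershell
# Added example (not the answer's own code). Replace the three placeholders below.
$P7bPath        = 'C:\certs\gd_bundle.p7b'                # assumption: GoDaddy intermediate bundle
$PfxPath        = 'C:\certs\site-with-chain.pfx'          # assumption: output file for Azure upload
$LeafThumbprint = 'REPLACE_WITH_YOUR_LEAF_THUMBPRINT'     # from certlm.msc, Personal\Certificates

# Step 1.4: put the intermediates where the Windows chain engine looks for them.
Import-Certificate -FilePath $P7bPath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

# The leaf must exist in Personal and carry its private key (i.e. the CSR was completed).
$leaf = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $LeafThumbprint }
if (-not $leaf)               { throw "Leaf $LeafThumbprint not found in LocalMachine\My" }
if (-not $leaf.HasPrivateKey) { throw 'Leaf has no private key; complete the CSR first (Step 1.2)' }

# Build the chain the same way the export wizard does, so we can see exactly which
# intermediates will be bundled and which thumbprints must be typed into Visual Studio.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline build; we only need the chain members
if (-not $chain.Build($leaf)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build (missing intermediate or untrusted root?): $why"
}

# Step 3: intermediates are every element except the leaf (first) and the root (last).
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
if ($elements.Count -lt 3) {
    Write-Host 'No intermediate certificates in the chain; nothing to add in Visual Studio.'
} else {
    Write-Host 'Intermediate certificates to add to the Web Role (Store Name = CA):'
    $elements[1..($elements.Count - 2)] | ForEach-Object {
        '{0}  {1}' -f $_.Thumbprint, $_.Subject
    }
}

# Step 1.5: export leaf + private key + full chain as one PFX for upload to Azure.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $leaf -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Wrote $PfxPath"
```

If the chain fails to build, the thrown message lists the Windows status text (for example an untrusted root), which is the same condition that makes clients such as the Azure Scheduler report the certificate as "not trusted".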