Azure Worker Role Service Definition Certificate issue "Installing a certificate to the LocalMachine/Root store is not supported"

Question
-
Hi,
I have a couple of certificates that I need to add to the worker role which have to get installed in the Cloud service's Root Certification store upon deployment.
I added the following lines in the service definition of my worker role:
<Certificate name="Internal Root" storeLocation="LocalMachine" storeName="Root" />
<Certificate name="SSL Corp CA" storeLocation="LocalMachine" storeName="Root" />
Upon building the Worker Role project, I get the following error:
Installing a certificate to the LocalMachine/Root store is not supported
Any thoughts on why this could be happening?
Friday, June 5, 2015 7:15 PM
Answers
-
Hi,
Microsoft by default does not allow direct import to the trusted root store. Even if you give the storeName as "CA", the cert will be downloaded only to the intermediate cert store. You will have to write a startup task with elevated permissions to move the cert to the root store. However, you need to do this only if your SSL cert is issued by a provider who is not included in the Microsoft root certificate program. If a provider is part of the root certificate program, the root certificate corresponding to your SSL certificate will automatically be downloaded to your Azure instance when you deploy it.
Refer: http://thetechnologychronicle.blogspot.in/2013/11/ssl-cert-considerations-in-windows-azure.html
Regards,
Nithin Rathnakar
- Marked as answer by akay tad Thursday, June 11, 2015 6:41 AM
Tuesday, June 9, 2015 3:21 AM -
Hi,
You can install a Certificate to the Trusted Root Certificate Store using a Startup Task.
Refer to the following threads and links that show how to do it.
https://social.msdn.microsoft.com/Forums/en-US/b5db1118-0185-4dc7-a6d7-d62ce4cc9e27/azure-cloud-service-install-certificate-in-trusted-root?forum=windowsazuredevelopment
https://social.msdn.microsoft.com/Forums/azure/en-US/96926ae6-0cbf-4d00-9dd4-bbe86f93737e/add-certificate-file-to-trusted-root-ca-using-startup-task?forum=windowsazuredevelopment
Also have a look at this; it's an old one, but for your reference.
https://rupertmaier.wordpress.com/2014/09/12/deploying-a-certificate-into-the-trusted-root-store-in-windows-azure-cloud-services/
Regards,
Nithin Rathnakar
- Proposed as answer by Nithin.Rathnakar Monday, June 8, 2015 4:45 AM
- Marked as answer by Nithin.Rathnakar Thursday, June 11, 2015 3:07 AM
Saturday, June 6, 2015 2:38 AM
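
One way to write the elevated startup task the answers above describe, as an added example that is not from the thread or from Microsoft. It assumes the two certificates are declared with storeName="CA" in the service definition; the script and .cmd file names are hypothetical, and the thumbprints are placeholders to be replaced with your own.

```powershell
# Added example, not from the thread. Runs from a startup task declared in
# ServiceDefinition.csdef with executionContext="elevated" (file names assumed):
#   <Task commandLine="PromoteRoots.cmd" executionContext="elevated" taskType="simple" />
# PromoteRoots.cmd: powershell -NoProfile -ExecutionPolicy Bypass -File PromoteRoots.ps1
$ErrorActionPreference = 'Stop'

# Placeholders: thumbprints of the two certificates from the question.
# Pinning by thumbprint means nothing else found in the CA store becomes a trust anchor.
$PinnedThumbprints = @(
    '<THUMBPRINT-OF-INTERNAL-ROOT>',
    '<THUMBPRINT-OF-SSL-CORP-CA>'
)

function Copy-PinnedCertToRoot {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', $location)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
    try {
        $ca.Open('ReadOnly')
        $root.Open('ReadWrite')   # fails unless the task is elevated

        $cert = $ca.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if (-not $cert) { throw "Pinned certificate $Thumbprint is not in LocalMachine\CA" }
        if ($cert.NotAfter -lt (Get-Date)) { throw "Pinned certificate $Thumbprint has expired" }

        if ($root.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }) {
            return 'AlreadyTrusted'   # startup tasks rerun on reboot and recycle
        }
        $root.Add($cert)              # copy only; the original stays in the CA store
        return 'Added'
    }
    finally {
        $ca.Close()
        $root.Close()
    }
}

foreach ($thumbprint in $PinnedThumbprints) {
    $result = Copy-PinnedCertToRoot -Thumbprint $thumbprint
    Write-Output "$(Get-Date -Format o) $thumbprint $result"
}
```

With taskType="simple", a thrown error gives a non-zero exit code and stops the role from starting, so a missing or expired root shows up at deployment rather than as TLS failures later.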
All replies
-
Thanks for the info, Nithin.
Currently I have been using the startup task as a workaround, and previously I have also gone through the last link you posted, but I would really like to know why doing it from the service definition doesn't work even though there is a provision to do so.
Monday, June 8, 2015 7:14 AM