How to generate *.publishSettings file from *existing* Management Certificate?

  • Question

  • The Management Certificate is required to connect to your Windows Azure subscription.

    If you Publish your Azure project from within Visual Studio you can Import a *.publishSettings file.
    This file can easily be downloaded using the link "Sign in to download credentials" in the Publish Windows Azure Application dialog box.

    The problem is that every time you download this file for each Subscription a new Management Certificate is created.
    I would like to upload my own *.cer file and have only one Management Certificate per Subscription.

    How can I create a new *.publishSettings file based on the Management Certificate that is already present in the Subscription? (uploaded by myself instead of generated)


    Best Regards, Simon de Kraa.

    Thursday, September 13, 2012 12:48 PM

Answers

  • Since publish settings file is an XML file, one possible solution would be to parse this XML file and remove unwanted subscriptions from that XML file. In the end you'll have just one subscription in that file.

    Another solution would be a bit more convoluted and would require you to read the certificate (with private key) from your certificate store. Then you could write a program which creates an XML file on its own which mimics the structure of a publish settings file. I wrote a simple console application which does exactly that:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Xml;
    using System.Security.Cryptography.X509Certificates;
    using System.IO;
    
    namespace CreatePublishSettingsFile
    {
        class Program
        {
            // Values to fill in before running.
            private static string subscriptionId = "[your subscription id]";
            private static string subscriptionName = "My Awesome Subscription";
            private static string certificateThumbprint = "[certificate thumbprint. the certificate must have private key]";
            private static StoreLocation certificateStoreLocation = StoreLocation.CurrentUser;
            private static StoreName certificateStoreName = StoreName.My;
            // Template of the publish settings file: {0} = Base64 certificate, {1} = subscription id, {2} = subscription name.
            private static string publishFileFormat = @"<?xml version=""1.0"" encoding=""utf-8""?>
    <PublishData>
      <PublishProfile
        PublishMethod=""AzureServiceManagementAPI""
        Url=""https://management.core.windows.net/""
        ManagementCertificate=""{0}"">
        <Subscription
          Id=""{1}""
          Name=""{2}"" />
      </PublishProfile>
    </PublishData>";
    
            static void Main(string[] args)
            {
                // Look the certificate up by thumbprint in the configured store.
                X509Store certificateStore = new X509Store(certificateStoreName, certificateStoreLocation);
                certificateStore.Open(OpenFlags.ReadOnly);
                X509Certificate2Collection certificates = certificateStore.Certificates;
                var matchingCertificates = certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
                certificateStore.Close();
                if (matchingCertificates.Count == 0)
                {
                    Console.WriteLine("No matching certificate found. Please ensure that proper values are specified for Certificate Store Name, Location and Thumbprint");
                }
                else
                {
                    var certificate = matchingCertificates[0];
                    // Export certificate and private key as PKCS#12 with an empty password, Base64-encoded.
                    // The private key must be exportable, otherwise Export throws.
                    string certificateData = Convert.ToBase64String(certificate.Export(X509ContentType.Pkcs12, string.Empty));
                    if (string.IsNullOrWhiteSpace(subscriptionName))
                    {
                        subscriptionName = subscriptionId;
                    }
                    string publishSettingsFileData = string.Format(publishFileFormat, certificateData, subscriptionId, subscriptionName);
                    // The resulting file contains the private key and is written to the temp directory.
                    string fileName = Path.GetTempPath() + subscriptionId + ".publishsettings";
                    File.WriteAllBytes(fileName, Encoding.UTF8.GetBytes(publishSettingsFileData));
                    Console.WriteLine("Publish settings file written successfully at: " + fileName);
                }
                Console.WriteLine("Press any key to terminate the program.");
                Console.ReadLine();
            }
        }
    }
    

    Hope this helps.

    Thursday, September 13, 2012 3:18 PM

All replies

  • Hi Simon,

    I think this is a nice one for http://www.mygreatwindowsazureidea.com/forums/34192-windows-azure-feature-voting

    In Vittorio Bertocci's book on Windows Identity Foundation, he describes how you can create a .PFX file without a password. I think, the question is "Will Microsoft provide this functionality to us?".


    With regards,

    Patriek

    onwindowsazure.com


    If this reply is of help to you, please don't forget to mark it as an answer.

    Thursday, September 13, 2012 1:30 PM
  • Hi,

    You can download publishing settings with the certificate already existing in the account.

    Log in to the management portal with your credentials.

    Then type this link in the browser https://windows.azure.com/download/publishprofile.aspx.

    It would download the profile with the existing certificate. You can see the management certificate information in the downloaded file.

    Hope it helps.



    Please mark the replies as Answered if they help and Vote if you found them helpful.

    • Proposed as answer by Veerendra Kumar Thursday, September 13, 2012 5:50 PM
    Thursday, September 13, 2012 5:50 PM
  • Hi,

    You can download publishing settings with the certificate already existing in the account.

    Log in to the management portal with your credentials.

    Then type this link in the browser https://windows.azure.com/download/publishprofile.aspx.

    It would download the profile with the existing certificate. You can see the management certificate information in the downloaded file.

    Hope it helps.



    Please mark the replies as Answered if they help and Vote if you found them helpful.


    Unfortunately, this is simply wrong. Whenever you visit the link to download a publish profile file, the site creates a new management certificate and adds it into your management certificates list. Also, a maximum of 10 management certificates are allowed per subscription and if you exceed that quota, you will be shown an error. Please try it out yourself by going to the publish profile link posted above and refreshing that page 10 times. Also log in to the portal, go to settings and see how the certificate list grows.
    Thursday, September 13, 2012 5:59 PM
  • Yes, downloading the settings using the link seems pretty convenient but creates a new certificate every time you download the settings! And if you exceed the max. of 10 certificates --> error.

    Gaurav, I will try your solution. Thanks!

    BTW

    I have my *.cer file also stored locally. Can I also use that file to generate the publish settings? I guess so...?


    Best Regards, Simon de Kraa.

    Thursday, September 13, 2012 6:08 PM
  • Hi Simon,

    The thing is that the certificate should have a private key with it, which I believe a *.cer file does not have (but a pfx file does). If you have a pfx file, you could read that and create a new pfx file with an empty password. When I tried with a cer file, the console application I built worked fine (i.e. it created the file successfully) and it would import as well; however, when you try and connect to your subscription, it would give me a 403 error. That led me to believe that we would need to create this file from a certificate which has the private key associated with it.

    Here's what I did:

    1. I already had the certificate with private key in my certificate store (those certificates will have a small "key" in their icons).

    2. I ran the application and it created a file for me.

    3. I then deleted that certificate from my certificate store.

    4. I imported the publish setting file using our Cloud Storage Studio tool.

    5. I tested by fetching the list of hosted services and I was able to get it.

    6. Just to ensure that the solution is indeed working, I logged in to my Windows 8 machine (to ensure that I don't get "It works on my PC" :)) and used that file again to import the subscription. I was able to explore the list of hosted services.

    From distribution point of view, here's what I would do:

    1. Create a new self-signed certificate either using IIS or the makecert utility.

    2. Install that certificate into my local computer's certificate store.

    3. Export that certificate from certificate store in cer file format and upload it in Windows Azure portal and associate it with my subscriptions.

    4. Then I would run this utility to create new publish settings file and distribute it (and test it of course before distributing it :)).

    Hope this helps.

    Thursday, September 13, 2012 6:39 PM
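The private-key requirement described in the reply above can be checked on a file before it is distributed. The following is an added example, not code from the thread: it reads the PublishProfile shape shown in the answer and reports the thumbprint and whether a private key is embedded. The names `Audit` and `Profile`, the sample certificate and the subscription ids are constructed for illustration, and `CertificateRequest` assumes .NET Framework 4.7.2 or .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

class PublishSettingsAudit
{
    // Reports, for each PublishProfile, the embedded certificate and whether it carries a key.
    static void Audit(XDocument doc)
    {
        foreach (XElement profile in doc.Descendants("PublishProfile"))
        {
            byte[] raw = Convert.FromBase64String((string)profile.Attribute("ManagementCertificate"));
            // Accepts PKCS#12 with an empty password (what the generator writes) or bare DER (.cer).
            using (var cert = new X509Certificate2(raw, string.Empty))
            {
                Console.WriteLine("Thumbprint : " + cert.Thumbprint); // match against the portal list
                Console.WriteLine("Private key: " + (cert.HasPrivateKey
                    ? "present (the file is a usable credential)"
                    : "MISSING (public part only, cannot do client authentication)"));
                foreach (XElement sub in profile.Elements("Subscription"))
                    Console.WriteLine("  Subscription " + (string)sub.Attribute("Id") + " / " + (string)sub.Attribute("Name"));
            }
        }
    }

    // Builds one PublishProfile in the file shape shown in this thread (constructed sample).
    static XElement Profile(byte[] certBytes, string id, string name)
    {
        return new XElement("PublishProfile",
            new XAttribute("PublishMethod", "AzureServiceManagementAPI"),
            new XAttribute("Url", "https://management.core.windows.net/"),
            new XAttribute("ManagementCertificate", Convert.ToBase64String(certBytes)),
            new XElement("Subscription", new XAttribute("Id", id), new XAttribute("Name", name)));
    }

    static void Main()
    {
        // Throwaway self-signed certificate; the subscription ids below are placeholders.
        using (RSA key = RSA.Create(2048))
        using (X509Certificate2 cert = new CertificateRequest("CN=Constructed Sample", key,
                   HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
               .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(30)))
        {
            Audit(new XDocument(new XElement("PublishData",
                Profile(cert.Export(X509ContentType.Pkcs12, string.Empty), "00000000-0000-0000-0000-000000000001", "from-pfx"),
                Profile(cert.Export(X509ContentType.Cert), "00000000-0000-0000-0000-000000000002", "from-cer"))));
        }
    }
}
```

Both sample profiles report the same thumbprint; only the one built from the PKCS#12 export reports a private key. To audit a real file, pass `XDocument.Load(path)` to `Audit`.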
  • Yes, you are correct. I think I misunderstood the ask. It creates a new cert every time we visit the link. I already faced this.


    Please mark the replies as Answered if they help and Vote if you found them helpful.

    Thursday, September 13, 2012 6:40 PM
  • Hi Gaurav,

    While this is great and will work for a single subscription, I wonder what will happen when you have multiple subscriptions with separate Management Certificates.

    Will it be possible to have multiple <PublishProfile></...> elements and how will the tooling (like Visual Studio, Cloud Storage Studio or Eclipse) handle this?

    I think there still lies a huge job for Microsoft to implement this :).


    With regards,

    Patriek

    onwindowsazure.com


    If this reply is of help to you, please don't forget to mark it as an answer.

    Friday, September 14, 2012 8:04 AM
  • Hi Patriek,

    I agree. At the end of the day, this profile file is an XML file and it's up to the tooling providers (Cough! Cough! :)) to support this scenario. If Microsoft were to ask me what I want in this, I would say give me a UI where I could pick up my subscriptions and associated certificates. I don't think that's too hard to implement as well.

    What do you think?

    Friday, September 14, 2012 8:11 AM
  • Ah yes, good point.

    I need to loop over my subscription for this to work.

    In our case we can use the same Management Certificate for each subscription. But I can also see that you want to use different Management Certificates for each subscription.

    BTW

    We have an Enterprise agreement so we can use the Enterprise Azure Portal to create the subscriptions ourselves. For each customer we create a new subscription. So for us this is quite dynamic.


    Best Regards, Simon de Kraa.

    Friday, September 14, 2012 8:12 AM
  • We have an Enterprise agreement so we can use the Enterprise Azure Portal to create the subscriptions ourselves. For each customer we create a new subscription. So for us this is quite dynamic.


    Sure, but you'll probably have different development or management teams working for different customers (subscriptions) that you don't want to mix up. I think you'll soon be running into wanting different Management Certificates per customer or even per subscription (if you're using different subscriptions for D, T, A and P).

    With regards,

    Patriek

    onwindowsazure.com


    If this reply is of help to you, please don't forget to mark it as an answer.

    Friday, September 14, 2012 8:36 AM
  • Hi Gaurav,

    I totally agree. The tooling should then be able to import multiple publishing profiles, though. But that shouldn't be too hard either :).


    With regards,

    Patriek

    onwindowsazure.com


    If this reply is of help to you, please don't forget to mark it as an answer.

    Friday, September 14, 2012 8:38 AM
  • We have an Enterprise agreement so we can use the Enterprise Azure Portal to create the subscriptions ourselves. For each customer we create a new subscription. So for us this is quite dynamic.


    Sure, but you'll probably have different development or management teams working for different customers (subscriptions) that you don't want to mix up. I think you'll soon be running into wanting different Management Certificates per customer or even per subscription (if you're using different subscriptions for D, T, A and P).

    With regards,

    Patriek

    onwindowsazure.com


    If this reply is of help to you, please don't forget to mark it as an answer.

    Yes, for now we will use the code from Gaurav and generate different Publish Settings files for each subscription based on the certificate that is added to that particular subscription.

    So every subscription will have its own Publish Settings file. And we can have different certificates per subscription.

    Still have to try this, but I hope it will work...


    Best Regards, Simon de Kraa.

    Friday, September 14, 2012 9:47 AM