Can't use (self-signed wildcard) SSL Certificate in Windows Azure Website (WAWS)

  • Question

  • I want to secure an azure website with a custom domain via SSL.
    The website is in the "Standard" Tier, as required.

    I've been able to upload my self-signed wildcard certificate, but when I want to bind it to the custom domain name, it is not appearing in the "choose a certificate" dropdown.

    Does anybody know why this is?

    EDIT

    For completeness sake, here's how I generated the self-signed certificate:
     
     1. Generate a root certificate:
        makecert -pe -n "CN=Mydomain Root" -ss my -a sha1 -sky exchange -r -len 2048 root.mydomain.com.cer
     2. I imported the root certificate (right-click -> Install Certificate), after which it ended up in the "Personal" certificate store.
     3. Generate a wildcard certificate signed by the root certificate:
        makecert -pe -n "CN=*.mydomain.com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -is my -in "Mydomain Root" -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ss Personal wildcard.mydomain.com.cer
     4. I exported the pfx file of this wildcard certificate with these settings: http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-13-25/3482.WAWS4.png
     5. I uploaded the exported pfx to Azure and tried to bind it to my website's custom domain name.
    Friday, April 25, 2014 2:20 PM

All replies

  • Hi,

    The only time I have seen this happen is when the Subject Name of the certificate doesn't match the custom domain mapped to the web site.

    Can you try to create a certificate like www.yourdomainname.com, upload and configure it?

    Would like to know if the issue is with the wildcard or with the certificate.

    I have done the same successfully, i.e. using MAKECERT to create a certificate and then upload and configure it on WAWS, but not with a wildcard, only with a www one.

    HTH, Benjamin

    Friday, April 25, 2014 3:32 PM
  • Hi Benjamin,

    Thanks for your quick answer and sorry for my late reply.

    I've tried what you suggested and it does work!

    One thing that I forgot in my initial post, but which might be important is that the domain name is actually not in the "usual" format of "server.mydomain.com", but rather "web.dev.projectname.mydomain.com"

    So maybe the azure console does not recognize the wildcard certificate as a valid option because of the multiple prefixes to mydomain.com ?

    Regards,

    Lorenzo

    Tuesday, April 29, 2014 10:19 AM
  • Hi @Jambor yao - MSFT

    Great that you can confirm that this seems to be the problem,

    but is there also a solution?

    Regards,

    Lorenzo

    Tuesday, April 29, 2014 11:21 AM
  • Hi Lorenzo,

    Sorry for my misunderstanding, it's my mistake.

    I tried to create a certificate like *.yourdomainname.com and upload it to the Azure website; this certificate appeared in the "choose a certificate" dropdown list, as in the following screenshot.

    Please try it. If I misunderstood, or this post didn't give you any help, please feel free to let me know. I will try to involve someone familiar with this topic to further look at this issue.

    Best Regards

    Jambor


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, April 30, 2014 2:03 PM
  • Hi Jambor,

    Thanks for your reply. If I do the same as in your screenshot, it works,

    but try giving your site a domain name with multiple parts before the "32sven.com" part.

    For example: www.multipart.domain.name.32sven.com; then the *.32sven.com wildcard certificate will not appear in the dropdown list.

    Regards,

    Lorenzo

    Wednesday, April 30, 2014 2:07 PM
  • Hi Lorenzo,

    Please kindly read the document below.

    http://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/

    Here is a snippet.

    Wildcard certificates are certificates where the CN of the certificate contains a wildcard '*' at the subdomain level. This allows the certificate to match a single level of subdomains for a given domain. For example, a wildcard certificate for *.contoso.com would be valid for www.contoso.com, payment.contoso.com, and login.contoso.com. It would not be valid for test.login.contoso.com, as this adds an extra subdomain level. It would also not be valid for contoso.com, as this is the root domain level and not a subdomain.

    Please have a look at the underlined sentences.

    Best Regards

    Jambor



    Monday, May 5, 2014 7:33 AM
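The single-level wildcard rule quoted from the Azure documentation above is the same rule browsers and TLS libraries apply when matching a certificate name against a hostname, and it is exactly why a *.mydomain.com certificate cannot be bound to web.dev.projectname.mydomain.com. The following Python script is an added example (not code from the thread or from Azure) that implements that rule and runs it over the hostnames used in this thread; the function names and the sample hostnames are constructed for illustration.

```python
"""Certificate-name vs hostname matching with the single-label wildcard rule.

Rule (Azure docs / RFC 6125 style): '*' may only be the entire leftmost label
of the certificate name and it matches exactly one DNS label.  So
*.contoso.com covers www.contoso.com but neither contoso.com nor
test.login.contoso.com.
"""

from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot is the absolute-FQDN form.
    return name.lower().rstrip(".").split(".")


def matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers the hostname."""
    cert = _labels(cert_name)
    host = _labels(hostname)

    if "*" not in cert_name:
        return cert == host  # plain name: exact (case-insensitive) match only

    # The wildcard must be the whole leftmost label ("*.example.com"); partial
    # wildcards ("w*.example.com") and wildcards in other labels are rejected,
    # as is anything shorter than "*.x.y" (e.g. "*.com").
    if cert[0] != "*" or any("*" in lbl for lbl in cert[1:]) or len(cert) < 3:
        return False

    # One wildcard covers exactly one label: label counts must be equal and
    # every label after the first must be identical.
    return len(host) == len(cert) and host[1:] == cert[1:]


def covering_names(hostname: str) -> list[str]:
    """Names a certificate could carry to cover this hostname: the exact name
    and, if the host has enough labels, the one wildcard that would match it."""
    host = _labels(hostname)
    names = [".".join(host)]
    if len(host) >= 3:
        names.append("*." + ".".join(host[1:]))
    return names


def bindable(cert_names: list[str], hostname: str) -> bool:
    """Would any name on the certificate let it be bound to this hostname?"""
    return any(matches(n, hostname) for n in cert_names)


if __name__ == "__main__":
    # Constructed cases: the doc's contoso.com examples plus the thread's host.
    cases = [
        ("*.contoso.com", "www.contoso.com"),
        ("*.contoso.com", "test.login.contoso.com"),
        ("*.contoso.com", "contoso.com"),
        ("*.mydomain.com", "web.dev.projectname.mydomain.com"),
        ("*.dev.projectname.mydomain.com", "web.dev.projectname.mydomain.com"),
    ]
    for cert_name, host in cases:
        print(f"{cert_name:35} {host:35} {matches(cert_name, host)}")
    print("names that would cover the thread's host:",
          covering_names("web.dev.projectname.mydomain.com"))
```

For the poster's case, `covering_names` shows the two options: a certificate for the exact name web.dev.projectname.mydomain.com, or a wildcard one level up, *.dev.projectname.mydomain.com. A *.mydomain.com certificate is never a match for that host, which is why the portal does not offer it in the dropdown.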
  • Thank you Jambor,

    This indeed explains my problem. I hadn't seen that in the docs.

    Regards,

    Lorenzo

    Monday, May 5, 2014 7:55 AM