EMC Consulting Blogs

Random Ramblings of a Platform Architect

Creating and using Self Signed Certificates for use with Azure Service Management API


To use the Service Management API, which is needed to manage Azure applications via Cloud Storage Studio, csmanage or the PowerShell management tools, you will need a self-signed certificate, and you will need both the .pfx and the .cer forms for reliable behavior.

.pfx - This is a PKCS #12 container file, DER encoded. It contains not only certificates but also private keys in encrypted form.

.cer - This is an X.509 certificate in binary form, DER encoded.


The safest way to create the certificate is via the makecert tool, which is part of the Windows SDK.

The command to create a usable certificate is of the form:


"c:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\makecert" -r -pe -a sha1 -n "CN=Windows Azure Authentication Certificate" -ss My -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 GMTestcert01.cer

Make sure you know which folder you ran this from.

This will create a certificate that is stored in your personal store.




The Azure portal requires a .cer, which must be uploaded.



So you will need to import the .cer created via the makecert tool earlier.

At this stage you, and you alone, can connect to your hosted services using any of the tools that make use of the Service Management API.


To use the PowerShell management cmdlets, for example to stop a currently running deployment in staging and to deploy a new one, you will need the thumbprint of the certificate with the spaces removed. In the example script below it is the value that follows cert:\CurrentUser\MY\ (highlighted in yellow in the original post).



Example PowerShell script to deploy to Staging:


#Set-ExecutionPolicy Unrestricted

#Add-PSSnapin AzureManagementToolsSnapIn

# Show the current staging deployment of the hosted service
Get-HostedServices -subscriptionId xxxxx-yyyy-gggg-aaaa-55581 -certificate (get-item cert:\CurrentUser\MY\1299D9E16451533CFB8CB6940635ED803AFBB8E2) | where {$_.ServiceName -eq "DEMO"} | Get-Deployment staging

# Suspend the deployment that is currently running in staging
Set-DeploymentStatus -subscriptionId xxxxx-yyyy-gggg-aaaa-55581 -certificate (get-item cert:\CurrentUser\MY\1299D9E16451533CFB8CB6940635ED803AFBB8E2) -ServiceName app1 -slot staging -status suspended

# Deploy the new package to staging, taking the configuration from local disk
Set-Deployment -subscriptionId xxxxx-yyyy-gggg-aaaa-55581 -certificate (get-item cert:\CurrentUser\MY\1299D9E16451533CFB8CB6940635ED803AFBB8E2) -ServiceName app1 -slot staging -package https://DEMO.blob.core.windows.net/configuration/SimpleTableSample.cspkg -configuration D:\Projects\TestProjects\SimpleTableSample\bin\Release\Publish\ServiceConfiguration.cscfg -label pwshellDeploy1

# Alternative: take the configuration from blob storage instead
#Set-Deployment -subscriptionId xxxxx-yyyy-gggg-aaaa-55581 -certificate (get-item cert:\CurrentUser\MY\1299D9E16451533CFB8CB6940635ED803AFBB8E2) -ServiceName app1 -slot staging -package https://DEMO.blob.core.windows.net/configuration/SimpleTableSample.cspkg -configuration https://DEMO.blob.core.windows.net/configuration/ServiceConfiguration.cscfg -label pwshellDeploy1

# Start the new staging deployment
Set-DeploymentStatus -subscriptionId xxxxx-yyyy-gggg-aaaa-55581 -certificate (get-item cert:\CurrentUser\MY\1299D9E16451533CFB8CB6940635ED803AFBB8E2) -ServiceName app1 -slot staging -status running



For team development, each team member needs either to use their own certificate, which is then uploaded to Azure, or to use the certificate you have generated.

For the team to use the certificate you generated, you need to supply them with copies of the certificate in both forms. The .cer has already been created in the folder where you ran the makecert command earlier.

To create the .pfx you need to export it from your personal store. When exporting to create the .pfx, make sure the private key is exported.


Keep the defaults.


Ensure you remember the password, as you will need to tell the team what it is; they will need it when they import the certificate into their local store.


You can also export the .cer via this tool if you want to. To create the .cer do NOT export the private key.


Keep the defaults.
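
The thumbprint clean-up and the two exports described above can also be scripted. The following is an added example, not part of the original post; it assumes the Export-Certificate and Export-PfxCertificate cmdlets of the PKI module (Windows 8 / Server 2012 or later), and the output folder C:\certs is hypothetical.

```powershell
# Added example, not from the original post.
# $rawThumbprint is a sample built from the thumbprint used in the script above,
# written with the spaces the certificate dialog shows.
$rawThumbprint = '12 99 d9 e1 64 51 53 3c fb 8c b6 94 06 35 ed 80 3a fb b8 e2'
$outDir        = 'C:\certs'   # hypothetical output folder, must already exist

function ConvertTo-CleanThumbprint([string]$Text) {
    # Drop spaces and any invisible characters picked up by copy/paste,
    # keeping only hex digits. A thumbprint is a SHA-1 hash, so 40 digits.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits, got $($clean.Length)"
    }
    return $clean
}

$thumbprint = ConvertTo-CleanThumbprint $rawThumbprint
$certPath   = "Cert:\CurrentUser\My\$thumbprint"
if (-not (Test-Path $certPath)) {
    throw "No certificate with thumbprint $thumbprint in the personal store"
}
$cert = Get-Item $certPath

# The management API authenticates the caller with this certificate,
# which only works when the store entry includes the private key.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in this store"
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)"
}

# .cer: public certificate only, DER encoded; this is the form the portal takes.
Export-Certificate -Cert $cert -Type CERT -FilePath (Join-Path $outDir 'GMTestcert01.cer') | Out-Null

# .pfx: certificate plus private key, protected by the password typed at the prompt.
# This fails if the key was not marked exportable (the -pe switch of makecert).
$password = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $cert -Password $password -FilePath (Join-Path $outDir 'GMTestcert01.pfx') | Out-Null

"Exported $thumbprint to $outDir"
```
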


Ideally the team members should use the certmgr tool to import the .pfx locally on their machines; they will be prompted for the password. If they do not have this then they will need to point to the .cer locally.

[Screenshot: Cloud Storage Studio pointing to the local certificate store]



NOTE: It has been noticeably more stable using the personal certificate store than just using a .cer stored on the local disk.

If the certificate appears to expire, it is suggested that the team member imports the .pfx certificate into their local certificate store.










Published Friday, February 19, 2010 10:25 PM by Grace.Mollison



About Grace.Mollison

Platform Architect.