Azure can be a bit perplexing at times – especially for those of us that are not developers.
This is where we all look at the VM Role as a way to get services running in Azure that have really complex set-ups.
At the same time, we can use Azure features to do part of the work for us.
Let me take the following scenario: You have an application, this application requires specific IIS Role features, then some long application install, and last of all it has an involved set-up. The scripting is all worked out, but it takes a really long time and there are a couple settings that have to be manually applied.
Your goal; automate as much as absolutely possible.
In Azure, you can add an SSL certificate to your Service – the Azure Service Certificate.
You can then configure Azure to automatically inject this certificate (public + private key) into your VM after it completes mini-setup in the Azure cloud.
Great! I can use a certificate in my VM Role and the private key is not broken by the fact that I had to generalize the image with sysprep. Now what? I need to actually use this certificate.
I have two methods that I have worked out to add this certificate to the IIS default web site.
First of all – I created a self-signed certificate but I named it using my Azure Service DNS. So the URL for my site is HTTP://MyService.CloudApp.Net
(Don’t get all funny, you cannot purchase a cloudapp.net SSL certificate as this is Microsoft’s domain – you have to get your own domain, get your certificate and forward the DNS to your Azure Service URL).
Both of these methods I run within a PowerShell script – the different is how I achieve the results.
The common part before either method runs:
I had told Azure to put my certificate in the Local Machine\Personal store in the definition file:
After the VM exits mini-setup and my script runs I need to go find my certificate:
# Get all of the installed Local Computer certificates that can be used
# With Azure this is a Service Certificate that is defined in the configuration for this Role.
$allCerts = Get-ChildItem cert:\localmachine\my
# Find the Certificate that is defined for the domain name
foreach ($cert in $allCerts) {
if ($cert.SubjectName.Name -match "CloudApp.Net") {
$cloudCert = $cert
}
}
Now, I have the certificate, let’s create the binding in IIS
Method 1 – the netsh way using apphost (Server 2008):
## Older Method to achieve the same thing.
$certThumb = $cloudCert.Thumbprint
## Generate a GUID for the SSL binding
$sslGuid = "{" + ([System.Guid]::NewGuid().toString()) + "}"
## Import the SSL certificate
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certThumb appid=$sslGuid
## Create the SSL binding on port 443 for the Default Web Site
& "$env:windir\system32\inetsrv\appcmd.exe" set config -section:system.applicationHost/sites /+"[name='Default Web Site'].bindings.[protocol='https',bindingInformation='*:443:']" /commit:apphost
Method 2 – the PowerShell IIS module way (Server 2008 R2):
Import-Module WebAdministration
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
$certObj = Get-Item $cloudCert.PSPath
New-Item IIS:SslBindings\0.0.0.0!443 -value $certObj
# Remove the HTTP binding
Remove-WebBinding -Name “Default Web Site” -BindingInformation *:80:
The new PowerShell 2.0 WebAdministration module way is much easier to deal with – but, it is PowerShell v2 – that is Server 2008 R2 and newer only.
2 comments:
Thanks this really helped me!
Thanks, Its really help full.
Post a Comment