Management Certificates and PowerShell deployment to Windows Azure


When deploying to Azure, certificates are required instead of a username/password combination. To understand the process, you need to know a little about encryption and certificates.
When encrypting data there are 2 main mechanisms that you could use, namely:

Symmetric Encryption

In this form of encryption both parties have the “secret” key.  This comes from very ancient times, and works on the principle that the password is your “secret” key.

Asymmetric Encryption

In this form of encryption you have both a private and a public key. When exchanging secure data, you share your public key with the relevant party, who is then able to encrypt what they want to send you. Once the encrypted data is sent back to you, you are able to decrypt it because you have the private key.
Whilst these 2 keys are linked mathematically, the private key cannot be generated from the public key (well, when I say you can't, it is possible, but not probable).
These key pairs are stored within certificates. A certificate can contain a public key, or a public key and a private key as a pair. If you have a certificate with a private key, it generally denotes that it is a sensitive resource.
 
These are the steps that we have followed to get the PowerShell Azure scripts working.

1.  Create a certificate with the MakeCert command. Use your Visual Studio command line, which on a development machine can be started by using 'Run' under Administrator permissions.

makecert -r -pe -n "CN=AzureMgmt" -a sha1 -len 2048 -ss My "AzureMgmt.cer"
 

2.  Open up Certificate Manager (there are several ways; however, I found typing the following command in the Start/Run box the easiest).

Certmgr.msc
 
3.  You should see something similar to the screenshot below.
     Things to note:
     i.      You will notice the top certificate does not have a tiny little key in the top right hand corner
               (this denotes a certificate with only a public key).
     ii.      The certificate that you generated should have a little key on it.
[Screenshot: how your certificate screen could look]

4.  Now you need to export your certificate's public key, so that you can upload it to Azure. Do this by right-clicking your certificate with the private key and clicking All Tasks / Export. Then select the option to export the certificate without the private key. It will export the certificate to your machine as a .cer file.

5.  Upload this to Azure (please see the section on Azure certificates). Select the Settings tab at the subscription level (so as not to be in Cloud Services).
[Screenshot: Azure certificate upload screen]
By following these steps you should now be able to run the PowerShell scripts.
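Steps 2 to 4 can also be done and checked from PowerShell. The script below is an added example, not part of the original post: it finds the certificate created in step 1, exports only its public part, and confirms that the file to be uploaded contains no private key. It assumes Windows 8 / Server 2012 or later (for Export-Certificate); the output path is an assumed name.

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012 or
# later, where the PKI module's Export-Certificate cmdlet is available.
$subject = 'CN=AzureMgmt'                              # subject from the makecert command in step 1
$outFile = Join-Path $env:TEMP 'AzureMgmt-public.cer'  # assumed output path

# makecert -ss My without -sr writes to the current user's Personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object -Property NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$subject' found in Cert:\CurrentUser\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store, so it cannot be used from this machine."
}

# -Type CERT writes a DER-encoded .cer file: certificate and public key only.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Reload the file from disk and check what would actually be uploaded.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outFile
if ($exported.HasPrivateKey) {
    Remove-Item -Path $outFile
    throw "Exported file contains a private key; do not upload it."
}
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the certificate in the store."
}

# Summary of the file that is safe to upload.
[pscustomobject]@{
    File                = $outFile
    Thumbprint          = $exported.Thumbprint
    NotAfter            = $exported.NotAfter
    SignatureAlgorithm  = $exported.SignatureAlgorithm.FriendlyName
    HasPrivateKeyInFile = $exported.HasPrivateKey
}
```

The thumbprint in the output can be compared with the one shown for the certificate after upload.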
 

Azure Certificates

There are 2 types of certificates in Azure, namely: management certificates, which only contain the public key, and endpoint certificates for securing endpoints (like HTTPS on your site), which contain private keys.
 