Better Management Certificates for Azure

As I wrote earlier this week, the Silverlight-based Management Portal may be the best feature of Azure’s 1.3 release.  It is a handsome UI, Azure components are far easier to access, and (most importantly) the amount of time required for common tasks is sharply reduced.

This post is only partly about the Management Portal, however.  The certificate generating code in the Azure Tools for VS 2010 is also involved.

The Problem

Although it’s nice to be able to create the necessary management certificate from within Visual Studio, the resulting certificate naming is confusing.  The following dialog shows an existing certificate and the selection for creating a new certificate.

AzVSTools - Certificate Selection

When this tool creates a certificate, it sets the Friendly Name you entered and sets Issued By to Windows Azure Tools.  No big deal, right?  Right – until you add the certificate via the Azure Portal….

Azure Mgmt - Mgmt Certs with Comments

This view of the portal shows the Management Certificates, but you can’t really tell which is which.  For example, which of the two certificates corresponds to the one with Friendly Name: Deployment Credentials in the Azure Tools dialog?  You really can’t tell unless you are able to distinguish them by their thumbprints or validity dates.  Why doesn’t Deployment Credentials  appear in one of the fields?  Well, let’s take a quick look at the certificate in Certificate Manager (certmgr.msc).

CertMgr - Personal Certs - Windows Azure Tools-Deployment Credentials

When Azure Tools created the certificate, it set Windows Azure Tools in the Issued To and Issued By fields.  The name I provided the tool appears in the Friendly Name field.  I’m glad that I can distinguish the certificate in my local store with the friendly name, but it’s only known in my local store.  That’s the problem: Friendly Name is not part of the certificate; it’s metadata associated with the certificate, and only locally.
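To see this on your own machine, here is an added PowerShell example (not part of the original post or of the Azure Tools). It lists the certificates in the current user's Personal store, then re-reads the public part of each one from its exported bytes, which is the form that gets uploaded, to show that the Friendly Name does not travel with it. The output property names are made up for this illustration.

```powershell
# Added example: compare what the local store knows about each certificate
# with what survives once the certificate leaves the store.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My

# Fields you can match against the portal (subject, thumbprint, validity dates)
# next to the store-only Friendly Name.
$certs | Sort-Object NotBefore |
    Format-Table -AutoSize Subject, Issuer, FriendlyName, Thumbprint, NotBefore, NotAfter

$contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

$report = foreach ($cert in $certs) {
    # Export only the public certificate (DER bytes, no private key),
    # as you would when producing a .cer file for upload.
    $bytes = $cert.Export($contentType)

    # Reload from those bytes, i.e. without any store metadata attached.
    $fromBytes = New-Object `
        System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,$bytes)

    [pscustomobject]@{
        Subject              = $fromBytes.Subject        # part of the certificate
        Thumbprint           = $fromBytes.Thumbprint     # hash of the certificate
        FriendlyNameInStore  = $cert.FriendlyName        # local store property
        FriendlyNameExported = $fromBytes.FriendlyName   # empty: not in the certificate
    }
}

$report | Format-List
```

The thumbprint is identical in both views, so it is the reliable key for matching a local certificate to an entry in the portal.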

What’s A Better Way?

Instead of using the Azure Tools to create a certificate, use the MakeCert tool.  Azure only accepts certain certificates (X.509, 2k-bits, SHA1, etc.), so you have to provide a few specific parameters.  Here’s a sample command line:

makecert -sky exchange -r -n "CN=<CertName>" -pe -a sha1 -len 2048 -ss My "<CertFileName>"

where CertName specifies the name you want to appear in the Name field under Management Certificates in the management portal, and CertFileName specifies where to store the certificate file on your local drive.

Now, when you upload the certificate to the management portal, you can easily distinguish the certificates.

Azure Mgmt - Mgmt Certs - Better Names2

Then, when you Publish from Visual Studio, simply choose the appropriate certificate from the list.

AzVSTools - Certificate Selection2

Admittedly, the Friendly Name isn’t set, but you have no trouble distinguishing between certificates in either Visual Studio or Azure’s Management Portal.
