Updated: August 23, 2014
Microsoft Azure uses certificates in three ways:
- Management certificates – Stored at the subscription level, these certificates are used to enable the use of the SDK tools, the Windows Azure Tools for Microsoft Visual Studio, or the Windows Azure Service Management REST API. These certificates are independent of any cloud service or deployment.
- Service certificates – Stored at the cloud service level, these certificates are used by your deployed services.
- SSH Keys – Stored on the Linux virtual machine, SSH keys are used to authenticate remote connections to the virtual machine.
To use a certificate in Azure, it must be uploaded to Azure. Management and service certificates can be uploaded through the Microsoft Azure Management Portal. Service certificates can also be uploaded to the Management Portal using Add Certificate in the Windows Azure Service Management REST API.
Certificates used in Azure are X.509 v3 certificates and can be signed by another trusted certificate or they can be self-signed. A self-signed certificate is signed by its own creator. Because of this, the certificate is not trusted by web browsers and will cause a security alert in Internet Explorer. Users can continue, but have to bypass a security message.
Self-signed certificates are typically used in test scenarios, or when they are used as a container for public/private keys.
Certificates used by Azure can contain a private or a public key. Certificates have a thumbprint that provides a means to identify them in an unambiguous way. This thumbprint is used in the Azure configuration file to identify which certificate a cloud service should use. For more information on configuring certificates in the configuration file, see Set Up a Cloud Service for Azure.
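The thumbprint referenced in the configuration file is the SHA-1 hash of the certificate's DER encoding. The following added example (not from the original page or from Microsoft) computes it and checks the `Certificate` entries of a service configuration (.cscfg) against the certificates you expect to be uploaded. The sample certificate bytes, role and certificate names are constructed, and `audit_cscfg` and `known` are hypothetical names.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespace of the service configuration (.cscfg) schema.
NS = {"c": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprint(cert_bytes: bytes) -> str:
    """SHA-1 over the DER encoding, as uppercase hex (accepts DER or PEM)."""
    m = PEM_RE.search(cert_bytes)
    der = base64.b64decode(m.group(1)) if m else cert_bytes
    return hashlib.sha1(der).hexdigest().upper()

def normalize(value: str) -> str:
    """Drop spaces, colons and invisible characters picked up by copy/paste."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def audit_cscfg(cscfg_xml: str, known: dict) -> list:
    """Return (role, cert name, problem) for each entry that will not resolve."""
    problems = []
    for role in ET.fromstring(cscfg_xml).findall("c:Role", NS):
        for cert in role.findall("c:Certificates/c:Certificate", NS):
            raw = cert.get("thumbprint", "")
            clean = normalize(raw)
            entry = (role.get("name"), cert.get("name"))
            if clean not in known.values():
                problems.append(entry + ("no matching certificate",))
            elif clean != raw.upper():
                problems.append(entry + ("stray characters in thumbprint",))
    return problems

# Constructed sample data: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
TP = thumbprint(SAMPLE_DER)
SAMPLE_CSCFG = f"""<ServiceConfiguration serviceName="demo" xmlns="{NS['c']}">
  <Role name="WebRole1">
    <Certificates>
      <Certificate name="SslCert" thumbprint="{TP}" thumbprintAlgorithm="sha1" />
      <Certificate name="Pasted" thumbprint="\u200e{TP}" thumbprintAlgorithm="sha1" />
      <Certificate name="Old" thumbprint="{'0' * 40}" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>"""

if __name__ == "__main__":
    for problem in audit_cscfg(SAMPLE_CSCFG, {"SslCert": TP}):
        print(problem)
```

The "Pasted" entry carries an invisible left-to-right mark (U+200E) in front of an otherwise correct thumbprint, which is why it is reported separately from the entry that matches no known certificate.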
Azure uses certificates to identify a trust relationship: the party to be trusted has the private key.
- Management certificates (.cer certificate files): the client connecting to the service needs to be trusted and has the private key.
- Service certificates (.pfx certificate files): the service needs to be trusted by the client connecting to the service. For example, in an SSL-secured service scenario the SSL certificate contains the private key.
Management certificates permit client access to resources in your Azure subscription. Management certificates are X.509 v3 certificates that only contain a public key, and are saved as a .cer file.
Common uses of management certificates
- Requests made using the Windows Azure Service Management REST API require authentication against a certificate that you provide to Azure; see Authenticating Service Management Requests for details. You must upload a management certificate to Azure using the Management Portal.
- Windows Azure Tools for Microsoft Visual Studio use management certificates to authenticate a user to create and manage your deployments. For more information on using the Visual Studio tools to deploy applications, see Deploy the Windows Azure Application from Visual Studio.
The same certificate can be used on more than one computer to manage an Azure subscription. To move a management certificate from one computer to another development computer, it must be exported as a PFX file and then reimported on the other development computer.