Handling certificates for Azure management API calls
Azure exposes a few REST-based WCF services (the Azure management API) that let you perform programmatically many of the tasks available in the Azure portal, such as:
1. Managing deployments (create, delete, upgrade, swap, etc.)
2. Managing the hosted service (start, stop, other configuration changes, etc.)
3. Listing hosted and storage services
4. Fetching hosted application/service details, etc
For getting a detailed list of possible operations, please follow this MSDN link.
All these calls are made over HTTPS, and each call needs to have a certificate (.cer) attached as part of the web request. A few requirements must be met for this certificate-based call to succeed:
1. Upload the certificate containing the public key (.cer) to the subscription against which the calls are to be made. Each Azure account is assigned one subscription (ID). The subscription is analogous to the space in which we intend to perform tasks such as deploying an application/service, fetching the details of an already hosted service/application, etc.
2. The certificate must also be installed (with its private key) on the machine from which the API calls originate. This requirement is very easy to meet when the calls are made from a local machine, say from a Windows-based application. It is a little more involved when the application (web application/service) making the calls is deployed in a virtual machine in the cloud, to which we have very little access.
We had a tough time meeting the second requirement above, so we thought it worth presenting in this blog. To meet it, follow the activities listed below. Let us assume that we need to make these API calls from a web application called CallAPI_WebRole, which is to be deployed in the Azure cloud:
1. Through the Azure portal, go to the hosted service representing the VM for the CallAPI_WebRole application and upload the certificate (.pfx), giving the password.
a. This will not install the certificate in the certificate store of the VM. The certificate is just kept in a collection to be used for installation later.
2. In Visual Studio (VS), go to the properties of the CallAPI_WebRole web role under the ccproj and select the Certificates tab. Then select the certificate concerned (as shown in the picture below) from the development machine's certificate store (earlier it looked in currentuser/my by default, but this is now fixed in VS 2010 to look in localmachine/my), and give the store location (LocalMachine or CurrentUser) and store name (my, root, CA or trust). This choice of store location and store name tells the Azure cloud where to install the certificate (whose thumbprint is shown in the picture below) in the VM where this application package is to be deployed.
a. When the package is deployed and started with this certificate information, Azure looks in the collection mentioned in 1a (above), finds the certificate with the given thumbprint and installs it in the store location and store name specified.
b. The certificate itself is not sent with the deployment package (cspkg); only the information about the certificate to be installed is sent.
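An added example, not code from the original post: once the certificate has been installed as described above, the role can load it by thumbprint from the chosen store and attach it to a management API request. It assumes LocalMachine/My was selected in the Certificates tab; the subscription ID and thumbprint are placeholders, and the endpoint URL and x-ms-version value are those of the classic Service Management API rather than values given in the post.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class ManagementCall
{
    // Placeholders (assumptions): your own subscription ID and the thumbprint
    // of the certificate selected in the role's Certificates tab.
    const string SubscriptionId = "<subscription-id>";
    const string Thumbprint = "<certificate-thumbprint>";

    static X509Certificate2 FindCertificate(string thumbprint)
    {
        // Thumbprints copied from the certificate dialog often carry spaces or
        // invisible characters; keep only the hex digits before searching.
        string clean = new string(thumbprint.Where(Uri.IsHexDigit).ToArray());

        // Assumed store: LocalMachine/My, matching the role's certificate settings.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so that a self-signed certificate is still returned.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine/My.");
            // Only the public part (.cer) installed: client authentication cannot work.
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");
            return found[0];
        }
        finally { store.Close(); }
    }

    static string ListHostedServices()
    {
        var request = (HttpWebRequest)WebRequest.Create(
            "https://management.core.windows.net/" + SubscriptionId + "/services/hostedservices");
        request.Headers.Add("x-ms-version", "2011-10-01");
        request.ClientCertificates.Add(FindCertificate(Thumbprint));
        using (var response = request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }

    static void Main() { Console.WriteLine(ListHostedServices()); }
}
```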
I hope this information will be helpful in similar scenarios that use the Azure management API.


