8

Background: I need to test an https endpoint for a WebRole on Windows Azure. For that I need to upload a self-signed certificate, add the certificate's thumbprint to the WebRole's configuration and finally associate the endpoint with that configured certificate.

I created a self-signed certificate using makecert.exe, which is available through the Visual Studio Command Prompt. I used the following command:

makecert.exe -r -pe -n "CN=test.cloudapp.net" -sky exchange -ss my -len 2048 test.pfx

The command succeeds and I can upload the certificate file to the Windows Azure hosted service. But deployment of the WebRole fails with the following error:

Certificate with thumbprint 6AB... associated with HTTPS input endpoint Endpoint2 does not contain private key.

I have to export the certificate from the my store, and choose to include the private key and provide a password. If I upload this exported certificate file and use its thumbprint, then deployment succeeds.

I want to create a certificate file that includes the private key, without first saving the certificate to any store and exporting it from the store. Is that possible using makecert.exe?

Michiel van Oosterhout

1 Answer

15

To create a certificate without saving it to any store you'll need to use pvk2pfx.exe (available through the Visual Studio Command Prompt).

It works like this:

makecert.exe -sv CertKey.pvk -n "CN=My Azure Certificate" CertKey.cer
pvk2pfx.exe -pvk CertKey.pvk -spc CertKey.cer -pfx MyPFX.pfx -po yourPasswordHere

Running makecert.exe will ask you for a password for the private key. You'll need to enter that password for the -po argument of the pvk2pfx.exe command.

Finally you'll have a pfx file (containing the private key) named MyPFX.pfx.

Sandrino Di Mattia
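
A pre-upload check for the deployment error quoted in the question ("does not contain private key"), as an added example that is not part of the original answer: it loads the PFX straight from disk, without importing it into a certificate store, and reports the thumbprint and whether a private key is present. The function name `Test-PfxHasPrivateKey` and the prompt text are assumptions for illustration; `MyPFX.pfx` is the file name from the answer.

```powershell
# Added example. Test-PfxHasPrivateKey is a hypothetical helper name.
function Test-PfxHasPrivateKey {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )

    # .NET resolves relative paths against the process working directory,
    # which can differ from the current PowerShell location, so resolve first.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Load the file directly; nothing is added to a certificate store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath, $Password)
    try {
        # Returns $null when the certificate does not carry an RSA key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $result = [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint      # value to put in the role configuration
            HasPrivateKey = $cert.HasPrivateKey
            KeySizeBits   = if ($rsa) { $rsa.KeySize } else { $null }
            NotAfter      = $cert.NotAfter
        }
    }
    finally {
        $cert.Reset()   # release the certificate and key material loaded from the file
    }

    # A certificate-only file loads without error but reports no private key.
    if (-not $result.HasPrivateKey) {
        throw "'$fullPath' contains no private key; an HTTPS endpoint cannot use it."
    }
    $result
}

# Prompting keeps the password out of the command line and shell history.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Test-PfxHasPrivateKey -Path .\MyPFX.pfx -Password $pw | Format-List
```
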
  • 1
    I was having some problems getting Azure to accept the PFX file generated by pvk2pfx. A solution was to import the certificate to Windows certificate store and then export from there. – Juha Palomäki Mar 13 '13 at 21:04
  • 1
    In case anyone was wondering, once you've done this you can find the certificate's thumbprint on Azure management console. – Rob Church Apr 23 '13 at 09:50
  • @RobChurch or by double clicking on the .cer file. – ahmet alp balkan Oct 09 '14 at 09:36
  • 1
    Seems you MUST use the -po option with the pvk2pfx to get things to work with Azure. The docs say if there is no -po it uses the one in the .pvk but I could never get Azure to take the .pfx until I explicitly used the -po option – Mikee May 22 '15 at 18:58
  • When using a certificate created this way I get the message "SignTool Error: The signer's certificate is not valid for signing." Did I do something wrong? – A.bakker Mar 28 '23 at 08:19