12

Is there a way I can have multiple ssl certificates point to a single inputendpoint in a service definition? For example, lets say I have two url's.

service.foo.net/Service.svc

service.doo.net/Service.svc

I want both of these addresses to resolve to my windows azure service, but I'm not sure how to configure this in the service definition.

<Certificates>
   <Certificate name="service.foo.net" storeLocation="LocalMachine" storeName="My" />
   <Certificate name="service.doo.net" storeLocation="LocalMachine" storeName="My" />
  </Certificates>
  <Endpoints>
   <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="service.foo.net" />
  </Endpoints>

According to this MSDN article, each input endpoint must have a unique port. Is there any way to specify more than once certificate for this endpoint?

Brosto
  • 4,445
  • 2
  • 34
  • 51
  • Not yet - I ended up just using one of my certificates. I still would like to know if this is possible. I think it would be a good feature. – Brosto Feb 09 '11 at 19:12

3 Answers3

8

Unfortunately this is not possible. Azure is re-exposing an SSL limitation. The SSL limitation is interesting, and the reason you can't use v-hosts over SSL. Lets walk through an example:

  1. You connect to https://ig2600.blogspot.com
  2. That resolves to some ip address - say 8.8.8.8
  3. Your browser now connects to 8.8.8.8
  4. 8.8.8.8 must preset a certificate before your browser will send any data
  5. the browser verifies the ceritificate presented is for ig2600.blogspot.com
  6. You send the http request, which contains your domain name.

Since the server needs to present a certificate before you tell it the host name you want to talk to, the server can't know which certificate to use if multiple are present, thus you can only have a single cert.

Igor Dvorkin
  • 827
  • 1
  • 8
  • 18
  • Thanks for walking through a request, makes perfect sense, just wish it worked different. We ended up just picking a single site and forcing everyone to switch to that one. I was hoping I would get an answer that would allow this to work, but it looks like it's not possible. Thanks again for the answer. – Brosto Mar 22 '11 at 13:13
5

"Oliver Bock"'s answer may work for you and "Igor Dvorkin"'s answer is not valid anymore since IIS 8 with Windows Server 2012 supports SNI, which enables you to add a "hostheader" to HTTPS bindings and having multiple SSL certificates to different domains listening to the same HTTPS port.

You need to automate the process of installing the certificates on the machine and add HTTPS bindings to IIS.

I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

Vitor Ciaramella
  • 440
  • 3
  • 4
  • This page 404's now. @Vitor - do you have an updated URL? THX! – ScottCate Apr 11 '16 at 15:54
  • 1
    @ScottCate, I was trying to get to the same link and had trouble. Was able to locate it via the wayback machine @ https://web.archive.org/web/20130608051737/http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services – Craig Taylor May 04 '16 at 19:11
4

This post indicates you will need a "multi domain certificate", which seems to be a certificate that can match multiple DNS names in step 5 of Igor's answer. I have not tried it, but presumably this certificate can be uploaded to Azure in the usual way.

Oliver Bock
  • 4,829
  • 5
  • 38
  • 62
  • 1
    Didn't realize something like that existed. I'll look into that. thanks! – Brosto Jun 02 '11 at 15:23
  • Just to be clear, are you talking about a 'wildcard' certificate when you mention 'multi-domain certificate'? (I clicked the link but couldn't access the post). I'd like to get this working with multiple subdomains pointing to the same worker role. – keithl8041 Feb 22 '13 at 00:33
  • 1
    @keithl8041 No - a 'wildcard' certificate only matches subdomains under a single domain (*.yourapp.com). A multi-domain certificate supports up to 100 different Subject Alternative Name records, which can be any domain on the web, but NO wildcards. E.g. you can have www.yourapp.com + beta.yourapp.com + www.otherapp.com. However you cannot have *.yourapp.com + *.otherapp.com – Yoshi Apr 24 '14 at 01:38