Joshua Fennessy

Creating and Configuring Certificates for Azure PowerShell Management

If you’ve worked at all with Microsoft (previously Windows) Azure, you’ll know that the Management Portal can only get you so far. Eventually, you’re going to run into the desire to script tasks, or the need to use PowerShell because the functionality doesn’t yet exist in the Management Portal.

Once you find yourself opening the Azure PowerShell command prompt, you’ll first have to configure your session to connect to the Azure Subscription you want to manage. Once you have to do that more than once, you’ll be looking for ways to automate your subscription selection. Fortunately, there is an easy way to do that.

In this post, I’ll show you how to create a certificate, associate it with your subscription, and configure your machine using PowerShell to use that subscription by default. The steps I show here are designed to work in a development environment. Please be sure to review them to ensure that the security settings are compliant with your environment if you wish to do this process in production.

This post will cover, in brief, the following topics:

  • Creating a personal certificate
  • Exporting and uploading the certificate to Azure
  • Configuring Azure PowerShell environment on local machine

Creating a Personal Certificate

The easiest way to create a personal certificate is to use the makecert.exe utility which is installed with Visual Studio. Follow the steps below to create a certificate that is compatible with Windows Azure.

1.) Open a Visual Studio Command Prompt in Administrator Mode

2.) Enter the following command. Note that Azure-compatible certificates must have a key length of at least 2048 bits and should be stored in the Personal certificate store. Replace the <CertificateName> placeholder with the name of the desired certificate. For more information on creating and managing certificates compatible with Windows Azure, read this TechNet article (http://msdn.microsoft.com/en-us/library/azure/gg551722.aspx)

makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"

3.) Upon receiving a Successful response from the command, open the “Manage User Certificates” console.

4.) Browse to the Personal store and verify that the certificate you just created is there.

Exporting and Uploading the Certificate to Azure

Once you have the certificate created, you’ll need to export a copy of it in .CER format to upload to Azure. By doing this, you’re allowing Azure to verify that a connection coming from your machine is valid and should be trusted.

The certificate that you export shouldn’t contain your private key, so be careful. If you export a copy of your certificate with a private key and someone were to get hold of that certificate, they could pretend to be YOU in Azure’s eyes, opening up the possibility of a security breach.

1.) From the Certificate Store console, right-click on the certificate created in the above procedure and select All Tasks –> Export

2.) At the first step of the Certificate Export wizard read the information presented and click Next. The next step will allow you the choice to export the private key. Be sure to select No, do not export the private key.

3.) On the Export File Format screen, choose one of the options that results in an exported certificate in the .CER format. I chose the first option for my exported certificate.

4.) Provide a filename for the exported certificate and click Next. Review the options and click Finish to complete the export of your certificate.

5.) To upload the certificate to your Azure subscription, first you’ll need to log in to the Azure Management Portal. Once successfully logged in, open the Subscriptions menu and select Manage Subscriptions/Directory.

6.) On the Subscriptions Settings page, navigate to the Management Certificates section and click the Upload button on the bottom menu.

7.) Browse to the exported certificate created in the steps above and click the checkmark to upload the certificate.

Configuring Azure PowerShell Environment on Local Machine

With the personal certificate created and uploaded to your Windows Azure subscription, the final step is to add this subscription to your PowerShell environment and configure options for its default use.

To complete the following steps you’ll need to have the Windows Azure PowerShell cmdlets installed. You can choose to use either the Windows Azure PowerShell command line or the PowerShell ISE for this next task.

1.) Before you begin entering PowerShell code, you’ll need to collect two pieces of information. First, the Certificate Thumbprint. This is found by opening the certificate created earlier, browsing to the Details tab and looking for the Thumbprint property. Copy all of the characters from the thumbprint and remove the spaces. Set this aside for a minute.

2.) The second piece of information you need to collect is the Windows Azure Subscription ID. This is found on the Azure Management Portal in Subscription Settings – the same page you used above to upload the certificate. Copy the SubscriptionID and set it aside for a minute.

3.) Back to your PowerShell window. First you need to create a variable to hold your certificate and execute an Azure cmdlet to add the Subscription to your local configuration. The following two lines of PowerShell code take care of this.

Note that the path to the certificate assumes that you’ve created the certificate the same way as above, so it’s stored in your Personal certificate store. Modify the code below if you have it stored in a different location.

$cert = Get-Item "Cert:\CurrentUser\My\<CertificateThumbprint>"

Set-AzureSubscription -SubscriptionName <EnterSubscriptionName> -SubscriptionId <SubscriptionID> -Certificate $cert

4.) To verify the subscription was added correctly, run the following command. This command will return a list of all subscriptions configured on your machine.

Get-AzureSubscription

5.) With the subscription now added, you need to select it and optionally set it as default. If set as default, it will be active upon opening a new Azure PowerShell window – a great option if you want to be able to open a command prompt and begin administering Azure right away. To do this, use the following command.

Note that you can add the -Default option to make this the default subscription, as described above.

Select-AzureSubscription -SubscriptionName <EnterSubscriptionName>

6.) Now that the new Subscription is created and selected, it’s time to test. You can run a command like the following to verify that your new certificate-enabled subscription is working properly.

Get-AzureVM

or

Get-AzureAccount
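
A scripted version of the export and thumbprint steps above, as an added example that is not part of the original post: it cleans up the pasted thumbprint, checks the key length, writes a public-only .CER and confirms the file holds no private key before you upload it. The function name Export-ManagementCertPublicOnly and its parameters are hypothetical; it assumes Windows PowerShell with the built-in PKI module (Export-Certificate) and a certificate in the Personal store as created above.

```powershell
# Added example, not code from the original post. Function and parameter names are hypothetical.
function Export-ManagementCertPublicOnly {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # as pasted from the Details tab
        [Parameter(Mandatory)] [string] $OutFile       # e.g. .\<CertificateName>.cer
    )

    # The certificate dialog copies the thumbprint with spaces and often an
    # invisible leading character; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($clean.Length) digits."
    }

    $cert = Get-Item -Path "Cert:\CurrentUser\My\$clean" -ErrorAction Stop

    # The private key must be present here, and must stay here.
    if (-not $cert.HasPrivateKey) {
        throw "No private key in the store for $clean; this machine could not authenticate with it."
    }

    # The post states that Azure requires a key length of at least 2048 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa -or $rsa.KeySize -lt 2048) {
        throw "Certificate key is not RSA with at least 2048 bits."
    }

    # -Type CERT writes the DER-encoded certificate only (public key, no private key).
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

    # Re-load the exported file and confirm what is about to be uploaded.
    $full = (Resolve-Path $OutFile).Path
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    if ($exported.HasPrivateKey) { throw "Exported file contains a private key; do not upload it." }
    if ($exported.Thumbprint -ne $cert.Thumbprint) { throw "Exported file does not match the store certificate." }

    $cert   # return the store certificate for use with Set-AzureSubscription
}

# Usage with the post's placeholders:
# $cert = Export-ManagementCertPublicOnly -Thumbprint '<CertificateThumbprint>' -OutFile '.\<CertificateName>.cer'
```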

Conclusion

With the certificates now installed and your PowerShell environment configured it will be easier than ever to administer your Azure environment. You can even import multiple personal certificates to your Azure environment, so if you have multiple machines you can configure them all for easy access to your cloud environment.
