我的Azure Web角色中的SSL证书是“不可信任”的。 [英] SSL certificate in my Azure Web Role is "not trusted"

问题描述

我的Azure网络角色中安装了GoDaddy SSL证书。它适用于大多数客户，但有些客户抱怨证书不受信任。特别是，我有一个Azure Scheduler作业连接到我的Web角色定期POST到https端点，但POST失败。经过一番调查后发现POST失败了，因为SSL证书不可信。

I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".

我的SSL证书没有完全正确连接的事实也是通过使用此工具检查我的域名进行验证：

The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:

https： //www.digicert.com/help

我知道很多客户端（网络浏览器）都有GoDaddy证书链（即中间）从我的SSL证书到GoDaddy根CA的证书烘焙到它们中。但是一些客户端（例如Azure Scheduler）希望我的Web服务器不仅提供我的SSL证书，还提供直到根CA的所有中间证书。

I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.

如何在Azure网络角色中包含中间证书吗？

How do I include the intermediate certificates in my Azure web role?

注意：我问这个问题是为了自己回答这个问题（现在我已经努力了一周算出来。）

Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).

推荐答案

答案概述

您需要手动将中间证书添加到Web角色证书（在Visual Studio中），并且需要将中间证书上载到Azure Web角色。

You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.

步骤1：将p7b文件转换为pfx以上传到Azure

此步骤源自< a href =https://blogs.msdn.microsoft.com/waws/2015/12/02/add-an-ssl-certificate-to-an-azure-web-app-crt-and-p7b/ =nofollow noreferrer>这篇文章。

1. 从GoDaddy下载您的证书文件。这会为您提供一个包含 crt 文件和 p7b 文件的zip文件。 crt文件包含您的SSL证书，但在完成CSR请求之前，它尚未完全出炉。请参阅下文了解详情。 p7b文件包含GoDaddy中间证书。


2. 使用crt文件完成CSR请求。有关详细信息，请参阅此SO答案。


3. 打开Windows证书管理器（certlm。 msc）


4. 将p7b文件导入本地计算机/中级证书颁发机构/证书节点。


5. 将SSL证书及其依赖项导出为.PFX文件。如果使用证书管理器（certlm.msc）导出证书，则此步骤有效，但如果使用IIS管理器导出证书，则无法（据我所知）。在个人/证书节点中找到您的SSL证书，右键单击，然后选择所有任务... /导出。告诉向导导出私钥，并在路径和所有扩展属性中包含所有证书。

1. Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
2. Complete the CSR request using the crt file. See this SO answer for details.
3. Open the Windows Certificate Manager (certlm.msc)
4. Import the p7b file into the Local computer/Intermediate Certifcation Authorities/Certificates node.
5. Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.

步骤2：将证书上载到Azure Web角色

将您在上一步中创建的pfx文件上载到Azure Web角色中的证书。这会将您的SSL证书和所有中间证书直到根CA 添加到您的Azure Web角色。

Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.

第3步：将证书添加到Web角色项目

此步骤源自这篇文章。

1. 在Visual Studio中，导航到您的Web角色（解决方案/ Azure项目/角色/您的Web角色），右键单击，然后选择属性


2. 在属性窗口中，选择证书

1. In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties
2. In the Properties window, select Certificates

现在，您需要手动添加新证书（实际上，您只是为每个中间证书添加新证书指纹）。您可以从Azure门户证书网页复制并粘贴指纹，或者（通过一些额外的工作）您可以直接从本地Windows证书存储中获取它们。

Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.

如果你想在Visual Studio中使用内置的从我的电脑中读取证书魔法来获取指纹，你需要先：

If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:

1. 打开Windows证书管理器（certlm.msc）


2. 将包含中间证书的pfx文件导入个人/证书 node

1. Open the Windows Certificate Manager (certlm.msc)
2. Import the pfx file containing your intermediate certificates into the Personal/Certificates node

同时，回到Visual Studio，每个中间证书：

Meanwhile, back in Visual Studio, for each intermediate certificate:

1. 点击添加证书，然后


2. 输入一个有意义的中间证书名称（该名称仅供参考;不使用任何事情）


3. 将商店名称设置为CA.


4. 输入证书指纹。您可以从Azure门户中的Web角色/证书页面复制并粘贴它，或者，如果您已将证书导入个人证书存储区（如上所述），则可以通过单击指纹中的省略号来获取它。选择证书。

1. Click "Add certificate", then
2. Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
3. Set the Store Name to CA.
4. Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above) you can get it by clicking the ellipses in the Thumbprint box and selecting the certificate.

第4步：发布和测试

哇。所以，现在你已经将p7b和crt文件转换为包含SSL证书和GoDaddy证书的pfx文件。您已将证书上载到Azure，并已将它们添加到Visual Studio项目中。

Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.

将新项目发布到Azure。您可以使用以下任一在线工具测试您网站的SSL：

Publish your new project to Azure. You can test your website's SSL using either of these online tools:

https://www.sslshopper.com/ssl-checker.html

https://www.digicert.com/help

这篇关于我的Azure Web角色中的SSL证书是“不可信任”的。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！