Windows Azure has a great Management API that service owners may use to perform tasks such as listing storage instances, viewing web roles, and collecting service statistics. In order to use the Management API the service owner must first create a digital certificate and upload it using the Windows Azure Portal (NOTE: I am using the Legacy Portal, which will go away in 2011). A .pfx file is uploaded, and with each service request the client must supply a .pem file to prove it is authorized to use the service.

Being a Linux user programming on Windows 7 I had no idea how to create a certificate. There is a utility supplied with the Windows SDK called ‘makecert’ which is supposed to be able to create the certificates needed. In fact Convective has a great article on using the Management API which shows not only the makecert command but also how to use the Management API in general, and I highly encourage you to read it.

Anyways, I struggled getting it to work so I dropped back to Linux and used the ‘openssl’ command, which should be available for Windows as well, but I already had access to a Linux machine and it was faster to do it that way. Creating the .pfx and the .pem is trivial and can be done in two commands. Here they are:
openssl req \
    -x509 -nodes -days 365 \
    -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

openssl pkcs12 -export \
    -out mycert.pfx -in mycert.pem \
    -name "My Certificate"
Voilà! Upload those through the Portal and you should be good to go.
EDIT (03-02-2011): After going through all this trouble I found another section of the Portal which allows you to upload the .cer, which is what ‘makecert’ gives you. If you select your hosted account and manage the certificates there you must use a .pfx; however, if you use the ‘Account’ tab you can use the .cer. You need the .cer and not the .pfx. It is a little confusing as there are two places to upload certificates. The original location I used was on the hosted service; this is not the location of a certificate for the Management API. That is located at the account level. Click the Account tab (Legacy Portal), then View My API Certificates. Here you will upload a .cer file which will allow you to call the Management API at your leisure.
Of course you will need the .cer to do this, and if you followed above you only have a .pfx and a .pem. The following command will give you a .cer you can use. Of course you could always skip these steps and use the ‘makecert’ command to generate the .cer for you directly :D.
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
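The three commands above combined into a non-interactive script with a consistency check, as an added example that is not part of the original post. It confirms that the .cer you upload, the .pfx and the .pem the client presents all carry the same certificate, and that the private key stays in the .pem. The subject name, the export password and the 2048-bit key (the post uses rsa:1024) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. The subject name, the export
# password and the 2048-bit key size are assumptions made for this example.
PFX_PASS='example-only'   # constructed value; choose your own

# Create mycert.pem (key + certificate), mycert.pfx and mycert.cer in dir $1.
make_mgmt_cert() (
    umask 077   # mycert.pem holds an unencrypted private key (-nodes)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj '/CN=example-management-cert' \
        -keyout "$1/mycert.pem" -out "$1/mycert.pem" 2>/dev/null &&
    openssl pkcs12 -export -out "$1/mycert.pfx" -in "$1/mycert.pem" \
        -name "My Certificate" -passout "pass:$PFX_PASS" &&
    openssl x509 -inform pem -in "$1/mycert.pem" -outform der -out "$1/mycert.cer"
)

# SHA-256 fingerprint of the certificate in file $2; $1 is pem or der.
fingerprint() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256
}

# Succeed only if all three files in dir $1 carry the same certificate and
# the client-side .pem still includes a private key block.
check_mgmt_cert() {
    pem_fp=$(fingerprint pem "$1/mycert.pem") || return 1
    cer_fp=$(fingerprint der "$1/mycert.cer") || return 1
    pfx_fp=$(openssl pkcs12 -in "$1/mycert.pfx" -passin "pass:$PFX_PASS" \
                 -nokeys 2>/dev/null |
             openssl x509 -noout -fingerprint -sha256) || return 1
    [ -n "$pem_fp" ] && [ "$pem_fp" = "$cer_fp" ] && [ "$pem_fp" = "$pfx_fp" ] &&
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1/mycert.pem"
}
```

Only mycert.cer needs to leave the machine for the Management API upload; mycert.pem and mycert.pfx both contain the private key.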
2 thoughts on “Generating Certificates for use with the Windows Azure Management API”
if you need it for azure backup, you can still use it with a rsa: 2048 and within openssl.cnf you need to add extendedKeyUsage = clientAuth,serverAuth
I used openssl, as I couldn’t get makecert anywhere, the link from Microsoft to the TechNet gallery is not accessible anymore and I didn’t want to install the full SKU.