Monday, June 25, 2012

Create a Cert for Azure with MakeCert.exe

I have been working with Azure a lot as of late. One of the tasks I have had to do a few times is create a cert that I can upload and that my Azure web role can use. I have gotten tired of always trying to remember the right command line to do this. By default MakeCert creates a 1024-bit cert, which is no longer a valid key size for IIS. If you don't change this default and try to upload and use that cert, your web role will continue to crash on you and never fully initialize (a fact I found out painfully. FYI, if you have this issue you not only need to create a cert with a 2048-bit key, but you also need to change the cert name in your web role config). So, if you have an Azure web role that keeps crashing on you and it is not for the standard reason of a missing assembly that was not set to copy local, check your certs.

Now on to the good stuff. Here is the command line I am using.

makecert -r -pe -a sha1 -n "CN=<your name here>" -ss My -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 <cert name>.cer

This command also, as part of the creation, puts the cert in your local cert store. You can then export the private key (pfx file) via the management console (mmc). I tried to use this cert for my ACS relying party to encrypt the token but it is not a valid cert for key exchange.
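The following PowerShell script is an added example, not part of the original post: it wraps the makecert command above, then checks the key size and private key in the cert store before anything is uploaded, and exports the PFX without going through the MMC. It assumes makecert.exe is on the PATH (Windows SDK) and that the Export-PfxCertificate cmdlet from the PKI module is available (Windows 8 / Server 2012 or later, Windows PowerShell); the subject name, file paths and the $KeyBits parameter are placeholders. The -a sha1 flag is kept to match the post; makecert also accepts -a sha256, which is what you would use today. The key-usage report at the end only shows what the cert is allowed to do, so a key-exchange mismatch like the ACS one mentioned above is visible before you try to use it; it does not change the cert.

```powershell
# Added example (not from the original post): create the cert as in the post, verify it, export the PFX.
# Assumptions: makecert.exe on PATH; PKI module (Export-PfxCertificate) present; Windows PowerShell.
param(
    [Parameter(Mandatory = $true)] [string] $SubjectName,   # placeholder, e.g. "myrole.cloudapp.net"
    [string] $CerPath = ".\$SubjectName.cer",               # placeholder path
    [string] $PfxPath = ".\$SubjectName.pfx",               # placeholder path
    [int]    $KeyBits = 2048                                # 1024 is what makes the web role crash
)

$ErrorActionPreference = 'Stop'

# 1. Create the self-signed cert exactly as in the post: exportable private key (-pe), RSA key of
#    $KeyBits bits, AES-capable CSP (-sp/-sy 24), stored in the current user's Personal store (-ss My).
& makecert.exe -r -pe -a sha1 -n "CN=$SubjectName" -ss My -len $KeyBits `
    -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 $CerPath
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# 2. Find the cert just created in Cert:\CurrentUser\My (newest one with that subject).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "Certificate CN=$SubjectName not found in Cert:\CurrentUser\My" }

# 3. Check the RSA key size before the cert ever reaches Azure. makecert uses a CAPI provider, so
#    PublicKey.Key is an RSACryptoServiceProvider here (on .NET 4.6+ you can also use
#    [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)).
$actualBits = $cert.PublicKey.Key.KeySize
if ($actualBits -lt $KeyBits) {
    throw "Key size is $actualBits bits; expected at least $KeyBits. Re-run makecert with -len $KeyBits."
}
if (-not $cert.HasPrivateKey) { throw "No private key attached; the cert cannot be exported as a PFX." }

# 4. Report the KeyUsage extension so a cert that is signature-only (not usable for key exchange)
#    is obvious before you try to use it. No KeyUsage extension at all means "unrestricted".
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$keyUsage = if ($ku) { $ku.KeyUsages.ToString() } else { 'None (unrestricted)' }

# 5. Export the PFX (cert plus private key) with a password; this is the file you upload to Azure.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Summary for the operator. The web role's certificate config references the cert by thumbprint,
# so this is the value to update alongside the cert name mentioned in the post.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    KeyBits    = $actualBits
    SigAlg     = $cert.SignatureAlgorithm.FriendlyName
    KeyUsage   = $keyUsage
    Cer        = $CerPath
    Pfx        = $PfxPath
}
```

Run it as `.\New-AzureRoleCert.ps1 -SubjectName myrole.cloudapp.net` (file name is a placeholder). The script fails closed: if makecert silently fell back to a 1024-bit key or the private key is missing, it throws before the PFX is written, so the broken cert never gets uploaded.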