Tuesday, April 15, 2014

Private domain SSL setup on Windows Azure VM

Nine years of programming life, and finally I got the chance to set up the domain & SSL on my own. Usually I work in enterprises, where this is done by the MIS guy and programmers are shut off from the production environment. With the new job, and as the new back-end department pioneer, here came the opportunity.

For the first few steps I'll show more on hosting with Windows Azure; with any other hosting company the steps will be roughly the same.

1) Hosting with Windows Azure: You have to purchase a cloud server. In my case I use: http://azure.microsoft.com/en-us/. You can start with a trial plan, but it will not last long, a few days at most. Here are a few links you can start with:


It's highly recommended that you use a recent IE (I use IE9) for accessing Windows Azure, even for service payment. Most other standard browsers do not work well with the IE-oriented Windows Azure portal.

2) Hosting with Windows Azure: Your web binary files can be deployed through FTP; these are the steps: http://www.intstrings.com/ramivemula/articles/enable-ftp-access-on-windows-azure-vm/. Keep in mind that plain FTP sends the login and the files in clear text across the internet, so use FTP over SSL (which the IIS FTP server supports) if you can, and close the FTP endpoint when you are not deploying.

3) Hosting with Windows Azure: Remember to open the Azure HTTPS endpoint (normally TCP port 443) for the server. The endpoint sits on Azure's load balancer in front of the VM, so without it HTTPS traffic never reaches IIS, no matter how the Windows Firewall on the VM is configured:


4) Domain with GoDaddy: For hosting with an Azure server you get a sub-domain that looks like this: xxx.cloudapp.net. But for HTTPS to work you need your own domain: a public CA will only sign a certificate for a name you control, and cloudapp.net belongs to Microsoft, not to you. No choice but to buy one. My company bought one at: http://my.godaddy.com/. Mind you, there's no such thing as customer service at GoDaddy; everything is on your own. When you get the domain, go to: https://mya.godaddy.com/default.aspx?prog_id=GoDaddy&.


Click on "Launch" next to the domain and you will see the domain you purchased.


5) Domain with GoDaddy: For hooking the domain up to the Windows Azure server, some details are here: http://blog.smarx.com/posts/custom-domain-names-in-windows-azure. The latest GoDaddy site might look like this. Click on "Manage" next to "Forwarding".


Add one entry for your domain here.



Click on "DNS Zone". Point the Host "@" (A) record at the Windows Azure Virtual IP, and the CNAME "www" record at the Azure DNS name (xxx.cloudapp.net). You can get both from the Windows Azure Dashboard. Note that the Virtual IP belongs to the cloud service and is released if every VM in it is stopped (deallocated), so after such a shutdown check that the A record still matches; the CNAME keeps working because it follows the Azure DNS name rather than the address.





6) Domain & Hosting: After the TTL period, you can reach the website through the domain. You will get the standard IIS welcome page, which looks like this:


7) Domain & Hosting: You have to go back to IIS on the Azure VM and add this domain to the website. Click "Add Web Site".


On the newly added website, click "Bindings" and key in the domain info.

And your website should be browsable by now.


8) SSL with GoDaddy: Now we come to the final part, which is SSL. Purchase the SSL certificate from GoDaddy. Create the certificate request by following this link: http://azure.codegrains.com/2013/07/step-by-step-guide-for-implementing.html (up to step 8). Generate the request on the server that will serve the site, with a 2048-bit key, so that the private key never leaves that machine; only the request is sent to GoDaddy. It takes only a few minutes for the certificate to be signed.


Install the SSL certificate by following this link: [To Install an SSL Certificate in Microsoft IIS 7] http://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7?locale=en&countrysite=my&pc_split_value=4. Do not skip the part about the CA's intermediate certificate: a server that sends only its own certificate will look fine in a browser that happens to have the intermediate cached and fail in every other client, and the checks in step 10 will report an incomplete chain.

9) SSL: Do not forget the HTTPS binding on the new website.


And your site should be browsable through HTTPS by now.
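The same steps 7 to 9 (request, install, bind) done from an elevated PowerShell prompt on the VM, added here as an illustration; this is not code from the post, from GoDaddy or from Microsoft. It assumes IIS 7.5 on Windows Server 2008 R2, and every name in it (domain, directories, organisation, the issued.crt and intermediate file names) is a placeholder to replace with your own.

```powershell
# Added example, not part of the original post. Run elevated on the Azure VM.
# Placeholders: substitute your own domain, paths and organisation details.
$domain   = 'www.example.com'
$siteRoot = 'C:\inetpub\example'
$workDir  = 'C:\ssl'
New-Item -ItemType Directory -Force -Path $siteRoot, $workDir | Out-Null

# --- 1. Key pair and CSR (step 8). The key is created in the machine store so
#        IIS can use it and it never has to leave this server. -----------------
@"
[NewRequest]
Subject = "CN=$domain, O=Example Ltd, L=Kuala Lumpur, S=Wilayah Persekutuan, C=MY"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$workDir\request.inf" -Encoding ASCII
certreq -new "$workDir\request.inf" "$workDir\request.csr"
# Paste request.csr into GoDaddy's request form. Stop here until the signed
# certificate (assumed name: issued.crt) and the intermediate bundle (assumed
# name: gd_iis_intermediates.p7b) have been downloaded into $workDir.

# --- 2. Install the issued certificate and the CA intermediate. ---------------
# certreq -accept pairs the certificate with the pending request's private key;
# it is the command-line form of "Complete Certificate Request" in IIS Manager.
certreq -accept "$workDir\issued.crt"
# Without the intermediate in the machine's CA store the server sends an
# incomplete chain and clients that lack the intermediate reject it.
certutil -addstore -f CA "$workDir\gd_iis_intermediates.p7b"

# --- 3. Site with HTTP and HTTPS bindings (steps 7 and 9). --------------------
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$domain*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $domain in LocalMachine\My" }

if (-not (Get-Website -Name $domain)) {
    New-Website -Name $domain -PhysicalPath $siteRoot -Port 80 -HostHeader $domain | Out-Null
}
# IIS 7.5 binds a certificate per IP:port, not per host name (SNI arrives with
# IIS 8), so the HTTPS binding carries no host header and :443 holds one cert.
if (-not (Get-WebBinding -Name $domain -Protocol https)) {
    New-WebBinding -Name $domain -Protocol https -Port 443 | Out-Null
}
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
$cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null

# --- 4. Show what IIS will actually present. ----------------------------------
Get-WebBinding -Name $domain | Select-Object protocol, bindingInformation, certificateHash
"Subject: $($cert.Subject)  Expires: $($cert.NotAfter)  Thumbprint: $($cert.Thumbprint)"
```

Run part 1, submit the CSR, then run parts 2 to 4 once the files are in place; the certificateHash shown at the end must equal the thumbprint of the certificate you intended to serve, which is the first thing to check when the browser shows a certificate warning after binding.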


10) SSL: After the SSL is set up, you can check the SSL security level of your server. Here are a few websites you can use:

  1. https://sslcheck.casecurity.org/en_US (you might need to clear your cache after your first run)
  2. https://www.ssllabs.com/ssltest/analyze.html
  3. http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm

11) SSL: With the default settings on Windows Server 2008 R2, you'll most probably get an "F".


This is because SSL version 2 is still enabled on the server side by default on 2008 R2. Turning it off is a registry change under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, and SCHANNEL only reads it at boot, so the server must be restarted afterwards. While you are in that key, note that TLS 1.1 and 1.2 exist on 2008 R2 but are switched off by default, and that the default cipher list under SCHANNEL\Ciphers still includes RC4 and 56-bit DES; those are worth fixing in the same pass. Here are the links you can refer to:
  1. http://support.microsoft.com/kb/187498
  2. http://hosting.com/support/pci-security-scan/disable-sslv2-for-microsoft-iis7-under-windows-server-2008-64bit/
  3. http://blogs.msdn.com/b/httpcontext/archive/2012/02/17/how-to-disable-ssl-2-0-on-windows-server-2008-r2.aspx
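
A script version of the registry changes described in step 11, added here as an illustration and not taken from the post or from the linked articles. It assumes an elevated PowerShell prompt on Windows Server 2008 R2 and a reboot afterwards; the registry key and value names are SCHANNEL's own, while the choice of what to disable and enable is mine. It goes a little beyond the post: it also turns off SSL 3.0, PCT 1.0 and the weak ciphers, and turns on TLS 1.1 and 1.2.

```powershell
# Added example, not part of the original post. Run elevated, then reboot.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelValue {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # The .NET registry API is used on purpose: the PowerShell registry
    # provider treats the '/' in cipher names such as 'RC4 128/128' as a
    # path separator and would create the wrong key.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled)
    # Enabled=0 hard-disables a protocol; DisabledByDefault=1 keeps it off for
    # applications (such as IIS) that do not opt in explicitly. Set both.
    foreach ($side in 'Server', 'Client') {
        $sub = "Protocols\$Protocol\$side"
        Set-SchannelValue $sub 'Enabled'           $(if ($Enabled) { 1 } else { 0 })
        Set-SchannelValue $sub 'DisabledByDefault' $(if ($Enabled) { 0 } else { 1 })
    }
}

function Get-SchannelProtocolState {
    # Read-back for verification: returns the two values as stored, or the
    # text '(default)' when the key has never been written.
    param([string]$Protocol, [string]$Side = 'Server')
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\Protocols\$Protocol\$Side")
    if ($null -eq $key) { return "{0,-8} {1,-6} (no key, OS default)" -f $Protocol, $Side }
    $line = "{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}" -f $Protocol, $Side,
            $key.GetValue('Enabled', '(default)'), $key.GetValue('DisabledByDefault', '(default)')
    $key.Close()
    return $line
}

# SSL 2.0 is what earns the F; SSL 3.0 and PCT 1.0 are legacy as well.
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') { Set-SchannelProtocol $p $false }
# TLS 1.1 and 1.2 ship with 2008 R2 but are off by default. TLS 1.0 stays on
# here because many 2014-era clients have nothing newer.
foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') { Set-SchannelProtocol $p $true }

# Weak or null ciphers: Enabled=0 removes them from the negotiable set.
foreach ($c in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    Set-SchannelValue "Ciphers\$c" 'Enabled' 0
}
# For ciphers "on" is the DWORD 0xFFFFFFFF; as a signed Int32 that is -1.
foreach ($c in 'AES 128/128', 'AES 256/256') {
    Set-SchannelValue "Ciphers\$c" 'Enabled' -1
}

# Print what was written so it can be checked before the reboot.
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    Get-SchannelProtocolState $p
}
Write-Host 'SCHANNEL settings are read at boot: restart the server, then re-run the step 10 checks.'
```

After the reboot, re-run the SSL Labs test from step 10; the protocol list it reports must match the read-back lines printed by the script, and if it does not, the most common cause is a typo in a protocol key name, which SCHANNEL silently ignores.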

12) SSL: After adding the new registry entries and restarting the server, I got this, a "B".


13) Done! Phew, what a long way.