Use certificates with Azure Cloud Services (extended support)

Key Vault is used to store certificates that are associated to Cloud Services (extended support). Key Vaults can be created through the Azure portal and PowerShell. Add the certificates to Key Vault, then reference the certificate thumbprints in Service Configuration file. You also need to enable Key Vault for appropriate permissions so that Cloud Services (extended support) resource can retrieve certificate stored as secrets from Key Vault.

Upload a certificate to Key Vault

  1. Sign in to the Azure portal and navigate to the Key Vault. If you do not have a Key Vault set up, you can opt to create one in this same window.

  2. Select Access Configuration

    Image shows selecting access policies from the key vault blade.

  3. Ensure the access configuration include the following property:

    • Enable access to Azure Virtual Machines for deployment

    Image shows access policies window in the Azure portal.

  4. Select Certificates

    Image shows selecting the certificates option from the key vault blade policies window in the Azure portal.

  5. Select Generate / Import

    Image shows selecting the generate/ import option

  6. Complete the required information to finish uploading the certificate. The certificate needs to be in .PFX format.

    Image shows importing window in the Azure portal.

  7. Add the certificate details to your role in the Service Configuration (.cscfg) file. Ensure the thumbprint of the certificate in the Azure portal matches the thumbprint in the Service Configuration (.cscfg) file.

    <Certificate name="<your cert name>" thumbprint="<thumbprint in key vault" thumbprintAlgorithm="sha1" /> 
    
  8. For deployment via ARM Template, certificateUrl can be found by navigating to the certificate in the key vault labeled as Secret Identifier

    Image shows the secret identifier field in the key vault.

Next steps