
Good news™: there is a small but important development of the plot from this post, where there are a lot of words and a long history that could distract part of the target audience from the need to check and correct their settings. After an infusion of refreshing pull requests, the official documentation was updated to show how to properly configure SSL in Microsoft Azure web roles: one and two. A serious error in the example settings has been fixed.
If you are developing or maintaining a cloud service with a web role, now is the time to check that the SSL settings are correct, so that you are not overtaken at the most inopportune moment by a wave of dissatisfaction from users whose browsers have, very unexpectedly and without an obvious reason, stopped establishing a secure connection to your service.
Before the correction, the “Certificates” section in the sample settings looked like this:
<Certificates>
  <Certificate name="ProductionCert" storeLocation="LocalMachine" storeName="My"/>
</Certificates>
Using such settings, which specify only the service certificate, is a common mistake; the previous post explained the possible consequences in detail.
TL;DR. In production, services use certificates issued by so-called certification authorities; such a certificate is not signed directly by the authority's root certificate but by an intermediate certificate (which in turn is signed by the root certificate). The settings above install only the service's own certificate into the certificate store of the service instances, not the intermediate certificate.
For reliable operation, the intermediate certificates must be installed as well:
<Certificates>
  <Certificate name="IntermediateForProductionCert" storeLocation="LocalMachine" storeName="CA"/>
  <Certificate name="ProductionCert" storeLocation="LocalMachine" storeName="My"/>
</Certificates>
After the corrections, the official documentation shows examples of the correct settings.
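The mistake above is easy to catch mechanically before a deployment. The following lint is an added example (not part of the post, the Azure SDK or its documentation): it parses the Certificates section of a ServiceDefinition.csdef and reports any role that installs a certificate into the My store without also installing an intermediate into the CA store. It accepts both a bare Certificates snippet, as shown in the post, and a full .csdef with several roles; the sample definition, role names and the csdef namespace it uses are constructed for the example.

```python
"""Lint the <Certificates> section of an Azure cloud-service ServiceDefinition.csdef.

Flags a role that installs its service certificate into LocalMachine\\My without
also installing the issuing intermediate certificate into LocalMachine\\CA, which
is the misconfiguration described in the post.  Example code, not Azure SDK code.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix: '{ns}Certificate' -> 'Certificate'."""
    return tag.rsplit("}", 1)[-1]


def check_certificates(xml_text):
    """Return a list of findings; an empty list means the section is fine.

    Accepts either a bare <Certificates> snippet or a full .csdef containing
    <WebRole>/<WorkerRole> elements; each role is checked on its own.
    """
    root = ET.fromstring(xml_text)
    roles = [e for e in root.iter() if _local(e.tag) in ("WebRole", "WorkerRole")]
    findings = []
    for scope in roles or [root]:
        role = scope.get("name", "<snippet>")
        certs = [c for c in scope.iter() if _local(c.tag) == "Certificate"]
        if not certs:
            continue  # a role with no certificates has nothing to check here
        in_my = [c.get("name") for c in certs if c.get("storeName") == "My"]
        in_ca = [c.get("name") for c in certs if c.get("storeName") == "CA"]
        if not in_my:
            findings.append(f"{role}: no certificate installed into the My store")
        elif not in_ca:
            # The service certificate alone is not enough: the intermediate that
            # signed it must be installed into the CA store too.
            findings.append(
                f"{role}: {', '.join(in_my)} installed into My, but no "
                "intermediate certificate is installed into the CA store"
            )
        for c in certs:
            # IIS bindings use the machine store, so a user-store entry is a mistake.
            if c.get("storeLocation") != "LocalMachine":
                findings.append(f"{role}: {c.get('name')} is not in LocalMachine")
    return findings


# Constructed inputs: the two snippets from the post and a small full .csdef.
BEFORE = """<Certificates>
  <Certificate name="ProductionCert" storeLocation="LocalMachine" storeName="My"/>
</Certificates>"""

AFTER = """<Certificates>
  <Certificate name="IntermediateForProductionCert" storeLocation="LocalMachine" storeName="CA"/>
  <Certificate name="ProductionCert" storeLocation="LocalMachine" storeName="My"/>
</Certificates>"""

# Namespace URI and role names are assumed for this example.
FULL_CSDEF = """<ServiceDefinition name="ExampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="FrontEnd">
    <Certificates>
      <Certificate name="ProductionCert" storeLocation="LocalMachine" storeName="My"/>
    </Certificates>
  </WebRole>
  <WebRole name="Api">
    <Certificates>
      <Certificate name="IntermediateForProductionCert" storeLocation="LocalMachine" storeName="CA"/>
      <Certificate name="ProductionCert" storeLocation="LocalMachine" storeName="My"/>
    </Certificates>
  </WebRole>
</ServiceDefinition>"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("csdef", FULL_CSDEF)):
        print(label, check_certificates(text) or "OK")
```

Run it in CI against the project's .csdef: the "before" snippet and the FrontEnd role produce a finding, the corrected snippet and the Api role pass. The lint checks only what the .csdef declares; whether the certificate named in the CA entry really is the issuer of the service certificate is still verified by inspecting the chain on a running instance.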
Use it in good health, and do not upset your users' seals.
Dmitry Mescheryakov,
product department for developers