In years past, technical documentation would often brush off important steps in building a web app, for example how to authenticate. The docs would simply say that it was an implementation detail you already knew how to do, so it was out of scope for the discussion. That may be, but it would have been nice to link to a simple how-to. Recently I've been advocating for this kind of completeness of explanation for every step along the way in procedures and demos.
A common way to do authentication is to create and use a certificate. In this post we'll demonstrate creating and using a management certificate to authenticate with an Azure subscription, first with makecert (Windows only) and then with keytool (any platform with a JDK).
Create a certificate for Azure using makecert
The Azure SDK for Java uses management certificates to authenticate with Azure subscriptions. These are X.509 v3 certificates you use to authenticate a client application that uses the Service Management API to act on behalf of the subscription owner to manage subscription resources.
The website creation code in this procedure uses a self-signed certificate to authenticate with Azure. For this procedure, you need to create a certificate and upload it to the Azure Management Portal (AMP) beforehand. This involves the following steps:
- Generate a certificate (CER file).
- Upload the CER file to your Azure subscription.
- Locally save the PFX file representing your client certificate.
- Convert the PFX file into JKS, because Java uses that format to authenticate via certificates.
- Write the application's authentication code, which refers to the path of the local JKS file.
Create a certificate
To create your own self-signed certificate, open a Visual Studio command prompt as an administrator, cd to a directory in which you want to store certificates (such as C:\Certificates), and run the following command:
makecert -sky exchange -r -n "CN=<certificate_name>" -pe -a sha1 -len 2048 -ss My "<certificate_name>.cer"
For more info, see Create and Upload a Management Certificate for Azure.
Upload the certificate
To upload a certificate to Azure, go to the Settings page in the Azure Management Portal, then click the Management Certificates tab. Click Upload at the bottom of the page and browse to the location of the CER file you created.
Export the certificate as a PFX file
- Open the Certificate Manager snap-in for the management console by typing certmgr.msc in the Start menu textbox. (Or create a shortcut to C:\Windows\System32\certmgr.msc.)
- You should see the certificate listed under Personal > Certificates. When makecert creates a certificate, it also registers it in the Personal Certificates store. If your certificate is not listed, import your X.509 certificate.
- Export the certificate by right-clicking the certificate in the right pane, and selecting All Tasks > Export.
- In the Certificate Export Wizard, on the first page, click Next; on the second page, select Yes, export the private key; on the third page, select Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible; on the fourth page, click Password and provide a password; on the fifth page, specify the full path to the PFX file that the wizard will export. Click Next.
- Click Finish to generate the PFX file.
Convert the PFX file into JKS
In the Windows Command Prompt (running as admin), cd to the directory containing the certificates and run the following command, where <JavaDir> is the directory in which you installed Java on your computer:
c:\<JavaDir>\jdk1.8.0_11\bin\keytool.exe -importkeystore -srckeystore c:\certificates\<CertificateName>.pfx -destkeystore c:\certificates\<CertificateName>.jks -srcstoretype pkcs12 -deststoretype JKS
When prompted, enter the destination keystore password; this will be the password for the JKS file. When prompted, enter the source keystore password; this is the password you specified for the PFX file. The two passwords don't have to be the same.
Note that the computer on which you run this command must have the JDK installed. Also, the path to the keytool depends on the location in which you install the JDK. For more information, see Key and Certificate Management Tool in the Java online docs.
Create a certificate for Azure using keytool
The Azure SDK for Java uses management certificates to authenticate with Azure subscriptions. These are X.509 v3 certificates you use to authenticate a client application that uses the Service Management API to act on behalf of the subscription owner to manage subscription resources.
The website creation code in this procedure uses a self-signed certificate to authenticate with Azure. For this procedure, you need to create a certificate and upload it to the Azure Management Portal (AMP) beforehand. This involves the following steps:
- Generate a PFX file representing your client certificate and save it locally.
- Generate a management certificate (CER file) from the PFX file.
- Upload the CER file to your Azure subscription.
- Convert the PFX file into JKS, because Java uses that format to authenticate using certificates.
- Write the application's authentication code, which refers to the local JKS file.
When you complete this procedure, the CER certificate will reside in your Azure subscription and the JKS certificate will reside on your local drive. For more info on management certificates, see Create and Upload a Management Certificate for Azure.
Create a certificate
To create your own self-signed certificate, open a command console on your operating system and run the following commands.
Note: The computer on which you run this command must have the JDK installed. Also, the path to the keytool depends on the location in which you install the JDK. For more information, see Key and Certificate Management Tool (keytool) in the Java online docs.
To create the .pfx file:
<java-install-dir>/bin/keytool -genkey -alias AzureRemoteAccess -keystore <cert-store-dir>/<cert-file-name>.pfx -storepass <password> -validity 3650 -keyalg RSA -keysize 2048 -storetype pkcs12 -dname "CN=Self Signed Certificate 20141118170652"
To create the .cer file:
<java-install-dir>/bin/keytool -export -alias AzureRemoteAccess -storetype pkcs12 -keystore <cert-store-dir>/<cert-file-name>.pfx -storepass <password> -rfc -file <cert-store-dir>/<cert-file-name>.cer
where:
- <java-install-dir> is the path to the directory in which you installed Java.
- <alias> is the keystore entry identifier (AzureRemoteAccess in the commands above).
- <cert-store-dir> is the path to the directory in which you want to store certificates (for example C:/Certificates).
- <cert-file-name> is the name of the certificate file (for example AzureWebDemoCert).
- <password> is the password you choose to protect the certificate; it must be at least 6 characters long. You can enter no password, although this is not recommended.
- <dname> is the X.500 Distinguished Name to be associated with the alias, and is used as the issuer and subject fields in the self-signed certificate.
For more info, see Create and Upload a Management Certificate for Azure.
Upload the certificate
To upload a self-signed certificate to Azure, go to the Settings page in the Azure Management Portal, then click the Management Certificates tab. Click Upload at the bottom of the page and navigate to the location of the CER file you created.
Convert the PFX file into JKS
In the Windows Command Prompt (running as admin), cd to the directory containing the certificates and run the following command, where <java-install-dir> is the directory in which you installed Java on your computer:
<java-install-dir>/bin/keytool.exe -importkeystore -srckeystore <cert-store-dir>/<cert-file-name>.pfx -destkeystore <cert-store-dir>/<cert-file-name>.jks -srcstoretype pkcs12 -deststoretype JKS
- When prompted, enter the destination keystore password; this will be the password for the JKS file.
- When prompted, enter the source keystore password; this is the password you specified for the PFX file.
The two passwords don't have to be the same. You can enter no password, although this is not recommended.
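The last step of both procedures above (makecert and keytool) is the application code that reads the local JKS file. The following is an added example, not code from the original post or from the Azure SDK: it loads the JKS with the standard JDK KeyStore API, checks that a private-key entry exists under the alias used in the keytool command, prints the SHA-1 thumbprint so you can compare it with the one the Management Certificates tab shows after upload, and builds an SSLContext that presents that certificate as a TLS client certificate. The file path and the JKS_PASSWORD environment variable are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class JksClientAuth {
    // Assumed location of the converted keystore (hypothetical path).
    static final String JKS_PATH = "C:/Certificates/AzureWebDemoCert.jks";
    // Must match the -alias given to keytool -genkey.
    static final String ALIAS = "AzureRemoteAccess";

    // SHA-1 over the DER encoding is what the portal lists as the thumbprint.
    static String thumbprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Loads the JKS and returns an SSLContext that offers the management
    // certificate during the TLS handshake (client-certificate auth).
    static SSLContext buildClientContext(String jksPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ks.load(in, password);           // wrong password fails here
        }
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("no private key under alias " + ALIAS
                    + "; the PFX was not converted with its private key");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        cert.checkValidity();                // expired / not-yet-valid cert fails here
        System.out.println("Thumbprint (compare with the portal): " + thumbprint(cert));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);              // key password; same as store password for keytool -genkey
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust store for the server side
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Keep the password out of source control; read it from the environment (assumed variable name).
        char[] password = System.getenv("JKS_PASSWORD").toCharArray();
        SSLContext ctx = buildClientContext(JKS_PATH, password);
        // ctx.getSocketFactory() can now be handed to an HTTPS client that calls the Service Management API.
    }
}
```

If the thumbprint printed here differs from the one shown in the portal, the uploaded CER and the local JKS came from different key pairs and authentication will fail with a 403.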