Wednesday, February 25, 2015

Creating Certificates for Cloud Apps

In years past, technical documentation would often brush off important steps in building a web app--for example, how to authenticate. The docs would simply say that it was an implementation detail that you know how to do anyway, so it was out of scope for the discussion. That may be, but it would have been nice to link to a simple how-to. Recently I've been advocating for this kind of completeness of explanation for every step along the way in procedures and demos.

A common way to do authentication is to create and use a certificate. In this post we'll demonstrate creating and using a management certificate to authenticate with an Azure subscription.

Create a certificate for Azure using makecert


The Azure SDK for Java uses management certificates to authenticate with Azure subscriptions. These are X.509 v3 certificates you use to authenticate a client application that uses the Service Management API to act on behalf of the subscription owner to manage subscription resources.

The website creation code in this procedure uses a self-signed certificate to authenticate with Azure. For this procedure, you need to create a certificate and upload it to the Azure Management Portal (AMP) beforehand. This involves the following steps:

  • Generate a certificate (CER file).
  • Upload the CER file to your Azure subscription.
  • Locally save the PFX file representing your client certificate.
  • Convert the PFX file into JKS, because Java uses that format to authenticate via certificates.
  • Write the application's authentication code, which refers to the path of the local JKS file.


When you complete this procedure, the CER certificate will reside in your Azure subscription and the JKS certificate will reside on your local drive. For more info on certificates, see Create and Upload a Management Certificate for Azure.

Create a certificate

To create your own self-signed certificate, open a Visual Studio command prompt as an administrator, cd to a directory in which you want to store certificates (such as C:\Certificates), and run the following command:

makecert -sky exchange -r -n "CN=<certificate_name>" -pe -a sha1 -len 2048 -ss My "<certificate_name>.cer"

For more info, see Create and Upload a Management Certificate for Azure.

Upload the certificate

To upload a certificate to Azure, go to the Settings page in the Azure Management Portal, then click the Management Certificates tab. Click Upload at the bottom of the page and browse to the location of the CER file you created.

Export the certificate as a PFX file

Next, export the certificate as a PFX file using the Certificate Manager (certmgr.msc):
  1. Open the Certificate Manager snap-in for the management console by typing certmgr.msc in the Start menu textbox. (Or create a shortcut to C:\Windows\System32\certmgr.msc.)
  2. You should see the certificate listed under Personal > Certificates. When makecert creates a certificate, it also registers it in the Personal Certificates store. If your certificate is not listed, import your X.509 certificate.
  3. Export the certificate by right-clicking the certificate in the right pane, and selecting All Tasks > Export.
  4. In the Certificate Export Wizard, on the first page, click Next; on the second page, select Yes, export the private key; on the third page, select Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible; on the fourth page, click Password and provide a password; on the fifth page, specify the full path to the PFX file that the wizard will export. Click Next.
  5. Click Finish to generate the PFX file.

For more information, see Create a Service Certificate for Azure.

Convert the PFX file into JKS

In the Windows Command Prompt (running as admin), cd to the directory containing the certificates and run the following command, where <JavaDir> is the directory in which you installed Java on your computer:

c:\<JavaDir>\jdk1.8.0_11\bin\keytool.exe -importkeystore ^
 -srckeystore c:\certificates\<CertificateName>.pfx ^
 -destkeystore c:\certificates\<CertificateName>.jks ^
 -srcstoretype pkcs12 -deststoretype JKS

When prompted, enter the destination keystore password; this will be the password for the JKS file. When prompted, enter the source keystore password; this is the password you specified for the PFX file. The two passwords don't have to be the same.

Note that the computer on which you run this command must have the JDK installed. Also, the path to the keytool depends on the location in which you install the JDK. For more information, see Key and Certificate Management Tool in the Java online docs.

Create a certificate for Azure using keytool


The Azure SDK for Java uses management certificates to authenticate with Azure subscriptions. These are X.509 v3 certificates you use to authenticate a client application that uses the Service Management API to act on behalf of the subscription owner to manage subscription resources.

The website creation code in this procedure uses a self-signed certificate to authenticate with Azure. For this procedure, you need to create a certificate and upload it to the Azure Management Portal (AMP) beforehand. This involves the following steps:

  • Generate a PFX file representing your client certificate and save it locally.
  • Generate a management certificate (CER file) from the PFX file.
  • Upload the CER file to your Azure subscription.
  • Convert the PFX file into JKS, because Java uses that format to authenticate using certificates.
  • Write the application's authentication code, which refers to the local JKS file.


When you complete this procedure, the CER certificate will reside in your Azure subscription and the JKS certificate will reside on your local drive. For more info on management certificates, see Create and Upload a Management Certificate for Azure.

Create a certificate

To create your own self-signed certificate, open a command console on your operating system and run the following commands.

Note:  The computer on which you run this command must have the JDK installed. Also, the path to the keytool depends on the location in which you install the JDK. For more information, see Key and Certificate Management Tool (keytool) in the Java online docs.

To create the .pfx file:

<java-install-dir>/bin/keytool -genkey -alias AzureRemoteAccess
 -keystore <cert-store-dir>/<cert-file-name>.pfx -storepass <password>
 -validity 3650 -keyalg RSA -keysize 2048 -storetype pkcs12
 -dname "CN=Self Signed Certificate 20141118170652"

To create the .cer file:

<java-install-dir>/bin/keytool -export -alias AzureRemoteAccess
 -storetype pkcs12 -keystore <cert-store-dir>/<cert-file-name>.pfx
 -storepass <password> -rfc -file <cert-store-dir>/<cert-file-name>.cer

where:

<java-install-dir> is the path to the directory in which you installed Java.
<alias> is the keystore entry identifier (AzureRemoteAccess in the commands above).
<cert-store-dir> is the path to the directory in which you want to store certificates (for example C:/Certificates).
<cert-file-name> is the name of the certificate file (for example AzureWebDemoCert).
<password> is the password you choose to protect the certificate; it must be at least 6 characters long. You can enter no password, although this is not recommended.
<dname> is the X.500 Distinguished Name to be associated with the alias; it is used as both the issuer and the subject field of the self-signed certificate (the -dname value in the commands above).

For more info, see Create and Upload a Management Certificate for Azure.

Upload the certificate

To upload a self-signed certificate to Azure, go to the Settings page in the Azure Management Portal, then click the Management Certificates tab. Click Upload at the bottom of the page and navigate to the location of the CER file you created.

Convert the PFX file into JKS

In the Windows Command Prompt (running as admin), cd to the directory containing the certificates and run the following command, where <java-install-dir> is the directory in which you installed Java on your computer:

<java-install-dir>/bin/keytool.exe -importkeystore ^
 -srckeystore <cert-store-dir>/<cert-file-name>.pfx ^
 -destkeystore <cert-store-dir>/<cert-file-name>.jks ^
 -srcstoretype pkcs12 -deststoretype JKS

  1. When prompted, enter the destination keystore password; this will be the password for the JKS file.
  2. When prompted, enter the source keystore password; this is the password you specified for the PFX file.


The two passwords don't have to be the same. You can enter no password, although this is not recommended.
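Both procedures above end with "write the application's authentication code, which refers to the local JKS file", but neither shows what the application should check before trusting that file. The following Java class is an added example (not code from this post or from the Azure SDK) that opens the converted JKS, confirms it holds a private-key entry for the client certificate, and prints the SHA-1 thumbprint so it can be compared with the entry shown under Management Certificates in the portal. The path, alias and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Sanity checks on the JKS produced by keytool -importkeystore before an app uses it. */
public class JksCheck {

    /** Hex SHA-1 thumbprint of the certificate, the value the portal lists for it. */
    static String thumbprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /**
     * Loads the JKS and returns the certificate of its first private-key entry.
     * storePassword is the destination keystore password chosen during conversion.
     * keyPassword is the entry password: keytool keeps the source (PFX) password
     * for the entry unless -destkeypass was given, so it may differ from storePassword.
     */
    static X509Certificate loadClientCert(String jksPath, char[] storePassword, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ks.load(in, storePassword);            // wrong store password -> IOException
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // skip trusted-certificate-only entries
            if (ks.getKey(alias, keyPassword) == null)
                throw new GeneralSecurityException("no private key for alias " + alias);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity();                  // throws if expired or not yet valid
            return cert;
        }
        throw new GeneralSecurityException("keystore holds no private-key entry");
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and passwords; substitute the values from your own conversion.
        String jksPath = "C:/Certificates/AzureWebDemoCert.jks";
        X509Certificate cert = loadClientCert(jksPath,
                "jks-store-password".toCharArray(), "pfx-password".toCharArray());
        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Expires:    " + cert.getNotAfter());
        System.out.println("Thumbprint: " + thumbprint(cert));
    }
}
```

If the printed thumbprint does not match the one in the portal, the JKS was built from a different PFX than the CER you uploaded, and authentication will fail regardless of the passwords.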