Windows Azure for Developers Task 11: Create X.509 certificate for Windows Azure Web Role

Before we will come to know, how to create X.509 certificate for Windows Azure web Role, let us understand why we need a certificate for a role? It authenticates whether an operation on an azure subscription is authenticated or not? Certificates help us for Authentication.

There are two types of certificates

1. Management certificates

2. Service certificates

Management Certificates

This is subscription level certificate. It is independent of any particular hosted service. This stores the certificate for Windows Azure subscription.

X.509 certificates are example of this certificate.

Service certificates

This is hosted service lever certificates. This stores the service for a hosted service.

A personal information exchange certificate is example of this type of certificate.

To create a X.509 certificate, First step you need to do is Open Visual Studio command prompt. Go to Start and open Visual Studio 2010 Tools and select Visual Studio Command Prompt


If you want to explore different basic options available with makercert command.

Run the command

MakeCert -?


To create a certificate we can run the command with any combination of options available with MakeCert.exe .

I am creating a certificate here with the name debugmode.


In command prompt, it would look like,


Explanation of various options I am using in above command is as below,


Specifies the subject key type. It may be exchange type or signature type. It can be any integer type to represent a provider type.


This option creates a self-signed certificate


This option provides certificate name. Naming convention must adhere to X.509 certificate standard. The simplest way to provide certificate name is to put the name in double quotes as like “CN=Certificatename”


Allow the private key to be part of the certificate such that later it can be exported


Specifies the algorithm type. It could be SHA1 or MD5 . By default it is MD5


Specifies certificate store name.

After running above command you can find a X.509 certificate with name debugmode has been created in the folder C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC.

Right click on the certificate and you will get an option to install certificate


If you select to install, certificate install wizard will get open to you.


Either you can choose the store for the certificate or leave wizard to search a store for you.


There is one more way to create X.509 certificate using IIS. Open Inetmgr


In center you will get an option of Server Certificates. Double click on that.


At left pane you will get option to create a server certificate. Select Create Self-Signed Certificate


Just follow the wizard to create the self-signed certificate


These are two ways to create X.509 certificates. Tune in for the next post.

11 responses to “Windows Azure for Developers Task 11: Create X.509 certificate for Windows Azure Web Role”

  1. When I did this the certificate would not upload to Azure portal. Error stated a .CER file cannot be uploaded.

  2. When I did this with Visual Studio 2010 the certificate would not upload to Azure portal. Error stated a .CER file cannot be uploaded.

  3. Hi TOm ,

    Could you please tell me where you are trying to upload ? there are two location you can upload the certificae . For certificate with extension .Cer you can uplaod them only to Mange API certificate tab .. please revert if need any more calrification

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s