Microsoft

Often we need self-signed certificates when spinning up test apps or other workloads in Azure. Rather than mucking about with makecert.exe and uploading the relevant certificate files to Azure, or configuring a temporary certificate from a CA that you are running, you can easily use Cloud Shell to create your own self-signed certificate using the openssl command line utility.

In the following example you create a self-signed X.509 certificate called selfsigncert.crt and then export it as a file in pfx format. To do this, perform the following steps:

  1. Open Cloud Shell.
  2. Enter the following command into Cloud Shell to create a self-signed certificate:

     openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out selfsigncert.crt

  3. Provide the following information:
     • Country Name (2 letter code) []:
     • State or Province Name (full name) [Some-State]:
     • Locality Name (eg, city) []:
     • Organization Name (eg, company) [Internet Widgits Pty Ltd]:
     • Organizational Unit Name (eg, section) []:
     • Common Name (e.g. server FQDN or YOUR name) []:
  4. Export the certificate by running the following command in Cloud Shell:

     openssl pkcs12 -export -out selfsigncert.pfx -inkey privateKey.key -in selfsigncert.crt

  5. Provide a password for the certificate.
  6. Once you have the certificate files, copy them across to your clouddrive to ensure that the certificate files persist after you finish your Cloud Shell session. As clouddrive can be mounted as a file share, this allows you to import the certificate into running IaaS VMs should you so choose.
  7. You can copy the certificate files to the clouddrive with the following command:

     cp * ./clouddrive/.
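
The steps above, run without prompts and followed by checks on the result, as an added example that is not part of the original post. The function names, the Common Name passed in and the password-file argument are assumptions; `-subj` answers the prompts from step 3 and `-passout file:` supplies the password from step 5.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names and the
# password-file argument are hypothetical; file names follow the post.
# Usage: make_selfsigned "$HOME" test.example.internal pw.txt && key_matches_cert "$HOME"

# Create privateKey.key, selfsigncert.crt and selfsigncert.pfx in directory $1
# for Common Name $2, reading the PFX password from the first line of file $3.
make_selfsigned() {
  local dir=$1 cn=$2 pwfile=$3
  (
    umask 077   # -nodes writes the key unencrypted, so keep the files owner-only
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=$cn" \
      -keyout "$dir/privateKey.key" -out "$dir/selfsigncert.crt" 2>/dev/null &&
    openssl pkcs12 -export -out "$dir/selfsigncert.pfx" \
      -inkey "$dir/privateKey.key" -in "$dir/selfsigncert.crt" \
      -passout "file:$pwfile"
  )
}

# Succeeds only if the public key in the certificate is the one derived
# from the private key file (catches a key/cert mix-up before export).
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1/privateKey.key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1/selfsigncert.crt" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the PFX opens with the password in file $2 and carries
# the same certificate (compared by SHA-256 fingerprint).
pfx_contains_cert() {
  local a b
  a=$(openssl x509 -in "$1/selfsigncert.crt" -noout -fingerprint -sha256) || return 1
  b=$(openssl pkcs12 -in "$1/selfsigncert.pfx" -passin "file:$2" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# Succeeds if the certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1/selfsigncert.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run the checks before copying the files to clouddrive, and copy only the files a given VM needs: the .pfx and privateKey.key both contain the private key.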

 

8 Comments
Occasional Contributor

And if you are a powershell person you'd start a powershell shell then do new-selfsignedcertificate!

 

https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

Occasional Visitor

@Tony Roth unfortunately new-selfsignedcertificate doesn't seem to be available on Cloud Shell...

Microsoft

@thomaslevesque If you have powershell loaded in Cloud Shell (pwsh) and run the following to import the PSPKI module from the Azure Gallery

 

PS Azure:\> install-module -name pspki

you then get access to new-selfsignedcertificateex

 


 

Occasional Visitor

@OrinThomas thanks! I had tried to install "PKI" or "PKIClient" but couldn't find the right module name

Occasional Visitor

Unfortunately new-selfsignedcertificateex doesn't seem to work... it says "Windows XP and Windows Server 2003 are not supported!"

Microsoft

Ah - it used to work on the old PowerShell cloudshell. I imagine it might be a compat issue that will eventually be resolved, but I guess at the moment it doesn't work.

Occasional Contributor

Yes it did use to work in the old powershell, oh well not like it's something I use every day, was confused about the extra "Ex" at the end of the cmdlet too.

New Contributor

Has anyone tried certbot in Azure Cloud Shell?