ITOps Talk Blog
How To Create a Self Signed Certificate in Azure using Cloud Shell

OrinThomas
Microsoft
Apr 30, 2019

We often need self-signed certificates when spinning up test apps or other workloads in Azure. Rather than mucking about with makecert.exe and uploading the relevant certificate files to Azure, or configuring a temporary certificate from a CA that you are running, you can use Cloud Shell to create your own self-signed certificate with the openssl command line utility.

 

In the following example you create a self-signed X.509 certificate called selfsigncert.crt and then export it as a file in pfx format. To do this, perform the following steps:

 

  1. Open Cloud Shell.
  2. Enter the following command into Cloud Shell to create a self-signed certificate:

     openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out selfsigncert.crt

  3. Provide the following information when prompted:
     • Country Name (2 letter code) []:
     • State or Province Name (full name) [Some-State]:
     • Locality Name (eg, city) []:
     • Organization Name (eg, company) [Internet Widgits Pty Ltd]:
     • Organizational Unit Name (eg, section) []:
     • Common Name (e.g. server FQDN or YOUR name) []:
  4. Export the certificate by running the following command in Cloud Shell:

     openssl pkcs12 -export -out selfsigncert.pfx -inkey privateKey.key -in selfsigncert.crt

  5. Provide a password for the certificate.
  6. Once you have the certificate files, copy them across to your clouddrive to ensure that the certificate files persist after you finish your Cloud Shell session. As clouddrive can be mounted as a file share, this allows you to import the certificate into running IaaS VMs should you so choose.
  7. You can copy the certificate files to the clouddrive with the following command:

     cp * ./clouddrive/.
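
The steps above as a non-interactive Bash script with checks added: it confirms that the key and certificate match, confirms that the PFX opens with the password, and copies only the certificate and the password-protected PFX to the destination, because -nodes writes privateKey.key unencrypted. This is an added example, not code from the original post; the function names, the PFX_PASS variable and the sample common name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed names: the functions
# below, the PFX_PASS variable and the sample common name in the usage lines.

make_selfsigned() {     # $1 = working directory, $2 = certificate common name
  ( cd "$1" && umask 077 &&   # umask keeps the unencrypted key owner-only
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=$2" -keyout privateKey.key -out selfsigncert.crt )
}

key_matches_cert() {    # succeeds only if key and certificate share a public key
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1/selfsigncert.crt" -noout -pubkey) || return 1
  from_key=$(openssl pkey -in "$1/privateKey.key" -pubout) || return 1
  [ "$from_cert" = "$from_key" ]
}

export_pfx() {          # $1 = working directory; password from exported $PFX_PASS
  ( cd "$1" && umask 077 &&
    openssl pkcs12 -export -out selfsigncert.pfx -inkey privateKey.key \
      -in selfsigncert.crt -passout env:PFX_PASS )
}

pfx_opens() {           # succeeds only if the PFX decrypts with $PFX_PASS
  openssl pkcs12 -in "$1/selfsigncert.pfx" -noout -passin env:PFX_PASS 2>/dev/null
}

persist_cert_files() {  # $1 = working directory, $2 = destination directory
  [ -d "$2" ] || { echo "destination '$2' is not a directory" >&2; return 1; }
  # Copy only the certificate and the password-protected PFX; privateKey.key
  # was written unencrypted (-nodes) and is left out of the file share.
  cp "$1/selfsigncert.pfx" "$1/selfsigncert.crt" "$2"/
}

# Usage in Cloud Shell (Bash):
#   read -rs PFX_PASS && export PFX_PASS
#   make_selfsigned . test.example.internal && key_matches_cert . &&
#     export_pfx . && pfx_opens . && persist_cert_files . ~/clouddrive
```
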

 

Updated Apr 30, 2019
Version 4.0

10 Comments

  • Ryan_McNeal
    Copper Contributor

    Balaji G There is a typo in the original post.  

    cp * ./cloudrive/.

     

    Should read:

     

    cp * ./clouddrive/.

     

  • Balaji G
    Copper Contributor

    Hi OrinThomas Tony Roth Guy Derenoncourt II thomaslevesque 

     

    Could you please help me with the issue below?

     

    Issue: I have run the openssl command for a self-signed certificate in CLOUDSHELL, but I am unable to download the file in pfx format in CLOUDSHELL.

     

    Need assistance on file share - self signed certificate creation - file download from cloud shell - No such directory found

    ----------


    I have run the following command to export the certificate as .pfx and am not able to download it.

    Can you please help me with it?

     

    How to download pfx certificate in cloudshell?


    Storage account name: https://deletemlworksp.file.core.windows.net/azurefiletestcloudshelldelete/.cloudconsole

    command:

    ------

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out selfsigncertwithpwd01.crt

    openssl pkcs12 -export -out selfsigncert.pfx -inkey privateKey.key -in selfsigncertwithpwd01.crt

     

     

    output

    ---

    PS /home/user1> cp * ./cloudrive/.
    /usr/bin/cp: target './cloudrive/.' is not a directory
    PS /home/user1> cp * ./user1
    /usr/bin/cp: target './user1' is not a directory
    PS /home/user1> cp * ./cloudconsole
    /usr/bin/cp: target './cloudconsole' is not a directory
    PS /home/user1> cp * ./cloudconsole/.
    /usr/bin/cp: target './cloudconsole/.' is not a directory
    PS /home/user1> cp * https://deletemlworksp.file.core.windows.net/azurefiletestcloudshelldelete/.cloudconsole
    /usr/bin/cp: target 'https://deletemlworksp.file.core.windows.net/azurefiletestcloudshelldelete/.cloudconsole' is not a directory
    PS /home/user1>

  • Tony Roth
    Brass Contributor

    Yes, it did use to work in the old PowerShell. Oh well, not like it's something I use every day. I was confused about the extra "Ex" at the end of the cmdlet too.

  • Ah - it used to work on the old PowerShell Cloud Shell. I imagine it might be a compat issue that will eventually be resolved, but I guess at the moment it doesn't work.

  • thomaslevesque
    Copper Contributor

    Unfortunately new-selfsignedcertificateex doesn't seem to work... it says "Windows XP and Windows Server 2003 are not supported!"

  • thomaslevesque If you have powershell loaded in Cloud Shell (pwsh) and run the following to import the PSPKI module from the Azure Gallery

     

    PS Azure:\> install-module -name pspki

    you then get access to new-selfsignedcertificateex

     

     

  • Tony Roth
    Brass Contributor

    And if you are a powershell person you'd start a powershell shell then do new-selfsignedcertificate!

     

    https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps