Published on

Create pfx certificate file for Azure Web Apps from Cloudflare origin cert using openssl

Authors
  • Name
    Twitter

Every time I create a new project using Azure Web Apps or even IIS and I need to add a pfx file for end to end https, Cloudflare gives you a private key and certificate but you can't use those directly with Azure Web Apps and I keep forgetting how to do this exactly so as I do sometimes I'm going to post the steps so that it's helpful to others as well as future me.

Downloading origin certificates from Cloudflare

If you want to have Full strict end to end encryption using Cloudflare you need to install a certificate on your origin server

Cloudflare SSL/TLS settings page
Figure: Cloudflare SSL/TLS settings page showing Full (strict) encryption mode

To get this certificate is really easy, from the Cloudflare dashboard Click on SSL/TLS, Origin Server and then Create Certificate.

Cloudflare SSL/TLS Origin Server tab with Create Certificate button
Figure: Cloudflare SSL/TLS Origin Server tab with Create Certificate button highlighted

This will pop a dialog up that will give you some options, Private key type, a list of hostnames that you want the certificate to cover and the certificate Validity for this guide you can leave all the defaults and click Next. The reason it's ok to use the 15 year certificate is because this is effectively a self-signed certificate that only the Cloudflare servers are going to trust and is used for the sole purpose of end to end security, traffic should not be hitting this from anywhere else then Cloudflare, if you feel more comfortable selecting a shorter period you can go ahead, just know you will need to cycle the certificate more frequently. The edge certificate shown to your user will still rotate with a shorter validity period

Cloudflare Create Certificate dialog with default options
Figure: Cloudflare Create Certificate dialog with default options selected

After having clicked Next you will be presented with the following dialog, create a folder someone easy to navigate to on your machine, I used C:\\_tmp\certs

  1. Make sure PEM (Default) is selected in the droplist
  2. Save the Origin Certificate contents as the certificate.crt in the folder you created
  3. Save the Private key contents as the privateKey.key in the folder you created
  4. Click OK
Cloudflare Origin Certificate and Private Key dialog
Figure: Cloudflare dialog displaying Origin Certificate and Private Key for download

Now that we have the files on disk we can create our pfx certificate

Installing Ubuntu on Windows

If you are already on linux or already have a flavor of linux installed on your windows machine feel free to skip over this section. The only requirement here is openssl so if you have that through a different way feel free to use that too 😊

Head off to the Windows Store and search for and install the Ubuntu app

Ubuntu app in Windows Store
Figure: Ubuntu app available for installation in the Windows Store

This app will require that you have the Windows Subsystem for Linux enabled in Windows Features, if you have not enabled this yet you will be required to reboot your machine after enabling this feature.

Windows Features dialog with Windows Subsystem for Linux enabled
Figure: Windows Features dialog showing Windows Subsystem for Linux checkbox enabled

After a reboot when you open the app you will see it is initializing and after initialization is complete you will be asked to enter a username and password

Ubuntu initialization in Windows Terminal
Figure: Ubuntu terminal showing initialization process after installation
Ubuntu username and password prompt in terminal
Figure: Ubuntu terminal prompting for new UNIX username and password

You are all set to go, let's get moving with the actual reason for needing this installed 😅

Exporting a pfx certificate using openssl

This process is really quick, all that we need to do is navigate in the shell window to where our certificates are on the windows machine, your drives are mapped under the /mnt/ folder as each letter so to get to my folder from above I need to navigate to /mnt/c/\_tmp/certs and then we can run the opensll command in your shell window run the command below, note that when press enter you will be asked for a password for the pfx file and then asked to confirm the password

After this you should be able to run the ls command again and get an output similar to this

OpenSSL command output showing created PFX file
Figure: Terminal output after running OpenSSL command, showing the newly created certificate.pfx file

You now have a pfx file that you can upload into Azure or use in IIS or any other server that requires a pfx file with a password

Azure Web App SSL settings with PFX certificate uploaded
Figure: Azure Web App SSL settings showing the uploaded PFX certificate

Conclusion

Cloudflare is a great platform but when you are not setting up new sites every day or not super familiar with the tools available something as simple as setting up the origin certificate can take slightly longer then what is comfortable so we need cheat sheets like this post 😎

Enjoy and happy encrypted traffic

Discuss on TwitterView on GitHub