Windows Azure: Add Your Own Management Certificate

Published on Monday, September 3, 2012 in

Recently I figured out that I can try out Azure as that comes as one of the benefits of having an MSDN account. I got 375 hours of free computing hours per month! Just for the fun of it I want to host a small VM which acts as a TeamSpeak server every now and then. I guess that’s not really what the Azure subscription is meant for in the MSDN package, but hey I’m experimenting and getting to know the possibilities of Azure in the meanwhile! Guess that’s a Win-Win right?

Either way, because I only have 375 hours that means I can’t have my VM deployed 24/7. I wrote some simple PowerShell scripts which basically remove the VM, leaving the VDH intact and recreate it whenever I want. That might be another blogpost if I find some time. But now I want the possibility to have my colleagues power it up whenever I’m not around. The following options were not OK:

  • Be on duty 24/7 with an internet connection at hand
  • Hand out my live-id to everyone

So here comes the, be it limited, delegation capabilities of the Windows Azure management infrastructure: it seems you need your live ID to log in via the web interface. But for the PowerShell cmdlets you can actually have up to 10 certificates! So here comes how to start toying around with that part of Azure.

Remark: I only used the Get-AzurePublishSettingsFile cmdlet as explained on Windows Azure Cmdlet Guidance for my initial Azure PowerShell configuration on my home PC. However it seems like if you run the command again it will just generate another Windows Azure very long name –date-credentials management certificate. So in the end you got no clue to who you handed out which certificate.

So here we go:

1. Generate a new certificate

Using Visual Studio’s makecert utility I created my own certificate, for a detailed howto: How to Create a Certificate for a Role

The command I used: makecert -sky exchange -r-n "CN=[CNF]Invisibal" -pe -a sha1 -len 2048 -ss My "o:\SkyDrive\Documenten\Personal\Azure\Invisibal.cer"

2. Upload the .cer file in the Windows Azure management portal


3. Export your certificate from your local store and store it somewhere safe

The makecert command created a .cer file which is good for the upload,  but you have to make sure that from whatever computer you want to run your Azure PowerShell cmdlets you have the certificate with the private key available. So as in my case I created the certificate on my own PC, and I want my colleague to be able to connect to the Azure management API using PowerShell, I have to export the certificate (including the private key) and hand it over to him.

To export the certificate:

Start –> Run –> MMC –> Add/Remove the certificate snap-in, choose user



4. Download and configure the Azure PowerShell cmdlets

You can download the cmdlets from here: Downloads for managing Azure

After starting the shell and trying out a simple command you will be greeted with an error:


In words: Get-AzureVM : Call Set-AzureSubscription and Select-AzureSubscription first.

After some trial and error I found the following in one of the help sections of a cmdlet.

5. Retrieve your Azure subscription ID

You can get it either from the account section (where you get to see the usage & billing information) or just copy it from the Management Certificates section where you just uploaded a certificate:


Just copy paste it in a temporary notepad file.

6. Retrieve your certificate thumbprint

From a PowerShell prompt execute get-item cert:\\currentuser\my\*


Also just copy paste it in a temporary notepad file.

7. Start up the Azure PowerShell shell and start the magic

You can now easily copy the SubscriptionID ($subID) and the Thumbprint ($thumbprint) from the tempory notepad into the required variables.

$subID = "af2f6ce8-demo-demo-demo-dummydummyd3"
$thumbprint = "01675217CF4434C905CF0A34BBB75752471869C6"
$myCert = Get-Item cert:\\CurrentUser\My\$thumbprint
Set-AzureSubscription -SubscriptionName "CNF_TS" -SubscriptionId $subID -Certificate $myCert

This should command should also persist between sessions. Meaning if you restart the shell, it will still be available and you can go ahead and start executing cmdlets right away.

8. You’re good to go!


Well just when I was about the wrap this up I found this great article: it covers most of my stuff and way more. Definitely worth reading: Automating Windows Azure Virtual Machines with PowerShell

Related Posts

No Response to "Windows Azure: Add Your Own Management Certificate"

Add Your Comment