Creating a Self-Signed Certificate for Windows Azure Online Backup

Share on facebook
Share on twitter
Share on linkedin

When initially setting up new Recovery Services on Windows Azure for the Azure Online Backup service, you are asked to provide a certificate that will be used to manage the identity of the servers allowed to back up to the specified vault. You have the option to either purchase a certificate, or create a self-signed certificate.

We found that the default instructions provided for creating a self-signed certificate are incomplete. If you create a self-signed certificate with an expiration date over 3 years, Azure will reject your certificate, but not tell you why.

To have your self-signed certificate accepted by the Azure Online Backup service, you must specify an expiration date of less than 3 years, and include the other parameters in the example below. Replace the highlighted sections with the information specific to your certificate:

makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer

For better instructions and details on managing certificates for the backup service, we recommend referencing the following page found on the MSDN web site:

Recovery Services: Upload Certificates to the Vault

More to explore