Generating and using a certificate to authorise Azure Automation
This blog is an addendum to Richard's recent post about using Azure Automation to run VMs during office hours only.
As Richard explains, you can use Azure Automation to create runbooks which contain PowerShell Workflows with the functionality you want to implement (e.g. starting and stopping a virtual machine or cloud service), and link those runbooks to Schedules so that they get automatically run at pre-defined times.
Azure Automation runbooks need some form of authorisation to make changes to other Azure services in your subscription. One way to achieve this is to use a management certificate in your Azure subscription, and provide the runbooks with the private key, in the form of a .pfx file generated from the certificate, which is saved as an asset in the Azure Automation service. The automation service's scripts use the key to ask Azure to do something like stop a VM, and Azure verifies that the request is allowed by checking it against the certificate in the subscription.
This blog describes how to create and use a certificate to authorise Azure Automation runbooks, providing a condensed version of the steps outlined in the Technet blog Managing Azure Services with the Microsoft Azure Automation Preview Service.
An alternative method of authorising Azure Automation runbooks is to use Active Directory, as described by Joe Levy on the Azure site, or, to restrict the permissions for the AD user, using the workflow outlined by David Ebbo in his blog Automating Azure on your CI server using a Service Principal. I'll cover this in a later blog.
Generating and using the certificate
1. Generate a .cer certificate file using MakeCert
The Windows Software Development Kit for Windows 8 includes the Certificate Creation Tool, MakeCert.exe. If you don't have this SDK, you will need to install it.
If you are using Windows 8.1, entering the following command in the command prompt will generate a self-signed certificate using MakeCert. The certificate name should be changed in both places:
You might also want to set the start and end validity periods for the certificate, using the -b (beginning) and -e (end) options.
If this runs correctly, you will see the message "Succeeded". A certificate will be created, a .cer file for the certificate will be written to your current directory, and the certificate will be saved to the machine's certificate store.
What are all the options?
According to the MakeCert docs on MSDN and the MSDN forums:
The –sky option lets you specify the way the certificate will be used, using the argument 'exchange' if it can be used to sign AND/OR encrypt a payload, and 'signature' if it can only be used to sign a payload.
The –r option specifies that a self-signed certificate should be created.
The –n option specifies the certificate name, which is preceded by CN=. CN is short for 'Canonical Name'.
The –pe option marks the generated private key as exportable. This allows the private key to be exported along with the certificate (into the .pfx file in step 3).
The –a option specifies the signature hash algorithm. sha384 and sha512 are also available.
-len is self-explanatory – the length of the generated key in bits.
The –ss option specifies the certificate store that stores the output certificate. In this case the certificate is added to your machine's default Personal certificate store, as indicated by the 'My' argument.
2. In the Azure portal, upload the .cer file to the subscription
In the Azure portal, select the subscription that you want to create the Azure Automation service in. Then, click on Manage Subscriptions/directory.
Click on the Management Certificates tab.
Click Upload, and browse to the .cer file on your machine.
If you have access to multiple subscriptions and did not choose a subscription earlier, you will be offered a drop down list of subscriptions to upload the certificate into at this point.
3. Generate a .pfx file with a private key for the certificate
Back on your machine, the next step is to create a file with a private key for the certificate, which the Automation Service can use. This takes the form of a .pfx file.
This process can be carried out using PowerShell.
To generate a .pfx file, you will need to choose a password, and keep a note of it during the process - you will need it again when you upload the .pfx file to Azure Automation.
Run PowerShell as an administrator, entering the following commands with the password and certificate name changed as appropriate.
The .pfx file will be generated in your C: drive.
Alternatively, the .pfx can be generated using the Certificate Manager GUI as described in Managing Azure Services with the Microsoft Azure Automation Preview Service.
4. Upload the .pfx file into the Azure Automation service
Finally, back in the Azure portal, in the Azure Automation service, you can add the .pfx file as an asset, as described in Richard's blog.
You will need to enter the password that you used when you generated the .pfx file.
5. Tidy up
Once everything is uploaded to Azure, to make sure all this sensitive info is in as few places as possible, you might want to delete the .cer and .pfx files from your machine, and remove the certificates you generated from your machine's My certificate store.
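The local parts of the procedure (step 1: MakeCert, step 3: .pfx export, step 5: tidy up) collected into one PowerShell script. This is an added example, not code from the original post or from the Technet blog it condenses. It assumes makecert.exe from the Windows 8 SDK is on the PATH, that the PKI module's Export-PfxCertificate cmdlet is available (Windows 8 or later), and that the certificate name "AzureAutomationCert" and the C:\certs paths are placeholders you will change.

```powershell
# Added example: generate the certificate, export the .pfx, and clean up.
# Placeholders: $CertName and the C:\certs paths. Run as administrator.

function New-AutomationCertificate {
    param(
        [string]$CertName = "AzureAutomationCert",   # placeholder, change it
        [string]$CerPath  = "C:\certs\$CertName.cer",
        [int]$ValidYears  = 1
    )
    New-Item -ItemType Directory -Path (Split-Path $CerPath) -Force | Out-Null

    # Bound the validity period (-b/-e, mm/dd/yyyy) so a leaked key has a limited lifetime.
    $start = (Get-Date).ToString("MM/dd/yyyy")
    $end   = (Get-Date).AddYears($ValidYears).ToString("MM/dd/yyyy")

    # -sky exchange: sign and/or encrypt; -r: self-signed; -n: subject common name (CN);
    # -pe: exportable private key; -a sha256 / -len 2048; -ss My: current user's Personal store.
    makecert.exe -sky exchange -r -n "CN=$CertName" -pe -a sha256 -len 2048 -ss My `
        -b $start -e $end $CerPath
    if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed with exit code $LASTEXITCODE" }

    # Pick up the certificate that was just written to the store and check it carries a key.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$CertName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "certificate CN=$CertName not found in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "certificate has no private key; was -pe used?" }

    # The thumbprint is what you compare against the Management Certificates tab after step 2.
    Write-Host "Created $CerPath, thumbprint $($cert.Thumbprint)"
    return $cert
}

function Export-AutomationPfx {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$PfxPath = "C:\certs\AzureAutomationCert.pfx"
    )
    # Read the password interactively so it never sits in the script or in shell history;
    # it is the same password you enter when uploading the asset in step 4.
    $password = Read-Host -Prompt "Password for the .pfx file" -AsSecureString
    Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $password | Out-Null
    Write-Host "Wrote $PfxPath (contains the private key; upload it, then delete it)"
}

function Remove-LocalCertificateArtifacts {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Files = @("C:\certs\AzureAutomationCert.cer", "C:\certs\AzureAutomationCert.pfx")
    )
    # Step 5: once both files are in Azure, remove the copies on this machine
    # and the entry (with its private key) from the My store.
    Remove-Item -Path $Files -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "Cert:\CurrentUser\My\$($Cert.Thumbprint)"
    Write-Host "Removed local files and store entry $($Cert.Thumbprint)"
}

# Usage: run the first two now, upload the .cer (step 2) and .pfx (step 4), then tidy up.
$cert = New-AutomationCertificate
Export-AutomationPfx -Cert $cert
# Remove-LocalCertificateArtifacts -Cert $cert
```

MakeCert writes to the current user's store unless -sr is given, so the script looks in Cert:\CurrentUser\My; if you pass -sr localMachine to makecert, change the path to Cert:\LocalMachine\My. The thumbprint printed in step 1 is worth noting down: it is the easiest way to confirm that the certificate shown under Management Certificates in the portal is the one whose key you just exported.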
Resources
Managing Azure Services with the Microsoft Azure Automation Preview Service
Create and Upload a Management Certificate for Azure
Update: Thanks to @blowdart for providing further info on MakeCert best practices.