HTTPS Acceleration Service – Certificates applied for by Azure Content Delivery Network
The Azure CDN provides HTTPS secure acceleration services that support both certificates uploaded by the user and certificates that the Azure CDN applies for and configures automatically. Both types are available only to paying users. This article discusses details on how to configure the Content Delivery Network to apply for certificates for you. For information about how to configure user-uploaded certificates and explanations for certificates, see Azure Content Delivery Network HTTPS Acceleration Services – User-supplied certificates. For more information about the differences between the two, see Service Consulting FAQ.
To apply for access: Contact the Azure technical support team. You will need to provide the ID of the Azure subscription for which you want to use the HTTPS acceleration service.
Self-service creation: After the Azure Content Delivery Network team receives and approves your access request, the team will enable the HTTPS acceleration service for the Azure subscription that you provided. You can then sign in to the Azure portal to complete the self-service creation process. Refer to the instructions for the self-service creation process.
SSL certificate application and configuration: After your configuration request is received, the Azure Content Delivery Network team will apply for an SSL certificate on your behalf. For more information about certificate types, see the notes at the end of this article.
The application and configuration process for this certificate takes approximately five business days. You will also need to cooperate during the application process, so that the certificate issuer can confirm ownership of the domain name. This article discusses the confirmation process in greater detail later.
When the configuration is finished and takes effect: After the configuration process is complete, you can complete the final setup of the canonical name (CNAME) record as you would to create services with other types of acceleration. Finally, you can complete any other associated management and configuration tasks through the unified Azure Content Delivery Network portal.
After you have finished creating the HTTPS acceleration type in the Azure portal, select the Management button, as shown in the following image, to jump to the Azure Content Delivery Network portal to complete the subsequent access procedure.
In the Azure Content Delivery Network portal, under Domain name management, select the HTTPS acceleration domain name that you need to configure, and then select View HTTPS configuration status.
You will then be able to see the five steps that are required to complete the whole HTTPS access configuration process. In Step 2: “Submit certificate application,” the interface prompts you to provide the following additional information:
Estimated bandwidth: Specify the estimated peak bandwidth that's required.
Estimated average file size: Specify the estimated average size of the files for which cache acceleration is required.
Acceleration demand time: Specify whether the demand for HTTPS acceleration is long term or short term.
Access port for client access to CDN node: Specify how the client that you want to enable will access the CDN node.
1) Activate only HTTPS access (with HTTP access prohibited)
2) Activate both HTTP and HTTPS access
3) Make HTTP access always jump to HTTPS access
Return-to-source port for CDN node access to the source station: Specify how the CDN node can achieve return-to-source access.
1) Use only HTTP return-to-source
2) Use only HTTPS return-to-source
3) Use both HTTP and HTTPS return-to-source
Test URL: Enter a URL that can be used subsequently to check access. Make sure that this URL on the source station is accessible.
After you have filled out all the relevant information for the previous step, press the Confirm button to complete the operation. To view the HTTPS configuration status again later:
After the Azure Content Delivery Network service provider’s backend confirms all the submitted information and has submitted the official certificate application to the certificate issuer, you can proceed to the interface for Step 3, as shown in the following image:
This next step is the most critical step in the certificate application process: the user needs to confirm ownership of the domain name. Because the Azure Content Delivery Network service provider submits the certificate application to the certificate issuer on the user’s behalf, the certificate issuer confirms domain name ownership with the user during this process. To confirm ownership, the domain name owner must complete final confirmation in the manner that’s specified in the email sent by the certificate issuer.
There are two ways to receive the email:
1) Default method: After the certificate issuer receives the request, the certificate issuer sends the domain name confirmation email by default to the email address that’s associated with the acceleration domain name as soon as possible. See the previous image for details. If you choose to obtain the confirmation email by this method, you can press the Confirm button to go directly to the next step.
2) DNS TXT method: If you are unable to sign in to the email account for the default method to complete confirmation of the domain name ownership, you can complete the confirmation process by creating a DNS TXT record, as shown in the following image. This method might take a little longer to complete.
After you have created the DNS TXT record, you can use the following command for verification in the Windows operating system: nslookup -qt=txt www.cdn.test.com
Next, as with the default method, the user can sign in to the mailbox that’s specified in the DNS TXT record to complete the subsequent domain name ownership-verification process.
After you have confirmed that you successfully created the corresponding DNS TXT record in this step, select “Confirm” in this step to continue to the next step.
The user can complete the domain-name ownership-verification process by accessing the email.
After the Azure Content Delivery Network backend confirms the method that you have chosen to receive the confirmation email, you will see the following interface:
You can now proceed to the corresponding email account to finish the verification of domain name ownership.
Email subject: Please validate ownership of your domain www.cdn.test.com -- DigiCert order 00123456
You must click on the confirmation link in the email to complete confirmation of domain name ownership.
After this, select Complete in the interface for Step 4 to finally complete confirmation of the entire domain name.
Next, the entire configuration process moves into the final step, as shown in the following image:
In this step, after the Azure Content Delivery Network back end receives the corresponding certificate from the certificate issuer, it will take a certain amount of time to complete the final configuration tasks. After this, you will see the final completion interface:
Finally, you can complete the CNAME configuration process through your domain name service provider just as you would to create accelerated domain names with other acceleration types. You direct the user-defined accelerated domain name to the Content Delivery Network domain name that's provided by the Azure Content Delivery Network platform, which should have an extension similar to .mschcdn.com. This completes the configuration.
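The two DNS changes in this procedure (the TXT record and the final CNAME record) can be checked from saved nslookup output. The following is an added example, not part of the original article or of any Azure tooling; the sample output, the TXT value, and both CNAME targets are constructed placeholders, and the zone mschcdn.com is taken from the extension mentioned above.

```python
import re

# Constructed nslookup output for illustration; the TXT value and the CNAME
# targets are placeholders, not values issued by the portal.
TXT_OUT = """Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
www.cdn.test.com\ttext =

\t"placeholder-value-shown-in-portal"
"""
CNAME_OK = "www.cdn.test.com\tcanonical name = www.cdn.test.com.mschcdn.com\n"
CNAME_BAD = "www.cdn.test.com\tcanonical name = edge.notmschcdn.com\n"


def txt_strings(output, name):
    """Collect the quoted strings that follow '<name> text =' in nslookup output."""
    values, in_record = [], False
    for line in output.splitlines():
        s = line.strip()
        if re.match(re.escape(name) + r"\.?\s+text\s*=", s, re.I):
            in_record = True
        elif in_record and s and not s.startswith('"'):
            in_record = False  # a different record or section started
        if in_record:
            values += re.findall(r'"([^"]*)"', s)
    return values


def cname_target(output, name):
    """Return the canonical name reported for `name`, lower-cased, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\.?\s+canonical name\s*=\s*(\S+)",
                  output, re.I | re.M)
    return m.group(1).rstrip(".").lower() if m else None


def in_zone(host, zone):
    """True only for a name below `zone`; the leading dot enforces a label boundary."""
    return host.rstrip(".").lower().endswith("." + zone.strip(".").lower())


def check_dns(txt_out, cname_out, name, expected_txt, cdn_zone="mschcdn.com"):
    """Summarise whether the TXT value is published and the CNAME points into the CDN zone."""
    target = cname_target(cname_out, name)
    return {
        "txt_published": expected_txt in txt_strings(txt_out, name),
        "cname_target": target,
        "cname_in_cdn_zone": target is not None and in_zone(target, cdn_zone),
    }
```

The label-boundary test in in_zone is what rejects a look-alike target such as the constructed edge.notmschcdn.com, which a plain suffix comparison against "mschcdn.com" would accept.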
About the SSL certificates
The SSL certificate type that is used is a SAN multi-domain name certificate (SAN/UCC SSL):
Subject alternative name (SAN) certificates are also known as unified communication certificates (UCC). With SAN SSL certificates, you can add multiple domain names or server names that need protection within the same certificate. This feature provides a great deal of flexibility. You can create an SSL certificate that is not only easy to use and install, but is also more secure than wildcard SSL certificates. The certificate is also perfectly suited to your server security requirements.
Certificate issuer: https://www.digicert.com/
The Azure Content Delivery Network will apply for, install, and maintain the SSL certificate on your behalf.
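The difference in scope between a SAN certificate and a wildcard certificate can be seen by matching each certificate's name entries against the hosts under a domain. The following is an added example, not part of the original article; the host inventory and both certificate name lists are constructed, and the matching follows the usual rule that a wildcard stands for exactly one left-most label.

```python
def name_matches(pattern, host):
    """Match one certificate dNSName entry against a host name.

    A '*' is honoured only as the entire left-most label and stands for exactly
    one label, so '*.cdn.test.com' never matches 'cdn.test.com' or 'a.b.cdn.test.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse overly broad '*.com'
    return p == h


def covered_hosts(san_entries, hosts):
    """Hosts from `hosts` for which the certificate would validate."""
    return [h for h in hosts if any(name_matches(n, h) for n in san_entries)]


def unintended_coverage(san_entries, intended, observed):
    """Hosts the certificate is valid for although they were never requested."""
    wanted = {h.lower() for h in intended}
    return [h for h in covered_hosts(san_entries, observed) if h.lower() not in wanted]


# Constructed inventory: two names that were requested, plus other hosts that
# exist under the same parent domain.
INTENDED = ["www.cdn.test.com", "img.cdn.test.com"]
OBSERVED = INTENDED + ["staging.cdn.test.com", "a.b.cdn.test.com", "cdn.test.com"]

SAN_CERT = ["www.cdn.test.com", "img.cdn.test.com"]  # explicit SAN list
WILDCARD_CERT = ["*.cdn.test.com"]                    # single wildcard entry

if __name__ == "__main__":
    for label, cert in (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, "covers:", covered_hosts(cert, OBSERVED))
        print(label, "unintended:", unintended_coverage(cert, INTENDED, OBSERVED))
```

With the explicit SAN list the certificate is valid only for the names that were requested, whereas the wildcard entry also validates for the constructed staging.cdn.test.com host, so the same private key vouches for a host nobody asked to protect.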
You can view information about charges for Content Delivery Network HTTPS acceleration nodes and other Content Delivery Network acceleration nodes through the corresponding Azure account portal (https://account.windowsazure.com). The information is summarized below the corresponding Azure subscription.
CDN HTTPS pricing
The Azure CDN HTTPS acceleration service is currently included in the premium version. See the official Azure website for details about pricing and charges.