I received an email from Hanselman this week, a forward of an email he received after posting his [much-appreciated and far too kind] blog post on WAML. The email was from a community member running into a problem when trying to use WAML to create web sites (or manage their existing sites) from code running on the server side of another Windows Azure Web Site. I can imagine lots of user stories where a Web Site could use WAML:

  • I’m a software-as-a-service application business owner. I want to give users a form that, once filled out and submitted, will take user input and create a new web site and copy my application’s code into their web site
  • My web application needs to create a storage account when it first starts up
  • My web application needs to create a SQL Database when it first starts up

Automation isn’t limited to the desktop. With WAML you can pick and choose which areas you need to offer and install the appropriate NuGets and get up and running quickly. There are a few caveats, however, mostly deliberate design decisions based on the basic ideas of cryptography and data integrity. I spent a few hours this week talking to my good friends in the Web Sites team, along with my own awesome team in Azure Developer Experience, to work through some certificate-loading problems I was seeing in Web Sites. The ability to use a management certificate is pretty important when programming against WAML (yes, AAD support is coming soon in WAML). I’ve seen a few different forums mention similar issues. Given WAML makes use of certs, and sometimes using certs on the server side in the Web Site can be a little tricky, I thought a walk-through was in order.

How Meta. A Web Site that Makes Web Sites.

I’ve created a Visual Studio 2013 solution, with an ASP.NET project in the solution, that I’ll be using for this blog post. The code for this site is on GitHub, so go grab that first. The code in the single MVC controller shows you a list of the sites you have in your subscription. It also gives you the ability to create a new site. The results of this look like the code below.


Here’s a snapshot of the code I’m using in an MVC controller to talk to the Windows Azure REST API using WAML.

There are a few areas that you’ll need to configure, but I’ve made all three of them appSettings so it should be relatively easy to do. The picture below shows all of these variables. Once you edit these and work through the certificate-related setup steps below, you’ll have your very own web site-spawning web site. You probably already have the first of these variables but if you don’t, what are you waiting for?


Once your Azure subscription ID is pasted in you’ll need to do a little magic with certificates. Before we get to all the crypto-magic, here’s the method that the controller calls to prepare WAML for usage by setting up an X509Certificate.


I’d been using a base 64 encoded string representation of the certificate, but that wouldn’t work on top of Web Sites. Web Sites needs a real physical certificate file. Which makes sense: you want access to your subscription to be a difficult thing to fake, so a one-time configuration to secure the communication is worth it. The code below then takes that credential and runs some calls to the WebSiteManagementClient object, which is a client class in the Web Sites Management Package.
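The controller code above is shown in screenshots, so here is an added example of the same two steps written out: load the PFX from App_Data into an X509Certificate2, wrap it in the credential type WAML expects, and call WebSiteManagementClient to list and create sites. This is my illustration, not the code from the post’s GitHub repository. The three appSettings key names (AzureSubscriptionId, ManagementCertPath, ManagementCertPassword) are assumed, since the post does not name its keys; the nested WebSpaceDetails and the "VirtualDedicatedPlan" value are assumed to match the WAML package version of the time. The MachineKeySet and Exportable key-storage flags are included because, as jason and MCKLMT report in the comments, loading the PFX without them fails once the site runs on Azure.

```csharp
// Added example (not the post's own code): load the management certificate from
// a PFX under App_Data and drive WAML with it. Assumed appSettings keys:
// AzureSubscriptionId, ManagementCertPath, ManagementCertPassword.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web.Hosting;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.Management.WebSites;
using Microsoft.WindowsAzure.Management.WebSites.Models;

public static class WamlSiteManager
{
    // Builds the credential WAML needs from the PFX file referenced in Web.Config.
    public static SubscriptionCloudCredentials GetCredentials()
    {
        string subscriptionId = ConfigurationManager.AppSettings["AzureSubscriptionId"];
        string relativePath   = ConfigurationManager.AppSettings["ManagementCertPath"];     // e.g. "~/App_Data/mgmt.pfx"
        string password       = ConfigurationManager.AppSettings["ManagementCertPassword"];

        string pfxPath = HostingEnvironment.MapPath(relativePath);
        if (!File.Exists(pfxPath))
            throw new FileNotFoundException("Management certificate PFX not found", pfxPath);

        // MachineKeySet: the Web Sites worker process has no loadable user profile, so the
        // private key must land in the machine key container (see the comments on this post).
        var cert = new X509Certificate2(
            pfxPath,
            password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

        // Only the PFX carries the private key; the CER uploaded to the portal does not.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; was the CER loaded instead of the PFX?");

        return new CertificateCloudCredentials(subscriptionId, cert);
    }

    // Lists every site in every web space of the subscription as "webspace/site".
    public static IList<string> ListAllSites()
    {
        var names = new List<string>();
        using (var client = new WebSiteManagementClient(GetCredentials()))
        {
            foreach (var webSpace in client.WebSpaces.List().WebSpaces)
            {
                var sites = client.WebSpaces.ListWebSites(webSpace.Name, new WebSiteListParameters());
                names.AddRange(sites.WebSites.Select(s => webSpace.Name + "/" + s.Name));
            }
        }
        return names;
    }

    // Creates a site in the named web space (e.g. "eastuswebspace", geoRegion "East US").
    public static string CreateSite(string siteName, string webSpaceName, string geoRegion)
    {
        // The site name becomes a DNS label and comes from user input, so validate it
        // before it reaches the REST API.
        if (string.IsNullOrWhiteSpace(siteName) || siteName.Length > 60 ||
            !siteName.All(c => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-'))
            throw new ArgumentException("Site name must be 1-60 ASCII letters, digits or hyphens", "siteName");

        using (var client = new WebSiteManagementClient(GetCredentials()))
        {
            var parameters = new WebSiteCreateParameters
            {
                Name = siteName,
                WebSpaceName = webSpaceName,
                WebSpace = new WebSiteCreateParameters.WebSpaceDetails
                {
                    Name = webSpaceName,
                    GeoRegion = geoRegion,
                    Plan = "VirtualDedicatedPlan" // assumed plan name for this WAML version
                }
            };
            var response = client.WebSites.Create(webSpaceName, parameters);
            return response.WebSite.Name;
        }
    }
}
```

The controller would call ListAllSites for the index view and CreateSite from the form post. Keeping the PFX path and password in appSettings (rather than in code) matches the post’s configuration approach; the HasPrivateKey check catches the common mistake of pointing the setting at the exported CER instead of the PFX.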


This next part is all about cryptography, certificates, and moving things around properly. It’s not too complicated or deep into the topics, just a few steps you should know just in case you need to do this again.

Don’t worry. If it were complicated, you wouldn’t be reading about it here.

Creating a Self-Signed Cert and Using the PFX and CER Files Properly with Web Sites

I’ll run through these steps pretty quickly, with pictures. There are many other great resources online on how to create certificates so I’m not going to go into great detail. This section has three goals:

  1. Create a self-signed certificate
  2. Create a *.CER file that I can use to upload to the Windows Azure portal as a management certificate
  3. Use the *.PFX file I created on the way to creating my *.CER file on my web site

To create the self-signed cert open up IIS Manager (some would prefer to do this using makecert.exe) and click the Server Certificates feature.


Then, click the Create Self-Signed Certificate action link.


You get to walk through a wizard:


Then the new certificate will appear in the list:


Select it and click the Export action link:


Now that you’ve got the PFX file exported, it’d be a good time to drop that into the web site. Drop the PFX file into the App_Data folder…


Once the .PFX is in the App_Data folder, copy its location into the Web.Config or into the portal’s Configure tab.


Double-click the PFX file. Run through the subsequent steps needed to import the PFX into the personal certificate store. Once the wizard completes you’ll have the certificate installed, so the final step will be to export it. Open up your user certificates tile. I always find mine using the new Modern Tiles method.


Open up the file in the user certificate manager, and select the new certificate just created. Select the Export context menu.


Select the DER option. This outputs a CER file that can be used as your management certificate in the next step.


Save the output *.CER file on your desktop. With the PFX file set up in the web site and this file created, we’re almost finished.
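The wizard steps above produce the CER by importing the PFX into the user store and exporting it again. As an added example (my own code, not from the post), the same DER file can be derived directly from the PFX, and the result checked so that what goes to the portal carries only the public certificate while the private key stays in the PFX on the web site. The file paths and password are placeholders.

```csharp
// Added example (not the post's code): derive the portal-ready DER .cer from the PFX
// and verify it holds no private key before it is uploaded as a management certificate.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

public static class ManagementCertExport
{
    // Writes cerPath with only the public certificate from pfxPath and returns the
    // thumbprint, which is the value the portal lists next to the uploaded certificate.
    public static string ExportCer(string pfxPath, string pfxPassword, string cerPath)
    {
        var withKey = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
        if (!withKey.HasPrivateKey)
            throw new InvalidOperationException("PFX did not contain a private key");

        // X509ContentType.Cert is the DER-encoded public certificate only,
        // equivalent to the "DER" option in the export wizard.
        byte[] der = withKey.Export(X509ContentType.Cert);
        File.WriteAllBytes(cerPath, der);

        // Round-trip check: same thumbprint, and no private key in the file to upload.
        var publicOnly = new X509Certificate2(cerPath);
        if (publicOnly.HasPrivateKey)
            throw new InvalidOperationException("Exported CER unexpectedly contains a private key");
        if (!string.Equals(publicOnly.Thumbprint, withKey.Thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Thumbprint mismatch after export");

        return withKey.Thumbprint;
    }

    public static void Main(string[] args)
    {
        // Placeholder paths and password; point these at the PFX exported from IIS Manager.
        string thumbprint = ExportCer(@"C:\placeholder\mgmt.pfx", "pfx-password", @"C:\placeholder\mgmt.cer");
        Console.WriteLine("Upload mgmt.cer to the portal; expected thumbprint: " + thumbprint);
    }
}
```

Comparing the printed thumbprint with the one shown in the portal’s Management Certificates list is a quick way to confirm the right file was uploaded.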

Uploading the Management Cert to the Portal

With the CER file ready, all you need to do to upload it is go to the Management Portal. So long as the web site you’re running WAML in is trying to access resources in the same subscription, everything should work. Go to the management portal, select Settings from the navigation bar, and then select the Management Certificates tab. Click the Upload button to upload the *.CER file only. NOT the PFX, yet!


Once the CER is uploaded it’ll appear in the list of management certificates.


With those configuration changes in place, I can finish the configuration by adding the password for the PFX to the Web.Config file. Keeping the password in Web.Config isn’t perfect, but it’s just to get you started with the difficult connecting-of-the-dots that can occur when embarking on a new feature or prototype.


Deploying the Site

The last step, following the configuration and certificates being set up, is to deploy the site. I can do that from right within Visual Studio using the publish web features. Here, I’m just creating a new site.


Once the site deploys and loads up in a browser, you can see what capabilities it’ll offer – the simple creation of other Azure Web Sites.



This article is more about preparing a web site with the proper certificate setup; the repository contains the actual functional code. I’d welcome you to take a look at the repository, submit questions in the comments below, or even fork the repository and come up with a better way, or add features, whatever you think of. Have fun, and happy coding!


Comment by Ryan

Fabulous! You can't imagine just how good the timing on this post is! :)

Comment by Ilija

Very cool! I love the creativity in this blog-post. It shows the real power and flexibility of Azure. Thanks!

Comment by Daniel

Is there a way to OAuth into the credentials, etc. needed to use the management API? For example, if you were to want to write a website that provides some additional management capability as a service. You'd want people to sign up and "authorize" your app to manage their azure account...

Comment by brady gaster

Daniel - no, not at this time. We are working on authentication options that'd use bearer tokens, specifically for Active Directory.

Are you proposing a situation wherein I would grant (for example) Twitter to access my Azure resources, so you could log in using your Twitter account to manage your Azure services? OR, are you proposing that Active Directory tenant applications who have been granted access to the Windows Azure REST APIs be granted access, then allow authentication to flow through AD?

Just making sure I grok your desire. :)

brady gaster
Comment by Scott Prokopetz

Great article Brady, I was going to investigate creating Azure Websites using the Azure API myself but you thankfully saved me hours of research, trial and error. Thank you!!! One question though, and I'm sure the answer is obvious, but instead of creating a certificate could we just use an SSL certificate we purchase from a certificate authority and use that? That would also solve the issue if we wanted to put payment processing in step before the website creation, correct?

Comment by brady gaster

Scott, I don't think you can do that. I will need to check with the team to verify but I'm pretty sure there's no way to just use the SSL cert you have for auth'ing.

brady gaster
Comment by Ryan Riley

I keep getting the following error when trying to access "eastuswebspace" when running in the F# interactive window:

> let res = client.WebSpaces.ListWebSites("eastuswebspace", parameters);;
System.FormatException: String was not recognized as a valid Boolean.
at Microsoft.WindowsAzure.Management.WebSites.WebSpaceOperationsExtensions.ListWebSites(IWebSpaceOperations operations, String webSpaceName, WebSiteListParameters parameters)
at <StartupCode$FSI_0023>.$FSI_0023.main@()
Stopped due to error

If I run within a console application, everything works fine. Do you happen to know what might cause something like this? It seems unusual.

Comment by brady gaster

Not sure. Have you auth'ed properly using the F# console? Mind shooting me an email with more details? I'm not an F# guru, but I'll spin this up with a few teammates to see if we can come up with a good solution. Or, submit a detailed description of the problem (the more detail the better) in the SDK repository's issues list. The latter would provide better tracking of the item.


brady gaster
Comment by Sebastian

Great article!
Is it possible at the moment to create a website from an existing gallery app (like Wordpress or Joomla) with WAML?

Comment by brady gaster

Sebastian -

No, not at this time. Your comment came on the same day as an internal IM with the same question, ironically. I took this as a sign, emailed the team who owns the gallery, and now we have some planning to do together.

Thanks for the inspiration!

brady gaster
Comment by MCKLMT


Is it possible to authenticate to PowerShell cmdlets using the same way (pfx)?
Do you have a sample, maybe?


Comment by brady gaster

MC - I don't. @guayan might. We got to talking about this via Twitter, and as Mr. Ebbo pointed out, you could write a C# app that'd use WAML to do what you want, but I don't think POSH is an option for you.

brady gaster
Comment by jason

Hi Brady,
I tried the code in github with my own Azure Subscription ID, pfx. It works pretty well locally with localhost, the new website was created successfully and all websites under my Azure account are listed too. However, when the project is deployed to Azure, it can't open the pfx file. Does Azure website have more security permission than a localhost? Do you have similar problem?

The website throws exception below. The pfx file is uploaded successfully and verified by ftp.
[CryptographicException: The system cannot find the file specified.
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) 33
System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle

Comment by jason

Fixed it by adding another parameter: X509KeyStorageFlags.MachineKeySet in X509Certificate2 constructor. Thanks
new X509Certificate2(certPath,

Comment by MCKLMT

Seems it needs more than X509KeyStorageFlags.MachineKeySet only.
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable works in my case.

Comment by Wynn

Amazing, great and damn helpful, works like a dream. Only one question can you point me in the direction of creating custom content instead of the "This site has been successfully created..." page?

Comment by Wynn

Is it possible to associate a git account with the website at the point of creation so that it is immediately populated with real website content?

Comment by Brady Gaster

That's the point of the setup. You could use the mgmt libraries to establish an internal git repository and then you could push up to it. There's also a new API method out there for "external git repositories" but I don't know if that's rolled up into the MAML libraries yet. I have some code to look at over the weekend that does what you want, once I peek into it I'll get back to you on it.

Comment by Wynn

Really appreciate that Brady, been struggling all day on this one. Look forward to you getting back to me. Thanks in advance.

Comment by cris

Hi Brady, awesome post.
I am trying to create / publish an empty website from powershell for all my existing tenant subscriptions on windows azure pack. How can I push a new empty website for each one of them?

Comment by Brady Gaster

cris - shoot me an email and we'll discuss with some colleagues, that'd be more PowerShell than MAML, so let's get you to the right folks. bradyg, and I work at microsoft, so the suffix should be easy to grok. :) hope to hear from you.

Comment by Ken Woghiren

Thanks Brady - I'd been struggling with for days! Just wish I'd found your post earlier!


Comment by ahmed lutful zamil

Thanks... wish I'd found your post earlier! Thanks again.

ahmed lutful zamil
Comment by Brian Lakstins

I created a project based on the Visual Studio 2013 Community Edition template project Visual C#/Cloud/QuckStarts/Deploy and Manage Web Sites.
When I dug into it, I realized that the .publishsettings file was just being used to get the SubscriptionId and the Base64 encoded ManagementCertificate.

I updated the code to be the bare minimum (function that takes WebSpaceName, WebSiteName, SubscriptionId, and ManagementCertificate) and it works fine as a console app (to restart a web site).

I use the same code in an ASP.NET app running on the same system (my development system), and my Azure management portal Operation Logs shows a "started" followed by a "failed". The process seems to go into la la land. Nothing shows in the debugger while the call to WebSiteManagementClient.WebSites.Restart does not end within about the 5 minutes I was willing to wait.

I would think that if the process needed a self signed file based management certificate, that I would get some access denied type message in my application and that nothing would show in my Azure management portal Operation Logs. The security requirement for a certificate to be in a file on the server seems a bit odd to me. Is it still really a requirement? Do I need to create my own certificate for this process to work, even in a development environment?

Brian Lakstins