How to create a certificate authentication with Azure Management Service

In order to carry out any management tasks in Azure using an agent (Visual Studio or any custom code), it should authenticate itself with Azure. Requests to the Azure Management API should be authenticated using on of the following methods.

  • Active Directory
  • Certificate Authentication

This article covers the certificate authentication. Azure Management Service (AMS) APIs require a X.509 certificate for the authentication. For the development purpose we can create a sample certificate in our machine using the following command line. Make sure you open the Visual Studio command line in administrator mode to execute this.

makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"


This creates the certificate in the local machine under the Personal Certificates since I have specified “My”as location.

Open the Certificate Manager in your local machine (enter certmgr.msc in the Run). You can check for your new certificate.



We should upload this certificate to Azure to establish the trust and each and every API request should contain the certificate. Certificates are saved in Azure under subscriptions thus they are used to manage the subscription owner actions. Each subscription can contain up to 100 certificates as of this writing.

Export the certificate from certificate store, as a .cer file. Follow the screen shots below.

image image image image image

Once you have exported the certificate, next step is to upload it to the Azure subscription. Login to the Azure select the correct directory if you more than one under your login and select the correct subscription to which you need to upload the certificate. Then go Settings and go to Management Certificates tab, there you can upload your certificate.

After uploading the certificate you can view it in grid like this.



To summarize what we’ve done up to now,

  • We need establish a trust between Azure and the subscription agent via certificate authentication.
  • Subscription agent is the party / tool which programmatically carries our the tasks of a subscription owner.
  • First we generated a local certificate using certmgr.msc
  • We exported the certificate and put it in the Azure management certification store.
  • So now any subscription agent with the certificate can perform the subscription ownership tasks (using Azure Management API) thus authenticating using the certificate.

The below C# code shows how to retrieve the certificate from your local store by providing the thumbprint.

   1: public X509Certificate2 GetStoreCertificate(string thumbprint)

   2: {

   3:     List<StoreLocation> locations = new List<StoreLocation>

   4:     {

   5:         StoreLocation.CurrentUser,

   6:         StoreLocation.LocalMachine

   7:     };


   9:     foreach (var location in locations)

  10:     {

  11:         X509Store store = new X509Store("My", location);

  12:         try

  13:         {

  14:             store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

  15:             X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint,false);


  17:             if (certificates.Count == 1)

  18:             {

  19:                 return certificates[0];

  20:             }

  21:         }

  22:         finally

  23:         {

  24:             store.Close();

  25:         }

  26:     }


  28:     throw new ApplicationException("No Certificate found");

  29: }

The above code tries to get the certificate from the Personal certification location, as the parameter “My” has been passed to the X509Store constructor.

After obtaining the certificate, you should pass it through each and every Azure Management API request whether you use the REST API or any language SDK.


1 thought on “How to create a certificate authentication with Azure Management Service

  1. Pingback: How to create Azure Storage account programmatically .NET SDK | Thuru's Blog

Comments are closed.