Thursday, August 8, 2013

Installing / Renewing SSL certificate for Windows Azure


Today I had to do one of my least favorite things in web development: install an SSL certificate.  And even worse than usual, this is my Monster Cache certificate so it needs to go on Windows Azure.  I guess I mainly don't like it because there are a lot of steps and I don't do it often, so it's easy to forget the process.  And there are even more steps for Azure.  And often something goes wrong which means I have to call GoDaddy, where I buy my certificates.  Such was the case today.  So I wanted to document all the steps for when I have to do this again in two years.

By the way, big thanks to Avkash Chauhan's Blog for this post that got me through installing an SSL certificate in Windows Azure the first time.  This time I was renewing the certificate so some of the steps were a little different for me, so that's why I'm making another list.
  1. Open IIS 7.  This can be on any machine with IIS7.  I use the IIS7 on my Windows 7 development machine.
  2. Go to the Server Certificates section
  3. WARNING: Here is where my problems were today.  Even if you have an existing certificate and you are renewing it, do not click on your existing certificate and choose "Renew...", at least if you are getting your certificate from GoDaddy.  The CSR that is generated for a renewal is not accepted by GoDaddy.  You'll see that it is about twice as long as a CSR for a new certificate, or as the GoDaddy support person said "Using renew puts a bunch of extra code in there that can't be recognized".  So whether you're renewing or creating a new one, choose "Create Certificate Request".  You'll have to enter your company data.  I always use 2048 bits; I think GoDaddy requires it.  Then save the resulting file as a .csr somewhere.
  4. On GoDaddy (or other CA), purchase your certificate for however many years you want.
  5. When asked to enter your CSR, paste your ENTIRE CSR file contents into the CSR request text box.  Continue through rest of steps until certificate issuance is Pending.
  6. On the "Manage Certificates" tab of the "Secure Certificate Services", download the certificate when it's ready by checking the checkbox and clicking Download.  (It only takes a minute or so to go from Pending to Current, just hit Refresh occasionally.) Save the .zip file to the same folder as your .csr file.
  7. Unpack zip file
  8. Go back to IIS7 and click "Complete Certificate Request". It will ask you to browse to the response file.  Select the .crt file that was in the zip file.  Choose whatever you want for a friendly name, but if you're renewing, then make sure that your new friendly name is different from your original.
  9. Now you have a certificate installed on your local IIS.  Right click on it in the certificate list and choose "Export...".  Save it as a .pfx file in the same location as your other files and make up a password for the exported file.
  10. This blog post details how to tell your Azure project about your new certificate and how to upload the certificate to your Azure Developer Portal.  I can't improve on that post, but I will say that:
    • I did NOT follow step 7.  And I did not do the verification in steps 8 and 9 either.
    • After logging into the developer portal, it was hard to find the place to upload the certificate.  I found it by going to "Cloud Services" on the left, then clicking my service name on the right, and then "Certificates" was at the far right of the horizontal navigation that appeared on the introduction page.
  11. Now all you have to do is publish your project!
  12. There's one last step in Avkash's blog about setting up the CNAME records if you haven't done that yet.  He links to this blog for those instructions.
Whew, that's it!  Thank goodness I don't have to do it again for two years. Maybe I should have bought even more years though, two years sounds too soon.
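
Between the export in step 9 and the upload in step 10, a quick look inside the .pfx catches an export that left out the private key or that picked the old certificate instead of the renewed one. This PowerShell script is an added example, not part of the original post; the parameter names and the 2048-bit default (taken from step 3) are assumptions.

```powershell
# Added example: inspect an exported .pfx before uploading it to Azure.
# Parameter names and thresholds are illustrative assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [string] $OldThumbprint = '',   # thumbprint of the certificate being replaced, if renewing
    [int]    $MinKeyBits    = 2048  # key size chosen when creating the request
)

$password = Read-Host -Prompt 'PFX password' -AsSecureString
$fullPath = (Resolve-Path -LiteralPath $PfxPath).ProviderPath

# Load the file in memory only; nothing is imported into a certificate store.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath, $password

# GetRSAPublicKey returns $null when the certificate does not use an RSA key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

$problems = @()
if (-not $cert.HasPrivateKey) {
    $problems += 'No private key in the file: export again and include the private key.'
}
if ($keyBits -lt $MinKeyBits) {
    $problems += "RSA key is $keyBits bits, expected at least $MinKeyBits."
}
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "Not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
# A renewed certificate is a different certificate, so its thumbprint must differ.
if ($OldThumbprint -and $cert.Thumbprint -eq ($OldThumbprint -replace '\s', '')) {
    $problems += 'Thumbprint matches the old certificate: this is not the renewed one.'
}

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    KeyBits       = $keyBits
    HasPrivateKey = $cert.HasPrivateKey
    Problems      = $problems
}
if ($problems.Count -gt 0) { exit 1 }
```

The password is read as a SecureString at the prompt rather than passed on the command line, so it does not end up in shell history.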
