About Azure Publish Settings Files and Certificates

With the Windows Azure SDK release a year ago, Microsoft introduced a new feature called the publish settings file, intended to make programmatic access to Azure easier. Until then, using a management certificate together with the subscription ID had always been the way to access the Azure environment programmatically.

To access Azure services programmatically, one has to generate a management certificate locally, keep the private key local, and upload the public key to the “Management Certificates” section of the portal. Some Azure customers may find this approach a little cumbersome and not so trivial to implement. To make it easier, Microsoft rolled out the Publish Settings File feature. The basic promised workflow is:

  1. Browse to https://windows.azure.com/download/publishprofile.aspx to download a publish settings file. A management certificate *per subscription* is created on the server side, and the PFX is serialized as a Base64 string into an XML file.
  2. Download and save the file
  3. Refer to it in your Azure PowerShell scripts or Node.js command line tools

Even though this makes a great demo showcase, it has some interesting side effects. If you are giving a demo, happen to have a single Azure subscription, and are the only one accessing it, and only during the demo, you will not notice the issue. In real life, however, people work on the same subscription for a longer time, multiple people in a team work on the same subscription, and most people also have access to multiple subscriptions.

Currently Azure limits the number of management certificates on a subscription to 10. Now imagine that you and/or other members of the team keep downloading the publish settings file. Each download creates another, unnecessary management certificate, and if you delete the publishsettings file, as some tutorials out there recommend, there is no other way to download that certificate again.

So what is the solution? Do we need the file in the first place? If you are not using the Node.js command line tools, you actually do not need it. Simply create a management certificate once for the whole team on a subscription, upload the CER to the management portal as the management certificate, and distribute the PFX file. Here is what we use to generate the cert:

Once you have generated, uploaded and distributed the certificate, you can use it in your PowerShell scripts as:
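
The generate, upload, distribute and use steps above, sketched with the built-in PowerShell PKI cmdlets as an added example (not the author's original commands). The function names, file names and subject are hypothetical, and `Set-AzureSubscription` / `Select-AzureSubscription` assume the classic Azure Service Management module is installed.

```powershell
# Added example; function names, file names and the subject are hypothetical.
function New-TeamManagementCert {
    param(
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$Subject = 'CN=AzureMgmt-Team',
        [string]$OutDir  = (Get-Location).Path
    )
    # One exportable 2048-bit key pair in the current user's Personal store.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation Cert:\CurrentUser\My `
        -KeyLength 2048 -KeySpec KeyExchange `
        -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)

    # CER holds the public certificate only: this is the file for the portal.
    Export-Certificate -Cert $cert -Type CERT `
        -FilePath (Join-Path $OutDir 'AzureMgmt-Team.cer') | Out-Null
    # PFX holds the private key: password-protect it before distributing.
    Export-PfxCertificate -Cert $cert -Password $PfxPassword `
        -FilePath (Join-Path $OutDir 'AzureMgmt-Team.pfx') | Out-Null
    $cert.Thumbprint   # record this to identify the certificate later
}

function Register-TeamManagementCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$SubscriptionName
    )
    # Each team member imports the shared PFX into their own Personal store.
    # Without -Exportable the private key cannot be exported again from there.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation Cert:\CurrentUser\My
    # Bind the certificate to the subscription for the classic Azure cmdlets.
    Set-AzureSubscription -SubscriptionName $SubscriptionName `
        -SubscriptionId $SubscriptionId -Certificate $cert
    Select-AzureSubscription -SubscriptionName $SubscriptionName
}

# Usage (all values are placeholders):
# $pw = Read-Host -AsSecureString 'PFX password'
# New-TeamManagementCert -PfxPassword $pw
# Register-TeamManagementCert -PfxPath .\AzureMgmt-Team.pfx -PfxPassword $pw `
#     -SubscriptionId '<subscription-id>' -SubscriptionName '<subscription-name>'
```

Only the CER goes to the portal; the PFX and its password should travel to the team over separate channels, since anyone holding both has management access to the subscription.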
