You need to ensure that the certificate used to encrypt data can be accessed by the cloud service application

You manage a cloud service that utilizes data encryption.
You need to ensure that the certificate used to encrypt data can be accessed by the cloud service
application.
What should you do?

A.
Upload the certificate referenced in the application package.

B.
Deploy the certificate as part of the application package.

C.
Upload the certificate’s public key referenced in the application package.

D.
Use RDP to install the certificate.

Explanation:
The developer must deploy the public key with their application so that, when Windows Azure spins up
role instances, it will match up the thumbprint in the service definition with the uploaded service
certificate and deploy the private key to the role instance. The private key is intentionally non-exportable
to the .pfx format, so you won’t be able to grab the private key through an RDC connection into a role
instance.
Field Note: Using Certificate-Based Encryption in Windows Azure Applications
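As an added illustration (not part of the original question or of the Field Note it cites), this is how the thumbprint match described in the explanation is expressed in a Windows Azure cloud service: the service definition names the certificate and the store it is installed into, and the service configuration carries the thumbprint that must match a certificate uploaded to the hosted service. The service, role and certificate names and the thumbprint are placeholders.

```xml
<!-- ServiceDefinition.csdef (added illustration; names are placeholders) -->
<ServiceDefinition name="ContosoService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Certificates>
      <!-- The package only references the certificate by name and says
           where it should be installed on the role instance (LocalMachine\My). -->
      <Certificate name="DataEncryptionCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>

<!-- ServiceConfiguration.cscfg (added illustration; thumbprint is a placeholder) -->
<ServiceConfiguration serviceName="ContosoService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="2" />
    <Certificates>
      <!-- Must equal the SHA-1 thumbprint of the certificate uploaded under the
           hosted service's Certificates; the private key never travels in the package. -->
      <Certificate name="DataEncryptionCert"
                   thumbprint="0000000000000000000000000000000000000000"
                   thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
```

When a role instance starts, the fabric looks for an uploaded service certificate whose thumbprint equals this value and installs it, private key included, into the named store; the deployment package itself carries only the reference, which is why the certificate has to be uploaded to the service separately from the package.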

Jack

A

Your deployment package has been updated to use the certificate, and an HTTPS endpoint has been added. Now you can upload the package and certificate to Azure with the Azure classic portal.

Iain

C

The explanation given here says
“The developer must deploy the public key with their application so that, when Windows Azure spins up role instances, it will match up the thumbprint in the service definition with the uploaded service certificate and deploy the private key to the role instance.”
https://azure.microsoft.com/en-us/blog/field-note-using-certificate-based-encryption-in-windows-azure-applications/

The Service already has the private key from the installed certificate and it needs to have the corresponding public key on hand to encrypt data with, to allow it to send correctly encrypted data to the incoming connections (who presumably already have the public key installed).