How to create an ECC SSL that will import / activate in Azure-CDN to pass PCI Compliance

Lon Hammonds 20 Reputation points
2023-07-07T20:12:07.66+00:00

According to this post about Included CA Certificate List (search for "EC8A396C40F02EBC4275D49FAB1C1A5B67BED29A"), I should be able to use a certificate from Sectigo which is an ECC SSL using secp384p1 and SHA384 to import into Azure-CDN Key Vault. I can get a PFX key added to the vault but we try to have Azure-CDN use it, it says "Failed to update custom domain properties" "The private key is not RSA or it is unreadable. Only RSA private key is supported for BYOC to secure a custom domain."

I checked with Sectigo and the pointed me to this page Generate PFX file or P12 with OpenSSL which simply confirmed that the commands I was already using was correct.

This is the command that I used to generate the Private Key and the CSR that was sent to Sectigo to generate a certificate:

openssl ecparam -name secp384r1 -genkey -noout -out ecc.mydomain.private.key && openssl req -new -out ecc.mydomain.csr -key ecc.mydomain.private.key -sha384 -subj "/C=XX/ST=XXXX/L=XXXXX/O=XXXXXXXX/CN=*.mydomain.com"

Once I download the IIS archive from Sectigo, I extract it and run this command to generate the PFX which includes the private key, certificate, intermediate certificate and passphrase:

openssl pkcs12 -export -out azure.pfx -inkey ecc.mydomain.private.key -in STAR_mydomain_com.crt -certfile My_CA_Bundle.ca-bundle

The whole reason for switching from an RSA SSL in the first place is that RSA SSL no longer passes PCI Compliance tests and the Azure-managed SSL certificates fail compliance tests. I even tried an RSA SSL certificate from GoDaddy and it had the same problem. For reference, here is the exact wording: "The remote SSL/TLS server is supporting Diffie-Hellman ephemeral (DHE) Key Exchange algorithms and thus could be prone to a denial of service (DoS) vulnerability."

Any idea why Azure CDN is not viewing this PFX file as valid?

Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,058 questions
Azure Content Delivery Network
Accepted answer
  1. KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee
    2023-07-12T05:38:49.1866667+00:00

    @Lon Hammonds

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I checked this internally and Product Group confirmed CDN doesn't support certificates with elliptic curve (EC) cryptography algorithms.

    While I could find a specific documentation for CDN, I was able to get it for Azure Front Door.

    And the Product Team confirmed the behavior is same for Azure CDN as well.

    Refer

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil

    Please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest