How to buy a certificate for an Azure Web App

If you have tried to enable SSL for your Azure Web App you know that the steps to do that are:

  1. Purchase certificate and export it into a PFX file
  2. Upload PFX file to a resource group that contains your web app
  3. Bind the web app’s hostnames to the certificate

Of those steps, step #1 is the least obvious. Just by looking through the instructions in this article you can see that the process is complex and error-prone.

Recently the Azure team released improved support for buying certificates for Azure Web Apps. It is now possible to purchase a certificate without ever leaving the Azure Portal UI. In this blog post I’ll show how easy it is to buy a certificate and enable SSL for a Web App. As an example I will walk through the process of buying a certificate and enabling SSL for my web site http://ruslany.net/

To start the process of buying a cert in Azure Portal, click on Browse > and select “App Service Certificates”.

Then click Add and specify the certificate properties, most importantly the Naked Domain Host Name (e.g. ruslany.net in my case):

The certificate purchase process starts and at some point you will be asked to configure a Key Vault service which will store the purchased cert.

If you do not have a Key Vault configured then add a new Key Vault Repository and once it is provisioned click on the “Store” button:

After the Key Vault has been linked to your certificate, the next step is to verify the domain ownership. Azure Portal makes this verification very simple. If you already have a Web App that uses the same domain name as in the certificate, then you can choose the “App Service Verification” method and the corresponding App will be listed below. Just click on the “Verify” button and give it 5 to 10 minutes for the verification process to complete.

Assuming the verification was successful the certificate will be issued and will be stored in the Key Vault repository from where it can be used by other App Services within your subscription:

To use the certificate in the Web App, select the Web App in the portal, then select “Custom domains and SSL” and then click on “Import Certificate”.

This will ask you to pick the certificate from the Key Vault repository:

After that the certificate information should show up in the “Custom Domains and SSL” page where you can configure SSL bindings to use that certificate:

How to rekey a certificate

One nice feature that is included in the certificate management functionality is the ability to rekey a certificate. If for any reason you believe your certificate got compromised or if you need to rotate the certificate for security compliance reasons you can easily rekey it. This will result in a new certificate with a different thumbprint issued for your domain.

In addition, once the rekey’ed certificate has been issued you can click on the “Sync” button and all the web apps that use the old certificate will be updated to use the rekey’ed certificate. Note that you can rekey these certificates as many times as you need as long as they are not expired.
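After a rekey and Sync, one way to confirm that every hostname now serves the new certificate is to compare the thumbprint of the certificate each host presents with the old and new thumbprints. The following is an added example, not part of the original post; the function names and the example.com hostnames are assumptions, and the demo uses constructed placeholder bytes in place of real certificates.

```python
import hashlib
import socket
import ssl


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(thumb: str) -> str:
    """Accept thumbprints pasted with colons, spaces or lower case."""
    return thumb.replace(":", "").replace(" ", "").upper()


def served_certificate(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate the host presents for its own name (SNI)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(hosts, old_thumb, new_thumb, fetch=served_certificate):
    """Map each host to (status, detail): 'rekeyed', 'stale' (still the old
    certificate), 'other' (a different certificate) or 'error'."""
    old_thumb, new_thumb = normalize(old_thumb), normalize(new_thumb)
    report = {}
    for host in hosts:
        try:
            seen = thumbprint(fetch(host))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[host] = ("error", str(exc))
            continue
        if seen == new_thumb:
            report[host] = ("rekeyed", seen)
        elif seen == old_thumb:
            report[host] = ("stale", seen)
        else:
            report[host] = ("other", seen)
    return report


# Constructed demo data: placeholder bytes stand in for DER certificates.
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-rekeyed-cert"
DEMO_SERVED = {"example.com": NEW_DER, "www.example.com": OLD_DER}

if __name__ == "__main__":
    result = audit(DEMO_SERVED, thumbprint(OLD_DER), thumbprint(NEW_DER),
                   fetch=DEMO_SERVED.__getitem__)
    for host, (status, detail) in result.items():
        print(f"{host:20} {status:8} {detail}")
```

Against live sites, call `audit()` with the real hostnames and the two thumbprints and leave `fetch` at its default; any host reported as `stale` is still bound to the pre-rekey certificate.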


ruslany on April 5th 2016 in Other, WAWS


One Response to “How to buy a certificate for an Azure Web App”

  1. steve responded on 29 Jul 2016 at 5:49 am #

    Great Article, thanks!

    I am getting an error when I try to submit the purchase request for the W1 wildcard cert:

    ```
    This subscription does not have the billing support to purchase the azure resource. (Code: BadRequest)
    ```

    I have Owner access so I’m not sure what to try next.

    Any thoughts?
