How to buy a certificate for an Azure Web App

If you have tried to enable SSL for your Azure Web App you know that the steps to do that are:

  1. Purchase certificate and export it into a PFX file
  2. Upload PFX file to a resource group that contains your web app
  3. Bind the web app’s hostnames to the certificate

Out of those steps the step #1 is the most non-obvious. Just by looking through the instructions in this article you can see that the process is complex and error prone.

Recently the Azure team has released an improved support for buying certificates for Azure Web Apps. Now it is possible to purchase a certificate without ever leaving the Azure Portal UI experience. In this blog post I’ll show how easy it is to buy a certificate and enable SSL for a Web App. As an example I will walk through the process of buying a certificate and enabling SSL for my web site http://ruslany.net/

Continue reading “How to buy a certificate for an Azure Web App”

How to setup IP SSL on Windows Azure Web Sites

The information in this post is out of date and should not be used as a guidance when configuring IP SSL for Azure Web Apps. Specifically if your custom domain is a CNAME to the default web app domain (e.g. contoso.azurewebsites.net) then it is not necessary to do any A record or CNAME changes as described in this article. The web app domains will be automatically remapped to the dedicated IP address when you enable IP SSL.

Azure Web Sites started to support custom domains SSL functionality recently. There are two SSL modes supported:

  1. SNI based SSL. This is an extension to SSL and Transport Layer Security (TLS) that allows multiple domains to share the same IP address, with separate security certificates for each domain. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI, however older browsers may not support SNI.
  2. IP based SSL. This mode associates a certificate with a domain name by mapping the dedicated public IP address of the server to the domain name. This requires each domain name (contoso.com, fabricam.com, etc.) associated with your service to have a dedicated IP address. This is the traditional method of associating SSL certificates with a web server.

The SNI SSL setup is pretty simple and is documented in “How to enable SSL web site“.  The IP SSL setup is more tricky, and unfortunately an important step is missing from that article. Without performing that step the domain name configured for IP SSL will continue to work as SNI SSL. The Windows Azure team is looking into fixing the documentation and UI workflow to prevent this confusion going forward. Meanwhile this blog post explains how to make sure IP SSL is configured correctly.

Continue reading “How to setup IP SSL on Windows Azure Web Sites”