If you have tried to enable SSL for your Azure Web App you know that the steps to do that are:
- Purchase certificate and export it into a PFX file
- Upload PFX file to a resource group that contains your web app
- Bind the web app’s hostnames to the certificate
Out of those steps the step #1 is the most non-obvious. Just by looking through the instructions in this article you can see that the process is complex and error prone.
Recently the Azure team has released an improved support for buying certificates for Azure Web Apps. Now it is possible to purchase a certificate without ever leaving the Azure Portal UI experience. In this blog post I’ll show how easy it is to buy a certificate and enable SSL for a Web App. As an example I will walk through the process of buying a certificate and enabling SSL for my web site http://ruslany.net/
To start the process of buying a cert in Azure Portal click on Browse > and select “App Service Certificates“.
Then click Add and specify the certificate properties, most importantly the Naked Domain Host Name (e.g. ruslany.net in my case):
The certificate purchase process starts and at some point you will be asked to configure a Key Vault service which will store the purchased cert.
If you do not have a Key Vault configured then add a new Key Vault Repository and once it is provisioned click on the “Store” button:
After the Key Vault has been linked to your certificate then next step is to verify the domain ownership. Azure Portal makes this verification very simple. If you already have a Web App that uses the same domain name as in the certificate then you can chose “App Service Verification” method and the corresponding App will be listed below. Just click on “Verify” button and give it 5 to 10 minutes for verification process to complete.
Assuming the verification was successful the certificate will be issued and will be stored in the Key Vault repository from where it can be used by other App Services within your subscription:
To use the certificate in the Web App, select the Web App in the portal, then select “Custom domains and SSL” and then click on “Import Certificate”
This will ask you to pick the certificate from the Key Vault repository:
After that the certificate information should show up in the “Custom Domains and SSL” page where you can configure SSL bindings to use that certificate:
How to rekey a certificate
One nice feature that is included in the certificate management functionality is the ability to rekey a certificate. If for any reason you believe your certificate got compromised or if you need to rotate the certificate for security compliance reasons you can easily rekey it. This will result in a new certificate with a different thumbprint issued for your domain.
In addition, once the rekey’ed certificate has been issued you can click on “Sync” button and all the web apps that use the old certificate will be updated to use the rekey’ed certificate. Note that you can rekey these certificates as many times as you need as long as they are not expired.
5 thoughts on “How to buy a certificate for an Azure Web App”
Great Article, thanks!
I am getting an error when I try to submit the purchase request for the W1 wildcard cert:
This subscription does not have the billing support to purchase the azure resource. (Code: BadRequest)
I have Owner access so I’m not sure what to try next.
I read this article, linked from an official Microsoft blog page https://azure.microsoft.com/en-us/blog/internals-of-app-service-certificate/ whilst looking into whether there was anything like AWS Certificate Manager in the Azure world.
How ironic then, when trying to switch to HTTPS and view this article on https://ruslany.net/2016/04/how-to-buy-a-certificate-for-an-azure-web-app/ it results in a certificate warning and error due to the cert being for *.azurewebsites.net
Thanks for pointing that out. It is fixed now. 🙂
It’s a shame that the SSL is created as a Secret in the KeyVault making it unusable with App Gateway and having to do all sorts of jiggery-pokery to make things work.
Also the Web APP interface and the Gateway have an option for “Import from KeyVault” which again is unusable and misleading if you have purchased an SSL from “ASC” as these dialogs expect a Certificate and not a Secret.
Thanks for sharing the awesome info. Do you have ARM templates for adding custom domain to azure app service and bind to it.