Buy and configure an SSL certificate for Azure App Service

This tutorial shows you how to secure your web app by creating (purchasing) an App Service certificate, storing it in Azure Key Vault, and then binding it to an App Service app.

Tip

App Service Certificates can be used for any Azure or non-Azure service and are not limited to App Service. To do so, create a local PFX copy of the App Service certificate, which you can then use anywhere you want. For more information, see Creating a local PFX copy of an App Service Certificate.

Prerequisites

To follow this how-to guide:

Prepare your web app

To bind a custom SSL certificate (a third-party certificate or App Service certificate) to your web app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in the supported pricing tier.

Log in to Azure

Open the Azure portal.

From the left menu, click App Services, and then click the name of your web app.


You have landed in the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).


Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.


Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.


When you see the following notification, the scale operation is complete.


Start certificate order

Start an App Service certificate order in the App Service Certificate create page.


Use the following table to help you configure the certificate. When finished, click Create.

Setting | Description
Name | A friendly name for your App Service certificate.
Naked Domain Host Name | This step is one of the most critical parts of the purchase process. Use the root domain name that you have mapped to your app. Do not prepend the domain name with www.
Subscription | The datacenter where the web app is hosted.
Resource group | The resource group that contains the certificate. You can use a new resource group or select the same resource group as your App Service app, for example.
Certificate SKU | Determines the type of certificate to create, whether a standard certificate or a wildcard certificate.
Legal Terms | Click to confirm that you agree with the legal terms.

Store in Azure Key Vault

Once the certificate purchase process is complete, there are a few more steps you need to complete before you can start using this certificate.

Select the certificate in the App Service Certificates page, then click Certificate Configuration > Step 1: Store.


Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. It's the storage of choice for App Service certificates.

In the Key Vault Status page, click Key Vault Repository to create a new vault or choose an existing vault. If you choose to create a new vault, use the following table to help you configure the vault, then click Create. Create the new Key Vault inside the same subscription and resource group as the certificate.

Setting | Description
Name | A unique name that consists of alphanumeric characters and dashes.
Resource group | As a recommendation, select the same resource group as your App Service certificate.
Location | Select the same location as your App Service app.
Pricing tier | For information, see Azure Key Vault pricing details.
Access policies | Defines the applications and the allowed access to the vault resources. You can configure it later, following the steps at Grant several applications access to a key vault.
Virtual Network Access | Restrict vault access to certain Azure virtual networks. You can configure it later, following the steps at Configure Azure Key Vault Firewalls and Virtual Networks.

Once you have selected the vault, close the Key Vault Repository page. The Store option should show a green check mark for success. Keep the page open for the next step.

Verify domain ownership

From the same Certificate Configuration page you used in the last step, click Step 2: Verify.

Select App Service Verification. Since you already mapped the domain to your web app (see Prerequisites), it's already verified. Just click Verify to finish this step. Click the Refresh button until the message Certificate is Domain Verified appears.

Note

Four types of domain verification methods are supported:

  • App Service - The most convenient option when the domain is already mapped to an App Service app in the same subscription. It takes advantage of the fact that the App Service app has already verified the domain ownership.
  • Domain - Verify an App Service domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and completes the process.
  • Mail - Verify the domain by sending an email to the domain administrator. Instructions are provided when you select the option.
  • Manual - Verify the domain using either an HTML page (Standard certificate only) or a DNS TXT record. Instructions are provided when you select the option.

Bind certificate to app

In the Azure portal, from the left menu, select App Services > <your_app>.

From the left navigation of your app, select SSL settings > Private Certificates (.pfx) > Import App Service Certificate.


Select the certificate that you just purchased.

Now that the certificate is imported, you need to bind it to a mapped domain name in your app. Select Bindings > Add SSL Binding.


Use the following table to help you configure the binding in the SSL Bindings dialog, then click Add Binding.

Setting | Description
Hostname | The domain name to add the SSL binding for.
Private Certificate Thumbprint | The certificate to bind.
SSL Type | One of the following:
  • SNI SSL - Multiple SNI-based SSL bindings may be added. This option allows multiple SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (find more comprehensive browser support information at Server Name Indication).
  • IP-based SSL - Only one IP-based SSL binding may be added. This option allows only one SSL certificate to secure a dedicated public IP address. After configuring the binding, follow the steps in Remap A record for IP SSL.

Verify HTTPS access

Visit your app using https://<domain_name> instead of http://<domain_name> to verify that the certificate has been configured correctly.

Rekey and sync certificate

If you ever need to rekey your certificate, select the certificate in the App Service Certificates page, then select Rekey and Sync from the left navigation.

Click the Rekey button to initiate the process. This process can take 1-10 minutes to complete.


Rekeying your certificate rolls the certificate with a new certificate issued from the certificate authority.

Renew certificate

To turn on automatic renewal of your certificate at any time, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation.

Select On and click Save. Certificates can start automatically renewing 60 days before expiration if you have automatic renewal turned on.

To manually renew the certificate instead, click Manual Renew. You can request to manually renew your certificate 60 days before expiration.

Note

The renewed certificate is not automatically bound to your app, whether you renewed it manually or it renewed automatically. To bind it to your app, see Renew certificates.
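A scripted version of the HTTPS check from Verify HTTPS access, extended with the 60-day renewal window described under Renew certificate. This is an added example, not part of the original page or any Azure tool: it performs the TLS handshake with SNI set to the hostname (the way an SNI SSL binding is selected), then checks that the served certificate's DNS names cover the hostname (exact name, or a single wildcard label for the wildcard SKU) and how many days remain. The sample certificate dict, the contoso.com names and the dates are constructed for illustration.

```python
import socket
import ssl
import time

# App Service certificates can be renewed from 60 days before expiry (see Renew certificate).
RENEWAL_WINDOW_DAYS = 60

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "contoso.com"),),),
    "subjectAltName": (("DNS", "contoso.com"), ("DNS", "www.contoso.com")),
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or one leading '*' label (wildcard SKU).
    '*.contoso.com' covers 'www.contoso.com' but not 'contoso.com' or 'a.b.contoso.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".contoso.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def check_cert(cert, hostname, now=None):
    """Return (name_ok, days_left, in_renewal_window) for a getpeercert()-style dict.
    `now` may be given in the same 'Mon DD HH:MM:SS YYYY GMT' form as notAfter (for tests)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    name_ok = any(hostname_matches(name, hostname) for name in dns_names)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_secs = ssl.cert_time_to_seconds(now) if now else time.time()
    days_left = int((not_after - now_secs) // 86400)  # negative means already expired
    return name_ok, days_left, days_left <= RENEWAL_WINDOW_DAYS


def fetch_cert(hostname, port=443):
    """TLS handshake with SNI set to `hostname`, which is how an SNI SSL binding is selected.
    create_default_context() also validates the chain, so an unbound or untrusted cert raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # e.g. www.contoso.com, once the binding has been added
    ok, days, renew = check_cert(fetch_cert(host), host)
    print(f"{host}: name match={ok}, expires in {days} days, renewal window={renew}")
```

Run it against the bound hostname after Verify HTTPS access; a hostname that is mapped but not covered by the certificate's names reports name match=False, and days_left at or below 60 means the certificate is inside the manual or automatic renewal window.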

Automate with scripts

Azure CLI

#!/bin/bash

fqdn="<replace-with-www.{yourdomain}>"
pfxPath="<replace-with-path-to-your-.PFX-file>"
pfxPassword="<replace-with-your-.PFX-password>"
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name "$resourceGroup"

# Create an App Service plan in Basic tier (minimum required by custom SSL certificates).
az appservice plan create --name "$webappname" --resource-group "$resourceGroup" --sku B1

# Create a web app.
az webapp create --name "$webappname" --resource-group "$resourceGroup" \
--plan "$webappname"

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to the DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name "$webappname" --resource-group "$resourceGroup" \
--hostname "$fqdn"

# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
--certificate-password "$pfxPassword" --name "$webappname" --resource-group "$resourceGroup" \
--query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the web app (SNI binding, no dedicated IP address needed).
az webapp config ssl bind --certificate-thumbprint "$thumbprint" --ssl-type SNI \
--name "$webappname" --resource-group "$resourceGroup"

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzureRmResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzureRmAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzureRmWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to the DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzureRmAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzureRmWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzureRmWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources