Buy and Configure an SSL Certificate for your Azure App Service

In this tutorial, you will secure your web app by purchasing an SSL certificate for your Azure App Service, securely storing it in Azure Key Vault, and associating it with a custom domain.

Step 1 - Log in to Azure

Log in to the Azure portal at http://portal.azure.com

Step 2 - Place an SSL Certificate order

You can place an SSL certificate order by creating a new App Service Certificate in the Azure portal.

Certificate Creation

Enter a friendly Name for your SSL certificate and enter the Domain Name.

Note

This is one of the most critical parts of the purchase process. Make sure to enter the correct host name (custom domain) that you want to protect with this certificate. Do not include the "www" prefix in the host name.

Select your Subscription, Resource Group, and Certificate SKU.

Warning

App Service Certificates can only be used by other App Services within the same subscription.

Step 3 - Store the certificate in Azure Key Vault

Note

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services.

Once the SSL certificate purchase is complete, open the App Service Certificates resource blade.

insert image of ready to store in KV

You will notice that the certificate status is "Pending Issuance", as there are a few more steps you need to complete before you can start using this certificate.

Click Certificate Configuration inside the Certificate Properties blade, then click Step 1: Store to store this certificate in Azure Key Vault.

From the Key Vault Status blade, click Key Vault Repository to choose an existing Key Vault in which to store this certificate, or Create New Key Vault to create a new Key Vault in the same subscription and resource group.

Note

Azure Key Vault has minimal charges for storing this certificate. For more information, see Azure Key Vault Pricing Details.

Once you have selected the Key Vault Repository to store this certificate in, the Store option should show success.

insert image of store success in KV

Step 4 - Verify the Domain Ownership

Note

There are three types of domain verification supported by App Service Certificates: Domain, Mail, and Manual verification. These are explained in more detail in the Advanced section.

From the same Certificate Configuration blade you used in Step 3, click Step 2: Verify.

Domain Verification

This is the most convenient process, but it works ONLY IF you purchased your custom domain from Azure App Service. Click the Verify button to complete this step.

insert image of domain verification

After clicking Verify, use the Refresh button until the Verify option shows success.

insert image of verify success in KV

Step 5 - Assign Certificate to App Service App

Note

Before performing the steps in this section, you must have associated a custom domain name with your app. For more information, see Configuring a custom domain name for a web app.

In the Azure portal, click the App Service option on the left of the page.

Click the name of your app to which you want to assign this certificate.

Under Settings, click SSL certificates.

Click Import App Service Certificate and select the certificate that you just purchased.

insert image of Import Certificate

In the SSL bindings section, click Add bindings, and use the dropdowns to select the domain name to secure with SSL and the certificate to use. You may also select whether to use Server Name Indication (SNI) or IP based SSL.

insert image of SSL Bindings

Click Add Binding to save the changes and enable SSL.

Note

If you selected IP based SSL and your custom domain is configured using an A record, you must perform additional steps. These are explained in more detail in the Advanced section.

At this point, you should be able to visit your app using HTTPS:// instead of HTTP:// to verify that the certificate has been configured correctly.

Step 6 - Management tasks

Azure CLI

#!/bin/bash

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name myResourceGroup

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group myResourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group myResourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group myResourceGroup \
--hostname $fqdn

# Upload the SSL certificate and capture its thumbprint (the variable name must match
# the one used in the bind step below).
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
--certificate-password "$pfxPassword" --name $webappname --resource-group myResourceGroup \
--query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint "$thumbprint" --ssl-type SNI \
--name $webappname --resource-group myResourceGroup

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzureRmResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzureRmAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzureRmWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzureRmAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzureRmWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzureRmWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled
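To confirm that the binding created by either script actually serves the purchased certificate (the SNI case here, and the IP based SSL case described in the Advanced section), here is an added check script that is not part of the tutorial. It assumes openssl is installed and takes the thumbprint value that the Azure CLI script stores in $thumbprint.

```bash
#!/bin/bash
# Added example, not part of the tutorial: confirm that an App Service SSL binding
# serves the expected certificate by comparing the SHA-1 thumbprint presented on
# port 443 with the one returned by "az webapp config ssl upload". Assumes openssl.

# Normalize a thumbprint to uppercase hex without separators, so the Azure CLI
# form ("AB12...") and the openssl form ("AB:12:...") compare equal.
normalize_thumbprint() {
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Extract the digest from an "openssl x509 -fingerprint" line such as
# "SHA1 Fingerprint=AB:12:..." and normalize it.
parse_fingerprint_line() {
  normalize_thumbprint "${1#*=}"
}

# Print the thumbprint of the leaf certificate served on port 443.
# with_sni=1 sends the host name in the TLS handshake (what browsers do and what an
# SNI binding needs); with_sni=0 omits it, which is the case an IP based SSL binding
# must also satisfy, since a client without SNI gets the IP address's default cert.
served_thumbprint() {
  local fqdn="$1" with_sni="$2"
  if [ "$with_sni" = 1 ]; then
    openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$fqdn:443" </dev/null 2>/dev/null
  fi | openssl x509 -noout -fingerprint -sha1 2>/dev/null \
     | { IFS= read -r line && parse_fingerprint_line "$line"; }
}

# Exit 0 when the served thumbprint matches the expected one, 1 otherwise.
check_ssl_binding() {
  local expected actual
  expected="$(normalize_thumbprint "$2")"
  actual="$(served_thumbprint "$1" "${3:-1}")"
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage (SNI binding):     check_ssl_binding www.example.com "$thumbprint" 1 && echo "binding OK"
# Usage (IP based SSL):    check_ssl_binding www.example.com "$thumbprint" 0 && echo "binding OK"
```

An SNI binding checked with with_sni=0 is expected to fail, because the server then has no host name to select the certificate by.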

Advanced

Verifying Domain Ownership

There are two more types of domain verification supported by App Service Certificates: Mail and Manual verification.

Mail Verification

A verification email has already been sent to the email address(es) associated with this custom domain. To complete the email verification step, open the email and click the verification link.

insert image of email verification

If you need to resend the verification email, click the Resend Email button.

Manual Verification

Important

HTML Web Page Verification (only works with the Standard Certificate SKU)

  1. Create an HTML file named "starfield.html".

  2. The content of this file should be exactly the Domain Verification Token. (You can copy the token from the Domain Verification Status blade.)

  3. Upload this file to the root of the web server hosting your domain so that it is served at /.well-known/pki-validation/starfield.html.

  4. Click Refresh to update the certificate status after verification is completed. It might take a few minutes for verification to complete.

Tip

To verify from a terminal, run curl -G http://<domain>/.well-known/pki-validation/starfield.html; the response should contain the <verification-token>.

DNS TXT Record Verification

  1. Using your DNS manager, create a TXT record on the @ subdomain with a value equal to the Domain Verification Token.

  2. Click Refresh to update the certificate status after verification is completed.

Tip

You need to create a TXT record on @.<domain> with the value <verification-token>.
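Before clicking Refresh, it is worth confirming that the artifact for whichever manual method you chose (the starfield.html page above, or the @ TXT record) is actually visible from the outside, since the CA checks it over the public Internet. The following is an added script, not part of the tutorial; it assumes curl and dig are installed and that the domain and token are passed by the caller.

```bash
#!/bin/bash
# Added example, not part of the tutorial: pre-flight checks for the two manual
# verification methods of App Service Certificates. Assumes curl and dig.

# Return 0 when a fetched page body is exactly the verification token.
# The file must hold nothing but the token; a trailing newline or CRLF is tolerated.
html_token_matches() {
  [ "$(printf '%s' "$1" | tr -d '\r\n')" = "$2" ]
}

# Return 0 when one of the TXT records (one per line, surrounded by double quotes,
# as "dig +short TXT" prints them) equals the token. Unrelated records on the same
# @ name, such as an SPF record, are ignored.
txt_record_matches() {
  printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -Fxq -- "$2"
}

# Fetch http://<domain>/.well-known/pki-validation/starfield.html and compare.
# Exit 2 if the page cannot be fetched at all, 1 if the content is wrong.
check_html_verification() {
  local body
  body=$(curl -fsS "http://$1/.well-known/pki-validation/starfield.html") || return 2
  html_token_matches "$body" "$2"
}

# Query the TXT records on the @ (apex) name and compare.
check_dns_verification() {
  local records
  records=$(dig +short TXT "$1") || return 2
  txt_record_matches "$records" "$2"
}

# Usage: check_html_verification example.com "$TOKEN" && echo "HTML token in place"
#        check_dns_verification  example.com "$TOKEN" && echo "TXT record in place"
```

Remember that a freshly published TXT record may not be visible from outside your network until the zone's TTL has expired on resolvers that cached the old answer.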

Assign Certificate to App Service App

If you selected IP based SSL and your custom domain is configured using an A record, you must perform the following additional steps:

After you have configured an IP based SSL binding, a dedicated IP address is assigned to your app. You can find this IP address on the Custom domain page under the Settings of your app, right above the Hostnames section. It is listed as External IP Address.

insert image of IP SSL

Note that this IP address is different from the virtual IP address used previously to configure the A record for your domain. If the app is configured to use SNI based SSL, or is not configured to use SSL, no address is listed for this entry.

Using the tools provided by your domain name registrar, modify the A record for your custom domain name to point to the IP address from the previous step.

Rekey and Sync the Certificate

If you ever need to rekey your certificate, select the Rekey and Sync option from the Certificate Properties blade.

Click the Rekey button to initiate the process. This process can take 1-10 minutes to complete.

insert image of ReKey SSL

Rekeying your certificate rolls the certificate with a new certificate issued from the certificate authority.

Next Steps