Buy and Configure an SSL Certificate for your Azure App Service
By default, Azure App Service already enables HTTPS for your web app with a wildcard certificate for the .azurewebsites.net domain. If you don't plan to configure a custom domain, then you can benefit from the default HTTPS certificate. However, like all wildcard domains, it is not as secure as using a custom domain with your own certificate.
Azure App Service now provides a simplified way to purchase and manage an SSL certificate directly from the Azure Portal, without ever leaving the portal.
This article explains how to buy and configure an SSL certificate for your Azure App Service in 3 simple steps.
SSL certificates for custom domain names cannot be used with Free and Shared web apps. You must configure your web app for Basic, Standard or Premium mode, which may change how much you are billed for your subscription. See Web Apps Pricing Details for more information.
Please do not attempt to purchase an SSL Certificate using a subscription that does not have an Active Credit Card associated with it. This could result in your subscription being disabled.
To enable HTTPS for a custom domain, such as contoso.com, you must first configure a custom domain name in Azure App Service.
Before requesting an SSL certificate, you must first determine which domain names will be secured by the certificate. This determines what type of certificate you must obtain. If you just need to secure a single domain name such as contoso.com or www.contoso.com, a Standard (basic) certificate is sufficient. If you need to secure multiple domain names, such as contoso.com, www.contoso.com, and mail.contoso.com, then you can get a wildcard certificate.
In this Step, you will learn how to place an Order for an SSL Certificate of your choice.
In the Azure Portal, click Browse, type "App Service Certificates" in the search bar, select "App Service Certificates" from the results, and click Add.
- Enter a friendly name for your SSL certificate.
Enter Host Name
This is one of the most critical parts of the purchase process. Make sure to enter the correct host name (custom domain) that you want to protect with this certificate. DO NOT prefix the host name with www. For example, if your custom domain name is www.contoso.com, then enter just contoso.com in the Host Name field; the certificate will protect both the www and root domains.
Select your subscription.
If you have multiple subscriptions, make sure to create the SSL certificate in the same subscription that you used for the custom domain or web app in question.
Select or create a resource group.
Resource groups enable you to manage related Azure resources as a unit and are useful when establishing role-based access control (RBAC) rules for your apps. For more information, see Managing your Azure resources.
Select the Certificate SKU
Finally, select the certificate SKU that fits your needs and click Create. Today, Azure App Service allows you to purchase two different SKUs:
- S1 – Standard certificate with 1-year validity and auto renewal
- W1 – Wildcard certificate with 1-year validity and auto renewal
See Web Apps Pricing Details for more information.
SSL certificate creation takes anywhere from 1 – 10 minutes. This process performs multiple steps in the background that would otherwise be very cumbersome to perform manually.
In this Step, you will learn how to store the SSL certificate that you purchased in an Azure Key Vault of your choice.
Once the SSL certificate purchase is complete, you will need to manually open the App Service Certificates resource blade by browsing to it again (see Step 1 above).
You will notice that the certificate status is "Pending Issuance", as there are a few more steps you need to complete before you can start using this certificate.
- Click "Certificate Configuration" in the Certificate Properties blade and click "Step 1: Store" to store this certificate in Azure Key Vault.
From the "Key Vault Status" blade, click "Key Vault Repository" to choose an existing Key Vault to store this certificate, OR "Create New Key Vault" to create a new Key Vault in the same subscription and resource group.
Azure Key Vault charges a very small amount for storing this certificate. See Azure Key Vault Pricing Details for more information.
Once you have selected the Key Vault repository to store this certificate in, store it by clicking the "Store" button at the top of the "Key Vault Status" blade.
This completes the step of storing the certificate you purchased in the Azure Key Vault of your choice. Upon refreshing the blade, you should see a green check mark against this step as well.
In this Step, you will learn how to perform Domain Ownership Verification for an SSL Certificate that you just placed an order for.
Click "Step 2: Verify" in the "Certificate Configuration" blade. There are 3 types of domain verification supported by App Service Certificates.
- This is the most convenient process ONLY IF you have purchased your custom domain from Azure App Service.
- Click the "Verify" button to complete this step.
- Click "Refresh" to update the certificate status after verification is completed. It might take a few minutes for verification to complete.
- A verification email has already been sent to the email address(es) associated with this custom domain.
- Open the email and click the verification link to complete the Email Verification step.
- If you need to resend the verification email, click the "Resend Email" button.
HTML Web Page Verification (only works with Standard Certificate SKU)
- Create an HTML file named "starfield.html".
- The content of this file should be exactly the Domain Verification Token. (You can copy the token from the Domain Verification Status blade.)
- Upload this file to the root of the web server hosting your domain, at /.well-known/pki-validation/starfield.html.
- Click "Refresh" to update the certificate status after verification is completed. It might take a few minutes for verification to complete.
For example, if you are buying a standard certificate for contosocertdemo.com with Domain Verification Token tgjgthq8d11ttaeah97s3fr2sh then a web request made to http://contosocertdemo.com/.well-known/pki-validation/starfield.html should return tgjgthq8d11ttaeah97s3fr2sh.
DNS TXT Record Verification
- Using your DNS manager, create a TXT record on the '@' subdomain with a value equal to the Domain Verification Token.
For example, in order to perform validation for a wildcard certificate with hostname *.contosocertdemo.com or *.subdomain.contosocertdemo.com and Domain Verification Token tgjgthq8d11ttaeah97s3fr2sh, you need to create a TXT record on contosocertdemo.com with value tgjgthq8d11ttaeah97s3fr2sh.
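As an added pre-flight check (example code, not part of this article or of Microsoft's tooling), the following Python script confirms that the starfield.html file or the DNS TXT record described above actually carries the Domain Verification Token before you click "Verify". It assumes that `dig` is installed for the live DNS lookup and that the zone apex is the last two labels of the host name; the domain and token are the article's example values.

```python
"""Pre-flight check for the HTML and DNS TXT verification methods above."""
import subprocess
import urllib.request

# Constructed values, taken from the article's own example.
EXAMPLE_DOMAIN = "contosocertdemo.com"
EXAMPLE_TOKEN = "tgjgthq8d11ttaeah97s3fr2sh"
WELL_KNOWN_PATH = "/.well-known/pki-validation/starfield.html"


def html_body_matches(body: bytes, token: str) -> bool:
    """True when the served starfield.html is exactly the token.
    A UTF-8 BOM or trailing newline left by an editor is tolerated
    (assumption: the validator ignores surrounding whitespace); an HTML
    wrapper injected by the hosting platform is not, and fails the check."""
    return body.decode("utf-8-sig", errors="replace").strip() == token


def txt_records_match(records, token: str) -> bool:
    """True when any TXT record equals the token. Accepts the quoted form
    printed by `dig +short TXT`, including long records split as "abc" "def"."""
    cleaned = [r.strip().strip('"').replace('" "', "") for r in records]
    return token in cleaned


def txt_record_name(hostname: str) -> str:
    """Name the TXT record must live on: the '@' (apex) of the domain, which
    the article uses even for *.subdomain.contosocertdemo.com. Assumption:
    the apex is the last two labels (true for .com, not for e.g. .co.uk)."""
    bare = hostname[2:] if hostname.startswith("*.") else hostname
    return ".".join(bare.split(".")[-2:])


def check_html(hostname: str, token: str) -> bool:
    """Live check over plain HTTP, the way the article says the validator requests it."""
    url = f"http://{hostname}{WELL_KNOWN_PATH}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return html_body_matches(resp.read(), token)


def check_dns(hostname: str, token: str) -> bool:
    """Live check using the local `dig` binary (assumption: dig is installed)."""
    out = subprocess.run(["dig", "+short", "TXT", txt_record_name(hostname)],
                         capture_output=True, text=True, check=True).stdout
    return txt_records_match(out.splitlines(), token)


if __name__ == "__main__":
    print("HTML:", check_html(EXAMPLE_DOMAIN, EXAMPLE_TOKEN))
    print("DNS: ", check_dns("*." + EXAMPLE_DOMAIN, EXAMPLE_TOKEN))
```

Run it against your own domain and token after uploading the file or publishing the record; a False result means the portal's Verify step will fail too.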
In this Step, you will learn how to assign this newly purchased certificate to your App Service Apps.
Before performing the steps in this section, you must have associated a custom domain name with your app. For more information, see Configuring a custom domain name for a web app.
- In your browser, open the Azure Portal.
- Click the App Service option on the left side of the page.
- Click the name of your app to which you want to assign this certificate.
- In Settings, click SSL certificates.
- Click Import App Service Certificate and select the certificate that you just purchased.
- In the SSL bindings section, click Add bindings.
In the Add SSL Binding blade, use the dropdowns to select the domain name to secure with SSL and the certificate to use. You may also select whether to use Server Name Indication (SNI) or IP based SSL.
- IP based SSL associates a certificate with a domain name by mapping the dedicated public IP address of the server to the domain name. This requires each domain name (contoso.com, fabrikam.com, etc.) associated with your service to have a dedicated IP address. This is the traditional method of associating SSL certificates with a web server.
- SNI based SSL is an extension to SSL and **[Transport Layer Security](http://en.wikipedia.org/wiki/Transport_Layer_Security)** (TLS) that allows multiple domains to share the same IP address, with separate security certificates for each domain. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI; however, older browsers may not support SNI. For more information on SNI, see the **[Server Name Indication](http://en.wikipedia.org/wiki/Server_Name_Indication)** article on Wikipedia.
- Click Add Binding to save the changes and enable SSL.
If you selected IP based SSL and your custom domain is configured using an A record, you must perform the following additional steps:
After you have configured an IP based SSL binding, a dedicated IP address is assigned to your app. You can find this IP address on the Custom domain page under the settings of your app, right above the Hostnames section. It will be listed as External IP Address.
Note that this IP address will be different from the virtual IP address used previously to configure the A record for your domain. If you are configured to use SNI based SSL, or are not configured to use SSL, no address will be listed for this entry.
Using the tools provided by your domain name registrar, modify the A record for your custom domain name to point to the IP address from the previous step. At this point, you should be able to visit your app using HTTPS:// instead of HTTP:// to verify that the certificate has been configured correctly.
You can create a local PFX copy of an App Service certificate so that you can use it with other Azure services. For more information, read our blog post.
To toggle the Auto Renew settings for your certificate, or to manually renew your certificate, select the "Auto Renew Settings" option from the "Certificate Properties" blade.
Turn "Auto Renew" ON if you would like to automatically renew your certificate before it expires. This is the default option. If turned on, we attempt to renew your certificate starting on the 90th day before expiration. If you have created SSL bindings on your App Service apps using the Azure portal experience, those bindings will be updated as well with the new certificate once it is ready (just like the Rekey and Sync scenario). On the other hand, if you would like to take care of renewals manually, turn this setting off. You can manually renew an App Service Certificate only if its expiration is within 90 days.
- For security reasons, if you ever need to rekey your certificate, select the "Rekey and Sync" option from the "Certificate Properties" blade.
- Click the "Rekey" button to initiate the process. This process can take 1-10 minutes to complete.
- Rekeying your certificate will roll it over to a new certificate issued by the certificate authority.
- You will not be charged for the Rekeying for the lifetime of the certificate.
- Rekeying your certificate will go through the Pending Issuance state.
- Once the certificate is ready make sure you sync your resources using this certificate to prevent disruption to the service.
- Sync option is not available for Certificates that are not yet assigned to the Web App.
- Enable HTTPS for an app in Azure App Service
- Buy and Configure a custom domain name in Azure App Service
- Microsoft Azure Trust Center
- Configuration options unlocked in Azure Web Sites
- Azure Management Portal
If you want to get started with Azure App Service before signing up for an Azure account, go to Try App Service, where you can immediately create a short-lived starter web app in App Service. No credit cards required; no commitments.