Bind a custom SSL certificate to a web app

This sample script creates a web app in App Service with its related resources, then binds the SSL certificate of a custom domain name to it. For this sample, you need:

  • Access to your domain registrar's DNS configuration page.
  • A valid .PFX file and its password for the SSL certificate you want to upload and bind.

If you don't have an Azure subscription, create a free account before you begin.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Just click the Copy button to copy the code, paste it into the Cloud Shell, and then press enter to run it. There are a few ways to launch the Cloud Shell:

Click Try It in the upper right corner of a code block. Cloud Shell in this article
Open Cloud Shell in your browser.
Click the Cloud Shell button on the menu in the upper right of the Azure portal. Cloud Shell in the portal

If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI 2.0.

Sample script



# Create a resource group.
az group create --location westeurope --name $resourceGroup

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the 
# instructions at to configure a CNAME record for the 
# hostname "www" and point it your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn

# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)

# Binds the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup

echo "You can now browse to https://$fqdn"

Clean up deployment

After the sample script has been run, the following command can be used to remove the resource group and all resources associated with it.

az group delete --name myResourceGroup

Script explanation

This script uses the following commands. Each command in the table links to command specific documentation.

Command Notes
az group create Creates a resource group in which all resources are stored.
az appservice plan create Creates an App Service plan.
az webapp create Creates an Azure web app.
az webapp config hostname add Maps a custom domain to a web app.
az webapp config ssl upload Uploads an SSL certificate to a web app.
az webapp config ssl bind Binds an uploaded SSL certificate to a web app.

Next steps

For more information on the Azure CLI, see Azure CLI documentation.

Additional App Service CLI script samples can be found in the Azure App Service documentation.