Buy and Configure an SSL Certificate for your Azure App Service

This tutorial shows you how to secure your web app by purchasing an SSL certificate for your Azure App Service, securely storing it in Azure Key Vault, and associating it with a custom domain.

Step 1 - Log in to Azure

Log in to the Azure portal at https://portal.azure.com

Step 2 - Place an SSL Certificate order

You can place an SSL Certificate order by creating a new App Service Certificate in the Azure portal.

Certificate Creation

Enter a friendly name for your SSL certificate and enter the Domain Name.

Note

This step is one of the most critical parts of the purchase process. Make sure to enter the correct host name (custom domain) that you want to protect with this certificate. Do NOT prefix the host name with www.

Select your Subscription, Resource Group, and Certificate SKU

Warning

App Service Certificates can only be used by other App Services within the same subscription.

Step 3 - Store the certificate in Azure Key Vault

Note

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services.

Once the SSL Certificate purchase is complete, open the App Service Certificates page.

insert image of ready to store in KV

The certificate status is “Pending Issuance”, as there are a few more steps you need to complete before you can start using this certificate.

Click Certificate Configuration in the Certificate Properties page and click Step 1: Store to store this certificate in Azure Key Vault.

From the Key Vault Status page, click Key Vault Repository to choose an existing Key Vault to store this certificate in, OR Create New Key Vault to create a new Key Vault in the same subscription and resource group.

Note

Azure Key Vault has minimal charges for storing this certificate. For more information, see Azure Key Vault Pricing Details.

Once you have selected the Key Vault Repository to store this certificate in, the Store option should show success.

insert image of store success in KV

Step 4 - Verify the Domain Ownership

From the same Certificate Configuration page you used in Step 3, click Step 2: Verify.

Choose the preferred domain verification method.

There are four types of domain verification supported by App Service Certificates: App Service, Domain, Mail, and Manual Verification. These verification types are explained in more detail in the Advanced section.

Note

App Service Verification is the most convenient option when the domain you want to verify is already mapped to an App Service app in the same subscription. It takes advantage of the fact that the App Service app has already verified the domain ownership.

Click on Verify button to complete this step.

insert image of domain verification

After clicking Verify, use the Refresh button until the Verify option shows success.

insert image of verify success in KV

Step 5 - Assign Certificate to App Service App

Note

Before performing the steps in this section, you must have associated a custom domain name with your app. For more information, see Configuring a custom domain name for a web app.

In the Azure portal, click the App Service option on the left of the page.

Click the name of your app to which you want to assign this certificate.

In the Settings, click SSL certificates.

Click Import App Service Certificate and select the certificate that you just purchased.

insert image of Import Certificate

In the SSL bindings section, click Add Binding and use the dropdowns to select the domain name to secure with SSL and the certificate to use. You may also select whether to use Server Name Indication (SNI) or IP based SSL. SNI lets multiple host names share one IP address; IP based SSL assigns a dedicated IP address to the app and only serves clients that cannot send SNI.

insert image of SSL Bindings

Click Add Binding to save the changes and enable SSL.

Note

If you selected IP based SSL and your custom domain is configured using an A record, you must perform additional steps. These are explained in more detail in the Advanced section.

At this point, you should be able to visit your app using https:// instead of http:// to verify that the certificate has been configured correctly: the browser should show no certificate warning and the certificate presented should be the one you bound, not the default *.azurewebsites.net certificate.
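A way to confirm that from a terminal rather than by eye, added here as an example and not part of the original tutorial: compare the SHA-1 thumbprint of the certificate you bound with the fingerprint of the certificate the app actually presents during a TLS handshake for your host name. It assumes openssl and the Azure CLI are installed and that you are signed in; the host name and resource group are placeholders, and reading the bound thumbprint back relies on the hostNames field that az webapp config ssl list returns for each certificate.

```bash
#!/bin/bash
# Added example, not from the tutorial: does the app serve the certificate you bound?
# Assumptions: openssl and az are installed and you are signed in; the values marked
# "placeholder" are yours to replace.

# Reduce either tool's output to bare upper-case hex so they can be compared.
# az prints "ABCD...", openssl prints "SHA1 Fingerprint=AB:CD:..." and a pasted
# value may be lower-case or carry spaces and a trailing newline.
normalize_thumbprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Fingerprint of the leaf certificate presented for a host. -servername sends SNI;
# without it App Service answers with the default *.azurewebsites.net certificate,
# which is the usual reason a correct SNI binding appears "not to work".
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1
}

# Returns 0 when the served certificate matches the expected thumbprint,
# 1 on mismatch, 2 when no certificate could be retrieved at all.
check_binding() {
    host="$1"
    expected=$(normalize_thumbprint "$2")
    actual=$(normalize_thumbprint "$(served_fingerprint "$host")")
    if [ -z "$actual" ]; then
        echo "no certificate received from $host; TLS handshake failed?" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $host presents $actual, bound thumbprint is $expected" >&2
        return 1
    fi
    echo "OK: $host presents $actual"
}

# Usage: pass --run after filling in the placeholders. The bound thumbprint is read
# back from the app with az, so the check does not depend on a hand-copied value.
if [ "${1:-}" = "--run" ]; then
    fqdn="www.example.com"          # placeholder: your custom domain
    resourceGroup="myResourceGroup" # placeholder: the app's resource group
    bound=$(az webapp config ssl list --resource-group "$resourceGroup" \
        --query "[?contains(hostNames, '$fqdn')].thumbprint | [0]" --output tsv)
    check_binding "$fqdn" "$bound"
fi
```

A mismatch with a non-empty fingerprint almost always means the request was answered by a different binding (wrong host name, or an IP based binding on a host that still resolves to the old address); an empty fingerprint means the handshake itself failed, which points at DNS or the binding being absent rather than at the certificate.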

Step 6 - Management tasks

Azure CLI

#!/bin/bash

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name "$resourceGroup"

# Create an App Service plan in Basic tier (minimum required by custom SSL certificates).
az appservice plan create --name "$webappname" --resource-group "$resourceGroup" --sku B1

# Create a web app.
az webapp create --name "$webappname" --resource-group "$resourceGroup" \
--plan "$webappname"

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to the DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name "$webappname" --resource-group "$resourceGroup" \
--hostname "$fqdn"

# Upload the SSL certificate and capture its thumbprint. The PFX password is passed on
# the command line, so it is visible in the local process list while the command runs;
# keep this script's copy of it out of version control.
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
--certificate-password "$pfxPassword" --name "$webappname" --resource-group "$resourceGroup" \
--query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the web app using SNI.
az webapp config ssl bind --certificate-thumbprint "$thumbprint" --ssl-type SNI \
--name "$webappname" --resource-group "$resourceGroup"

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzureRmResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzureRmAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzureRmWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to the DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the 
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzureRmAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzureRmWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzureRmWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

Advanced

Verifying Domain Ownership

There are three more types of domain verification supported by App Service Certificates besides App Service Verification: Mail, Domain, and Manual Verification.

Mail Verification

A verification email has already been sent to the email address(es) associated with this custom domain. To complete the Email verification step, open the email and click the verification link.

insert image of email verification

If you need to resend the verification email, click the Resend Email button.

Domain Verification

Choose this option only for an App Service domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and completes the process.

Manual Verification

Important

HTML Web Page Verification (only works with Standard Certificate SKU)

  1. Create an HTML file named "starfield.html"

  2. The content of this file should be exactly the Domain Verification Token, nothing else. (You can copy the token from the Domain Verification Status page.)

  3. Upload this file to the web server hosting your domain so that it is served at /.well-known/pki-validation/starfield.html, reachable over plain HTTP.

  4. Click Refresh to update the certificate status after verification is completed. It might take a few minutes for verification to complete.

Tip

Verify from a terminal with curl -s http://<domain>/.well-known/pki-validation/starfield.html; the response body should consist of the <verification-token>. A redirect, an HTML error page, or a response that merely contains the token inside other markup will not pass.

DNS TXT Record Verification

  1. Using your DNS manager, create a TXT record on the @ (apex) name of the domain with a value equal to the Domain Verification Token.
  2. Click “Refresh” to update the certificate status after verification is completed.

Tip

You need to create a TXT record on @.<domain> (that is, on <domain> itself, not on www) with the value <verification-token>. Other TXT records at the apex, such as SPF, can stay; the verifier only needs one record whose value equals the token.
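Both manual checks, scripted so they can be run from a terminal before clicking Refresh. This is an added example and not part of the original tutorial; it assumes curl and dig are installed, uses example.com and an invented token as placeholders, and tolerates the things that usually make a correct-looking token fail to match: a CRLF or trailing newline in the uploaded file, the quotes that dig prints around TXT strings, and unrelated TXT records (such as SPF) at the apex.

```bash
#!/bin/bash
# Added example, not from the tutorial: check the HTML-file and DNS TXT verification
# artefacts from the outside, the way the CA's validator will see them.
# Assumptions: curl and dig are installed; example.com and the token are placeholders.

# Does an observed value equal the token? Strips CR/LF and double quotes (dig prints
# TXT strings quoted) and surrounding whitespace, so an editor's trailing newline does
# not produce a false mismatch. An empty value never matches.
token_matches() {
    observed=$(printf '%s' "$1" | tr -d '\r\n"' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -n "$observed" ] && [ "$observed" = "$2" ]
}

# Does any of several TXT records (one per line, as `dig +short` prints them) equal
# the token? Other records at the apex, e.g. SPF, are ignored. -x matches whole lines
# and -F treats the token literally, so no part of it is read as a regex.
txt_has_token() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | tr -d '"\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# HTML web page verification: fetch the token file over plain HTTP, which is what the
# validator does. Anything other than HTTP 200 (a redirect to HTTPS, a 404) is reported
# instead of followed, because the validator may not follow it either.
check_http_token() {
    url="http://$1/.well-known/pki-validation/starfield.html"
    tmp=$(mktemp)
    status=$(curl -sS --max-time 10 -o "$tmp" -w '%{http_code}' "$url") || { rm -f "$tmp"; return 2; }
    body=$(cat "$tmp"); rm -f "$tmp"
    if [ "$status" != "200" ]; then
        echo "$url returned HTTP $status instead of 200" >&2
        return 1
    fi
    if token_matches "$body" "$2"; then
        echo "OK: token served at $url"
    else
        echo "$url is served but its content does not equal the token" >&2
        return 1
    fi
}

# DNS TXT record verification: query the apex of the domain, not www.
check_dns_token() {
    records=$(dig +short TXT "$1") || return 2
    if txt_has_token "$records" "$2"; then
        echo "OK: TXT record with the token found at $1"
    else
        echo "no TXT record at $1 equals the token; records seen:" >&2
        printf '%s\n' "$records" >&2
        return 1
    fi
}

# Usage: pass --run after filling in the placeholders.
if [ "${1:-}" = "--run" ]; then
    domain="example.com"      # placeholder: the bare domain from Step 2 (no www)
    token="0123456789abcdef"  # placeholder: the Domain Verification Token
    check_http_token "$domain" "$token"
    check_dns_token "$domain" "$token"
fi
```

Run the DNS check from a resolver other than the one you just updated the record with (dig accepts @8.8.8.8 or another public resolver); a record that only your registrar's resolver returns has not propagated yet, and the portal will keep reporting a pending verification until it has.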

Assign Certificate to App Service App

If you selected IP based SSL and your custom domain is configured using an A record, you must perform the following additional steps:

After you have configured an IP based SSL binding, a dedicated IP address is assigned to your app. You can find this IP address on the Custom domains page under the settings of your app, right above the Hostnames section. It is listed as External IP Address.

insert image of IP SSL

This IP address is different from the virtual IP address you used previously to configure the A record for your domain. If the app uses SNI based SSL, or is not configured to use SSL, no address is listed for this entry.

Using the tools provided by your domain name registrar, modify the A record for your custom domain name to point to the IP address from the previous step.

Rekey and Sync the Certificate

If you ever need to rekey your certificate, select the Rekey and Sync option from the Certificate Properties page.

Click the Rekey button to initiate the process. This process can take 1 to 10 minutes to complete.

insert image of Rekey SSL

Rekeying your certificate rolls the certificate with a new certificate issued from the certificate authority.

Why is my SSL certificate not auto-renewed?

If your SSL certificate is configured for auto-renewal, but it is not automatically renewed, you may have a pending domain verification. Note the following:

  • GoDaddy, which issues App Service certificates, requires domain verification once every three years. The domain administrator receives an email once every three years to verify the domain. Failure to check the email or verify your domain prevents the App Service certificate from being automatically renewed.
  • All App Service certificates issued prior to March 31 2017 require reverification of domain at the time of next renewal (even if the auto-renewal is enabled for the certificate). This is a result of change in GoDaddy policy. Check your email and complete this one-time domain verification to continue the auto-renewal of the App Service certificate.

More resources