Bind a custom SSL certificate to a function app

This sample script creates a function app in App Service with its related resources, then binds the SSL certificate of a custom domain name to it. For this sample, you need:

  • Access to your domain registrar's DNS configuration page.
  • A valid .PFX file and its password for the SSL certificate you want to upload and bind.
  • An A record configured in your custom domain that points to your web app's default domain name. For more information, see the Map custom domain instructions for Azure App Service.

To bind an SSL certificate, your function app must be created in a Premium plan or an App Service plan and not in a Consumption plan.

If you don't have an Azure subscription, create a free account before you begin.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. Cloud Shell lets you use either bash or PowerShell to work with Azure services. You can use the Cloud Shell pre-installed commands to run the code in this article without having to install anything on your local environment.

To launch Azure Cloud Shell:

  • Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
  • Go to https://shell.azure.com or select the Launch Cloud Shell button to open Cloud Shell in your browser.
  • Select the Cloud Shell button on the top-right menu bar in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Launch Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.

  4. Press Enter to run the code.

If you choose to install and use the CLI locally, you must be running the Azure CLI version 2.0 or later. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

Sample script

#!/bin/bash

# Function app and storage account names must be unique.
storageName=mystorageaccount$RANDOM
functionAppName=myconsumptionfunc$RANDOM

# TODO:
# Before starting, go to your DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure an A record 
# and point it to your web app's default domain name. 
# Replace the three placeholder values below; keep the quotes so that paths and
# passwords containing spaces or shell metacharacters are passed intact.
fqdn="<Replace with www.{yourcustomdomain}>"
pfxPath="<Replace with path to your .PFX file>"
pfxPassword="<Replace with your .PFX password>"

# Create a resource group
az group create \
  --name myResourceGroup \
  --location westeurope

# Create an Azure storage account
az storage account create \
  --name $storageName \
  --location westeurope \
  --resource-group myResourceGroup \
  --sku Standard_LRS

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create \
  --name FunctionAppWithAppServicePlan \
  --location westeurope \
  --resource-group myResourceGroup \
  --sku B1

# Create a Function App
az functionapp create \
  --name $functionAppName \
  --storage-account $storageName \
  --plan FunctionAppWithAppServicePlan \
  --resource-group myResourceGroup

# Map your prepared custom domain name to the function app.
az functionapp config hostname add \
  --name $functionAppName \
  --resource-group myResourceGroup \
  --hostname "$fqdn"

# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az functionapp config ssl upload \
  --certificate-file "$pfxPath" \
  --certificate-password "$pfxPassword" \
  --name $functionAppName \
  --resource-group myResourceGroup \
  --query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the function app.
az functionapp config ssl bind \
  --certificate-thumbprint $thumbprint \
  --ssl-type SNI \
  --name $functionAppName \
  --resource-group myResourceGroup

echo "You can now browse to https://$fqdn"
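
The following pre-flight check is an added example, not part of the original sample script. It verifies with OpenSSL that the .PFX opens with the given password, contains a private key, is not about to expire, and covers the custom domain, before anything is uploaded. The function name check_pfx and the PFX_PASSWORD environment variable are hypothetical, and OpenSSL 1.1.1 or later is assumed.

```bash
#!/bin/bash
# Added example: pre-flight checks on the .PFX before uploading it.
# check_pfx and PFX_PASSWORD are hypothetical names; requires OpenSSL 1.1.1+.

# Usage: PFX_PASSWORD=... check_pfx <pfx-path> <fqdn> [min-days-valid]
# The password is read from the environment so it does not appear in
# command-line arguments. Prints the SHA-1 thumbprint on success.
check_pfx() {
  local pfx="$1" host="$2" days="${3:-30}" cert
  [ -r "$pfx" ] || { echo "cannot read $pfx" >&2; return 2; }

  # Extract the leaf certificate; this fails on a wrong password or bad file.
  cert=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys \
           -passin env:PFX_PASSWORD 2>/dev/null | openssl x509 2>/dev/null) || true
  [ -n "$cert" ] || { echo "cannot open PFX (wrong password?)" >&2; return 3; }

  # The bundle must carry the private key, or the binding cannot serve TLS.
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD 2>/dev/null \
    | grep -q 'PRIVATE KEY' || { echo "no private key in PFX" >&2; return 4; }

  # Reject certificates that expire within the next $days days.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "certificate expires within $days days" >&2; return 5; }

  # The certificate's names must cover the custom domain being bound.
  printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$host" 2>&1 \
    | grep -q 'does match' || { echo "certificate does not cover $host" >&2; return 6; }

  # Upper-case hex SHA-1 fingerprint without colons.
  printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Example call (values are placeholders):
#   export PFX_PASSWORD='...'; check_pfx ./site.pfx www.example.com 30
```

The value printed on success is the certificate's SHA-1 thumbprint, which can be compared with the thumbprint returned by az functionapp config ssl upload to confirm the intended certificate was bound.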

Clean up deployment

After the sample script has been run, the following command can be used to remove the resource group and all resources associated with it.

az group delete --name myResourceGroup

Script explanation

This script uses the following commands. Each command in the table links to command-specific documentation.

Command                               Notes
az group create                       Creates a resource group in which all resources are stored.
az storage account create             Creates a storage account required by the function app.
az appservice plan create             Creates an App Service plan required to bind SSL certificates.
az functionapp create                 Creates a function app in the App Service plan.
az functionapp config hostname add    Maps a custom domain to a function app.
az functionapp config ssl upload      Uploads an SSL certificate to a function app.
az functionapp config ssl bind        Binds an uploaded SSL certificate to a function app.

Next steps

For more information on the Azure CLI, see Azure CLI documentation.

Additional App Service CLI script samples can be found in the Azure App Service documentation.