
Tutorial: Bind an existing custom SSL certificate to Azure Web Apps

Azure Web Apps provides a highly scalable, self-patching web hosting service. This tutorial shows you how to bind a custom SSL certificate that you purchased from a trusted certificate authority to Azure Web Apps. When you're finished, you'll be able to access your web app at the HTTPS endpoint of your custom DNS domain.

(Screenshot: Web app with a custom SSL certificate)

In this tutorial, you learn how to:

  • Upgrade your app's pricing tier
  • Bind your custom certificate to App Service
  • Renew certificates
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts

Note

If you need to get a custom SSL certificate, you can get one in the Azure portal directly and bind it to your web app. Follow the App Service Certificates tutorial.

Prerequisites

To complete this tutorial:

Requirements for your SSL certificate

To use a certificate in App Service, the certificate must meet all the following requirements:

  • Signed by a trusted certificate authority
  • Exported as a password-protected PFX file
  • Contains a private key at least 2048 bits long
  • Contains all intermediate certificates in the certificate chain

Note

Elliptic Curve Cryptography (ECC) certificates can work with App Service but are not covered by this article. Work with your certificate authority on the exact steps to create ECC certificates.

Prepare your web app

To bind a custom SSL certificate (a third-party certificate or App Service certificate) to your web app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in the supported pricing tier.

Log in to Azure

Open the Azure portal.

From the left menu, click App Services, and then click the name of your web app.

(Screenshot: Select the web app)

You have landed in the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

(Screenshot: Scale-up menu)

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

(Screenshot: Check the pricing tier)

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip to Upload and bind your SSL certificate.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

(Screenshot: Choose a pricing tier)

When you see the following notification, the scale operation is complete.

(Screenshot: Scale-up notification)

Bind your SSL certificate

You are ready to upload your SSL certificate to your web app.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 2>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded root certificate>
-----END CERTIFICATE-----

Export certificate to PFX

Export your merged SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. You'll use this password when uploading your SSL certificate to App Service later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate on your local machine, and then export the certificate to PFX.
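The following script is an added example, not part of the tutorial, that walks through the merge-and-export procedure above end to end. Because a real certificate authority's files cannot be embedded here, it first generates a constructed three-level chain (root CA, intermediate CA, server certificate for the made-up name www.contoso.com) with RSA 2048 keys to stand in for them; it then merges the chain in the required order (your certificate, intermediates, root), checks the App Service requirements (key length, all intermediates present, your certificate first), confirms the merged file actually chains to the root with `openssl verify`, and exports the password-protected PFX with the tutorial's `openssl pkcs12` command. The export password and all file names are assumptions. It needs the `openssl` command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the tutorial). Builds a constructed test chain, merges it in the
# order App Service requires, checks the requirements, and exports a password-protected PFX.
set -eu

# gen_test_chain DIR: writes root.crt, intermediate.crt, server.crt and server.key into DIR.
# Every name below is made up; these files stand in for what your CA would send you.
gen_test_chain() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.contoso.com\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate CA' \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out intermediate.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.contoso.com' \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null
)

# merge_chain DIR: your certificate first, then the intermediate(s), then the root,
# exactly the layout of mergedcertificate.crt shown in the tutorial.
merge_chain() (
  cd "$1"
  cat server.crt intermediate.crt root.crt > mergedcertificate.crt
)

# key_bits KEYFILE: prints the RSA modulus size of a private key (App Service minimum: 2048).
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# chain_ok DIR: checks key length, that all three certificates are present, that the server
# certificate is first (openssl x509 reads only the first PEM block, so it doubles as an
# ordering check), and that the merged file really chains up to the root.
chain_ok() (
  cd "$1"
  [ "$(key_bits server.key)" -ge 2048 ] || { echo 'private key shorter than 2048 bits' >&2; return 1; }
  [ "$(grep -c 'BEGIN CERTIFICATE' mergedcertificate.crt)" -eq 3 ] \
    || { echo 'merged file is missing certificates' >&2; return 1; }
  [ "$(openssl x509 -in mergedcertificate.crt -noout -subject)" = "$(openssl x509 -in server.crt -noout -subject)" ] \
    || { echo 'server certificate is not first in the merged file' >&2; return 1; }
  openssl verify -CAfile root.crt -untrusted mergedcertificate.crt server.crt >/dev/null
)

# export_pfx DIR PASSWORD: the tutorial's export command, with the export password passed
# non-interactively so the step can run unattended.
export_pfx() (
  cd "$1"
  openssl pkcs12 -export -out myserver.pfx -inkey server.key -in mergedcertificate.crt -passout "pass:$2"
)

# pfx_cert_count PFXFILE PASSWORD: number of certificates inside the PFX. The whole chain
# must be in there, so for this test chain the answer has to be 3 (0 if the password is wrong).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# thumbprint CERTFILE: SHA-1 thumbprint without colons, the identifier App Service shows
# for an uploaded certificate.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# prepare_pfx DIR PASSWORD: the full flow; non-zero exit means a requirement was not met.
prepare_pfx() {
  gen_test_chain "$1"
  merge_chain "$1"
  chain_ok "$1"
  export_pfx "$1" "$2"
  [ "$(pfx_cert_count "$1/myserver.pfx" "$2")" -eq 3 ]
}

if [ "${1:-}" = '--run' ]; then
  dir=$(mktemp -d)
  prepare_pfx "$dir" 'example-export-password'   # constructed password, for the demo only
  echo "PFX written to $dir/myserver.pfx, thumbprint $(thumbprint "$dir/server.crt")"
fi
```

Run it with `sh prepare_pfx.sh --run`. To use it on real files, skip `gen_test_chain` and point `merge_chain`, `chain_ok` and `export_pfx` at the certificate files your CA sent you and the private key from your certificate request; `chain_ok` is the part worth keeping in a pipeline, since a PFX missing an intermediate uploads fine but produces exactly the browser validation errors the Test HTTPS section describes. One caveat: OpenSSL 3.x writes PKCS#12 files with newer default algorithms (AES and PBKDF2 instead of RC2/3DES), which some older importers do not read; if an upload is rejected, re-run the export with the `-legacy` option of OpenSSL 3.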

Upload your SSL certificate

To upload your SSL certificate, click SSL settings in the left navigation of your web app.

Click Upload Certificate.

In PFX Certificate File, select your PFX file. In Certificate password, type the password that you created when you exported the PFX file.

Click Upload.

(Screenshot: Upload certificate)

When App Service finishes uploading your certificate, it appears in the SSL settings page.

(Screenshot: Uploaded certificate)

Bind your SSL certificate

In the SSL bindings section, click Add binding.

In the Add SSL Binding page, use the dropdowns to select the domain name to secure, and the certificate to use.

Note

If you have uploaded your certificate but don't see the domain name(s) in the Hostname dropdown, try refreshing the browser page.

In SSL Type, select whether to use Server Name Indication (SNI) or IP-based SSL.

  • SNI-based SSL - Multiple SNI-based SSL bindings may be added. This option allows multiple SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (find more comprehensive browser support information at Server Name Indication).
  • IP-based SSL - Only one IP-based SSL binding may be added. This option allows only one SSL certificate to secure a dedicated public IP address. To secure multiple domains, you must secure them all using the same SSL certificate. This is the traditional option for SSL binding.

Click Add Binding.

(Screenshot: Bind SSL certificate)

When App Service finishes uploading your certificate, it appears in the SSL bindings section.

(Screenshot: Certificate bound to the web app)

Remap A record for IP SSL

If you don't use IP-based SSL in your web app, skip to Test HTTPS for your custom domain.

By default, your web app uses a shared public IP address. When you bind a certificate with IP-based SSL, App Service creates a new, dedicated IP address for your web app.

If you have mapped an A record to your web app, update the record at your domain registrar with this new, dedicated IP address.

Your web app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.

Test HTTPS

All that's left to do now is to make sure that HTTPS works for your custom domain. In various browsers, browse to https://<your.custom.domain> to see that it serves up your web app.

(Screenshot: Navigate to the Azure app in the portal)

Note

If your web app gives you certificate validation errors, you're probably using a self-signed certificate.

If that's not the case, you may have left out intermediate certificates when you exported your certificate to the PFX file.

Renew certificates

Your inbound IP address can change when you delete a binding, even if that binding is IP-based. This is especially important when you renew a certificate that's already in an IP-based binding. To avoid a change in your app's IP address, follow these steps in order:

  1. Upload the new certificate.
  2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
  3. Delete the old certificate.

Enforce HTTPS

By default, anyone can still access your web app using HTTP. You can redirect all HTTP requests to the HTTPS port.

In your web app page, in the left navigation, select SSL settings. Then, in HTTPS Only, select On.

(Screenshot: Enforce HTTPS)

When the operation is complete, navigate to any of the HTTP URLs that point to your app. For example:

  • http://<app_name>.azurewebsites.net
  • http://contoso.com
  • http://www.contoso.com

Enforce TLS versions

Your app allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. To enforce different TLS versions, follow these steps:

In your web app page, in the left navigation, select SSL settings. Then, in TLS version, select the minimum TLS version you want. This setting controls inbound calls only.

(Screenshot: Enforce TLS 1.1 or 1.2)

When the operation is complete, your app rejects all connections with lower TLS versions.
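After changing the settings above it is worth confirming them from outside the platform rather than trusting the portal toggle. The script below is an added example, not part of the tutorial, that probes a custom domain for the three things the preceding sections describe: that the served certificate chain validates (the note under Test HTTPS: a self-signed certificate and a missing intermediate give distinct OpenSSL verify codes), that plain HTTP is redirected to HTTPS (HTTPS Only), and that connections offering a TLS version below the configured minimum are refused (TLS version). It assumes `curl` and the `openssl` command-line tool are installed; the hostname is whatever you pass in. The `classify_*` functions only parse tool output, so they can be exercised with constructed output and no network; the `check_*` functions run the tools against a live host.

```shell
#!/bin/sh
# Added example (not from the tutorial): external checks for the HTTPS Only and TLS version
# settings, plus a served-chain check matching the note under "Test HTTPS".
set -eu

# classify_chain_probe OUTPUT: reads the "Verify return code" line of openssl s_client output.
# Code 0 = ok; 18/19 = self-signed certificate; 20/21 = issuer not found, which is what an
# intermediate certificate left out of the PFX looks like from the client side.
classify_chain_probe() {
  code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9]*\) .*/\1/p' | head -n1)
  case "$code" in
    0) echo ok ;;
    18|19) echo self-signed ;;
    20|21) echo missing-intermediate ;;
    *) echo other ;;
  esac
}

# classify_tls_probe OUTPUT: outcome of offering exactly one TLS version to the server.
# "untestable" means the local OpenSSL refused to offer that version at all (common for
# TLS 1.0/1.1 on current distributions); it must not be read as a server-side rejection.
classify_tls_probe() {
  case "$1" in
    *'no protocols available'*|*'unknown option'*) echo untestable; return ;;
    *'Cipher is (NONE)'*) echo rejected; return ;;
  esac
  proto=$(printf '%s\n' "$1" | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n1)
  if [ -n "$proto" ]; then echo "accepted $proto"; else echo rejected; fi
}

# redirect_target HEADERS: prints the Location of a 3xx response; returns 1 otherwise.
redirect_target() {
  status=$(printf '%s\n' "$1" | head -n1 | awk '{print $2}')
  case "$status" in
    301|302|307|308) printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}' ;;
    *) return 1 ;;
  esac
}

# redirects_to_https HEADERS HOST: true only when the redirect lands on https://HOST
redirects_to_https() {
  target=$(redirect_target "$1") || return 1
  case "$target" in
    "https://$2"|"https://$2/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_chain HOST: served-chain verdict, validated against the local trust store.
# -servername is required: with SNI bindings the server picks the certificate by name.
check_chain() {
  classify_chain_probe "$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>&1 || true)"
}

# check_https_only HOST: true when http://HOST/ answers with a redirect to the HTTPS site
check_https_only() {
  redirects_to_https "$(curl -sS -o /dev/null -D - --max-time 10 "http://$1/")" "$1"
}

# check_tls HOST FLAG: FLAG is an s_client protocol option such as -tls1_1 or -tls1_2
check_tls() {
  classify_tls_probe "$(printf '' | openssl s_client -connect "$1:443" -servername "$1" "$2" 2>&1 || true)"
}

if [ "${1:-}" = '--host' ] && [ -n "${2:-}" ]; then
  echo "chain:      $(check_chain "$2")"
  echo "https-only: $(check_https_only "$2" && echo yes || echo no)"
  for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do echo "$v: $(check_tls "$2" "$v")"; done
fi
```

Run it as `sh check_tls.sh --host www.contoso.com` (a placeholder name). With a minimum TLS version of 1.2 configured, `-tls1` and `-tls1_1` should report `rejected` (or `untestable` when your own OpenSSL no longer offers them, in which case use a client that does before concluding anything), `-tls1_2` should report `accepted TLSv1.2`, and `https-only` should be `yes`.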

Automate with scripts

You can automate SSL bindings for your web app with scripts, using the Azure CLI or Azure PowerShell.

Azure CLI

The following command uploads an exported PFX file and gets the thumbprint.

thumbprint=$(az webapp config ssl upload \
    --name <app_name> \
    --resource-group <resource_group_name> \
    --certificate-file <path_to_PFX_file> \
    --certificate-password <PFX_password> \
    --query thumbprint \
    --output tsv)

The following command adds an SNI-based SSL binding, using the thumbprint from the previous command.

az webapp config ssl bind \
    --name <app_name> \
    --resource-group <resource_group_name> \
    --certificate-thumbprint $thumbprint \
    --ssl-type SNI

The following command enforces a minimum TLS version of 1.2.

az webapp config set \
    --name <app_name> \
    --resource-group <resource_group_name> \
    --min-tls-version 1.2
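The Renew certificates section above requires a specific order (upload the new certificate, bind it, and only then delete the old one) so that an IP-based binding keeps its dedicated address. The script below is an added example, not part of the tutorial, that enforces that order on top of the Azure CLI commands shown in this section. Besides the `az webapp config ssl upload` and `az webapp config ssl bind` commands from the page it uses two further standard Azure CLI subcommands, `az webapp config ssl list` and `az webapp config ssl delete`, and the `hostNames` property of the listed certificates to delete only certificates issued for the hostname being renewed, not every certificate in the resource group. App name, resource group, hostname, PFX path and password are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the tutorial): renew a bound certificate in the order that keeps
# an IP-based binding's dedicated address: upload new, bind new, then delete old.
set -eu

# other_thumbprints LIST NEW: LIST holds one thumbprint per line (the output of
# `az ... ssl list --query '[...].thumbprint' -o tsv`); prints every thumbprint except NEW,
# normalised to upper case, i.e. the certificates that go stale once NEW is bound.
other_thumbprints() {
  printf '%s\n' "$1" | tr 'a-f' 'A-F' | grep -v -i -x -e "$2" -e '' || true
}

# upload_cert APP RG PFX PASSWORD: the tutorial's upload command; prints the new thumbprint.
upload_cert() {
  az webapp config ssl upload --name "$1" --resource-group "$2" \
    --certificate-file "$3" --certificate-password "$4" --query thumbprint --output tsv
}

# renew_cert APP RG HOSTNAME PFX PASSWORD [SSL_TYPE]: the three renewal steps in order.
# SSL_TYPE is SNI (default) or IP; pass IP when the existing binding is IP-based.
renew_cert() {
  app=$1; rg=$2; host=$3; ssl_type=${6:-SNI}
  # Record the certificates currently uploaded for this hostname before anything changes.
  old=$(az webapp config ssl list --resource-group "$rg" \
    --query "[?contains(hostNames, '$host')].thumbprint" --output tsv)
  # Step 1: upload the renewed certificate.
  new=$(upload_cert "$app" "$rg" "$4" "$5")
  [ -n "$new" ] || { echo 'upload returned no thumbprint' >&2; return 1; }
  # Step 2: bind it. This replaces the existing binding for the hostname rather than
  # removing it, so the dedicated IP address of an IP-based binding is retained.
  az webapp config ssl bind --name "$app" --resource-group "$rg" \
    --certificate-thumbprint "$new" --ssl-type "$ssl_type" --output none
  # Step 3: only now delete the certificates the binding no longer references.
  other_thumbprints "$old" "$new" | while read -r t; do
    az webapp config ssl delete --resource-group "$rg" --certificate-thumbprint "$t" --output none
  done
}

# Usage (placeholders): renew_cert <app_name> <resource_group_name> www.contoso.com ./renewed.pfx "$PFX_PASSWORD"
```

Deleting by thumbprint rather than "everything that is not the new certificate" matters because `az webapp config ssl list` returns every certificate in the resource group, including ones bound to other apps. The `--query` filter on `hostNames` narrows the list to certificates for the hostname being renewed; widen it only if you know what else lives in that resource group.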

Azure PowerShell

The following command uploads an exported PFX file and adds an SNI-based SSL binding.

New-AzureRmWebAppSSLBinding `
    -WebAppName <app_name> `
    -ResourceGroupName <resource_group_name> `
    -Name <dns_name> `
    -CertificateFilePath <path_to_PFX_file> `
    -CertificatePassword <PFX_password> `
    -SslState SniEnabled

Public certificates (optional)

You can upload public certificates to your web app so the app can access an external service that requires certificate authentication. For more details on loading and using a public certificate in your app, see Use an SSL certificate in your application code in Azure App Service. You can also use public certificates with apps in App Service Environments. If you need to store the certificate in the LocalMachine certificate store, you need to use a web app on App Service Environment. For more information, see How to configure public certificates to your Web App.

(Screenshot: Upload public certificate)

Next steps

In this tutorial, you learned how to:

  • Upgrade your app's pricing tier
  • Bind your custom certificate to App Service
  • Renew certificates
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts

Advance to the next tutorial to learn how to use Azure Content Delivery Network.

For more information, see Use an SSL certificate in your application code in Azure App Service.