
Add a TLS/SSL certificate in Azure App Service

Azure App Service provides a highly scalable, self-patching web hosting service. This article shows you how to create, upload, or import a private certificate or a public certificate into App Service.

Once the certificate is added to your App Service app or function app, you can secure a custom DNS name with it or use it in your application code.

Note

A certificate uploaded into an app is stored in a deployment unit that is bound to the app's resource group and region combination (internally called a webspace). This makes the certificate accessible to other apps in the same resource group and region combination.

The following table lists the options you have for adding certificates in App Service:

Option | Description
Create a free App Service Managed Certificate (Preview) | A private certificate that's easy to use if you just need to secure your www custom domain or any non-naked domain in App Service.
Purchase an App Service certificate | A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.
Import a certificate from Key Vault | Useful if you use Azure Key Vault to manage your PKCS12 certificates. See Private certificate requirements.
Upload a private certificate | If you already have a private certificate from a third-party provider, you can upload it. See Private certificate requirements.
Upload a public certificate | Public certificates are not used to secure custom domains, but you can load them into your code if you need them to access remote resources.

Prerequisites

To follow this how-to guide:

Private certificate requirements

Note

Azure Web Apps does not support AES256, and all pfx files should be encrypted with TripleDES.

The free App Service Managed Certificate and the App Service certificate already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:

To secure a custom domain in a TLS binding, the certificate has additional requirements:

  • Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1)
  • Signed by a trusted certificate authority

Note

Elliptic Curve Cryptography (ECC) certificates can work with App Service but are not covered by this article. Work with your certificate authority on the exact steps to create ECC certificates.

Prepare your web app

To create custom TLS/SSL bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in the supported pricing tier.

Sign in to Azure

Open the Azure portal.

Search for and select App Services.

[Screenshot: Select App Services]

On the App Services page, select the name of your web app.

[Screenshot of the App Services page in the Azure portal, showing a list of all running web apps with the first app in the list highlighted.]

You have landed on the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

[Screenshot: Scale up menu]

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

[Screenshot: Check pricing tier]

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

[Screenshot: Choose pricing tier]

When you see the following notification, the scale operation is complete.

[Screenshot: Scale up notification]

Create a free certificate (Preview)

The free App Service Managed Certificate is a turn-key solution for securing your custom DNS name in App Service. It's a fully functional TLS/SSL certificate that's managed by App Service and renewed automatically. The free certificate comes with the following limitations:

  • Does not support wildcard certificates.
  • Does not support naked domains.
  • Is not exportable.
  • Is not supported on App Service Environment (ASE).
  • Does not support A records. For example, automatic renewal doesn't work with A records.

Note

The free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com

To create a free App Service Managed Certificate:

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Create App Service Managed Certificate.

[Screenshot: Create free certificate in App Service]

Any non-naked domain that's properly mapped to your app with a CNAME record is listed in the dialog. Select the custom domain to create a free certificate for and select Create. You can create only one certificate for each supported custom domain.

When the operation completes, you see the certificate in the Private Key Certificates list.

[Screenshot: Create free certificate finished]

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import an App Service Certificate

If you purchase an App Service Certificate from Azure, Azure manages the following tasks:

  • Takes care of the purchase process from GoDaddy.
  • Performs domain verification of the certificate.
  • Maintains the certificate in Azure Key Vault.
  • Manages certificate renewal (see Renew certificate).
  • Synchronizes the certificate automatically with the imported copies in App Service apps.

To purchase an App Service certificate, go to Start certificate order.

If you already have a working App Service certificate, you can:

Note

App Service Certificates are not supported in Azure National Clouds at this time.

Start certificate order

Start an App Service certificate order in the App Service Certificate create page.

[Screenshot: Start App Service certificate purchase]

Use the following table to help you configure the certificate. When finished, click Create.

Setting | Description
Name | A friendly name for your App Service certificate.
Naked Domain Host Name | Specify the root domain here. The issued certificate secures both the root domain and the www subdomain. In the issued certificate, the Common Name field contains the root domain, and the Subject Alternative Name field contains the www domain. To secure only a subdomain, specify the fully qualified domain name of the subdomain here (for example, mysubdomain.contoso.com).
Subscription | The subscription that will contain the certificate.
Resource group | The resource group that will contain the certificate. For example, you can use a new resource group or select the same resource group as your App Service app.
Certificate SKU | Determines the type of certificate to create, whether a standard certificate or a wildcard certificate.
Legal Terms | Click to confirm that you agree with the legal terms. The certificates are obtained from GoDaddy.

Note

App Service Certificates purchased from Azure are issued by GoDaddy. For some top-level domains, you must explicitly allow GoDaddy as a certificate issuer by creating a CAA domain record with the value: 0 issue godaddy.com

Store in Azure Key Vault

Once the certificate purchase process is complete, there are a few more steps you need to complete before you can start using this certificate.

Select the certificate in the App Service Certificates page, then click Certificate Configuration > Step 1: Store.

[Screenshot: Configure Key Vault storage of the App Service certificate]

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. It's the storage of choice for App Service certificates.

In the Key Vault Status page, click Key Vault Repository to create a new vault or choose an existing vault. If you choose to create a new vault, use the following table to help you configure the vault and click Create. Create the new Key Vault inside the same subscription and resource group as your App Service app.

Setting | Description
Name | A unique name that consists of alphanumeric characters and dashes.
Resource group | As a recommendation, select the same resource group as your App Service certificate.
Location | Select the same location as your App Service app.
Pricing tier | For information, see Azure Key Vault pricing details.
Access policies | Defines the applications and the allowed access to the vault resources. You can configure it later, following the steps at Assign a Key Vault access policy.
Virtual Network Access | Restricts vault access to certain Azure virtual networks. You can configure it later, following the steps at Configure Azure Key Vault Firewalls and Virtual Networks.

Once you've selected the vault, close the Key Vault Repository page. The Step 1: Store option should show a green check mark for success. Keep the page open for the next step.

Verify domain ownership

From the same Certificate Configuration page you used in the last step, click Step 2: Verify.

[Screenshot: Verify the domain for the App Service certificate]

Select App Service Verification. Since you already mapped the domain to your web app (see Prerequisites), it's already verified. Just click Verify to finish this step. Click the Refresh button until the message Certificate is Domain Verified appears.

Note

Four types of domain verification methods are supported:

  • App Service - The most convenient option when the domain is already mapped to an App Service app in the same subscription. It takes advantage of the fact that the App Service app has already verified the domain ownership.
  • Domain - Verify an App Service domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and completes the process.
  • Mail - Verify the domain by sending an email to the domain administrator. Instructions are provided when you select the option.
  • Manual - Verify the domain using either an HTML page (Standard certificate only) or a DNS TXT record. Instructions are provided when you select the option.

Import certificate into App Service

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import App Service Certificate.

[Screenshot: Import App Service certificate into App Service]

Select the certificate that you just purchased and select OK.

When the operation completes, you see the certificate in the Private Key Certificates list.

[Screenshot: Import App Service certificate finished]

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import a certificate from Key Vault

If you use Azure Key Vault to manage your certificates, you can import a PKCS12 certificate from Key Vault into App Service as long as it satisfies the requirements.

Authorize App Service to read from the vault

By default, the App Service resource provider doesn't have access to the Key Vault. In order to use a Key Vault for a certificate deployment, you need to authorize the resource provider read access to the Key Vault.

abfa0a7c-a6b6-4736-8310-5855508787cd is the resource provider service principal name for App Service, and it's the same for all Azure subscriptions. For the Azure Government cloud environment, use 6a02c803-dafd-4136-b4c3-5a6f318b4714 instead as the resource provider service principal name.

Import a certificate from your vault to your app

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate.

[Screenshot: Import Key Vault certificate into App Service]

Use the following table to help you select the certificate.

Setting | Description
Subscription | The subscription that the Key Vault belongs to.
Key Vault | The vault with the certificate you want to import.
Certificate | Select from the list of PKCS12 certificates in the vault. All PKCS12 certificates in the vault are listed with their thumbprints, but not all are supported in App Service.

When the operation completes, you see the certificate in the Private Key Certificates list. If the import fails with an error, the certificate doesn't meet the requirements for App Service.

[Screenshot: Import Key Vault certificate finished]

Note

If you update your certificate in Key Vault with a new certificate, App Service automatically syncs your certificate within 48 hours.

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a private certificate

Once you obtain a certificate from your certificate provider, follow the steps in this section to make it ready for App Service.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 2>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded root certificate>
-----END CERTIFICATE-----

Export certificate to PFX

Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have already created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. You'll use this password when uploading your TLS/SSL certificate to App Service later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate to your local machine, and then export the certificate to PFX.
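As an added example (not code from the docs page or from Azure), the checks to run on mergedcertificate.crt and the private key before the upload: the leaf-to-root chain order described above, the serverAuth Extended Key Usage from the Private certificate requirements section, and a PFX export pinned to TripleDES because OpenSSL 3.x otherwise defaults to AES-256-CBC, which that section's note says App Service does not accept. It assumes the openssl CLI is installed; the function names and the PFX_PASSWORD variable are my own.

```shell
#!/bin/sh
# Added example, not from the Azure docs page. Pre-upload checks for a
# private certificate destined for App Service, plus a PFX export that
# forces TripleDES. Assumes the openssl CLI; every file name is the
# caller's, and PFX_PASSWORD is a variable name chosen here.

# Split a merged PEM bundle into one file per certificate inside $2,
# named cert-0.pem (first block) upward, preserving the bundle order.
split_chain() {
    awk -v d="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = d "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Return 0 when each certificate in the bundle is issued by the one that
# follows it: the leaf-first, root-last order mergedcertificate.crt needs.
check_chain_order() {
    tmp=$(mktemp -d); rc=0; i=0
    split_chain "$1" "$tmp"
    [ -f "$tmp/cert-0.pem" ] || rc=1
    while [ "$rc" -eq 0 ] && [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert-$i.pem")
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert-$((i + 1)).pem")
        # Strip the "issuer="/"subject=" labels so only the DNs are compared.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Return 0 when the certificate carries the Extended Key Usage that App
# Service requires for a TLS binding: serverAuth, OID 1.3.6.1.5.5.7.3.1.
check_server_auth() {
    openssl x509 -noout -text -in "$1" |
        sed -n '/X509v3 Extended Key Usage/{n;p;}' |
        grep -q 'TLS Web Server Authentication'
}

# Export key + merged chain to PFX, forcing TripleDES for both the key and
# certificate bags. OpenSSL 3.x otherwise defaults to AES-256-CBC, which
# the page says App Service does not accept. The password is passed via
# the environment so it does not show up in the process list.
export_pfx_3des() {
    PFX_PASSWORD="$4" openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout env:PFX_PASSWORD
}

# Return 0 when the encrypted bags in the PFX use TripleDES and none uses
# AES; `openssl pkcs12 -info` names the algorithm of each bag.
pfx_uses_3des() {
    info=$(PFX_PASSWORD="$2" openssl pkcs12 -in "$1" -info -noout \
        -passin env:PFX_PASSWORD 2>&1)
    echo "$info" | grep -q 'pbeWithSHA1And3-KeyTripleDES-CBC' &&
        ! echo "$info" | grep -q 'AES'
}
```

Run check_chain_order and check_server_auth on the bundle and leaf before export_pfx_3des, then pfx_uses_3des on the result; a non-zero exit from any of them means the upload would be rejected or the binding would fail.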

Upload certificate to App Service

You're now ready to upload the certificate to App Service.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Upload Certificate.

[Screenshot: Upload private certificate to App Service]

In PFX Certificate File, select your PFX file. In Certificate password, type the password that you created when you exported the PFX file. When finished, click Upload.

When the operation completes, you see the certificate in the Private Key Certificates list.

[Screenshot: Upload certificate finished]

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a public certificate

Public certificates are supported in the .cer format.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, click TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate.

In Name, type a name for the certificate. In CER Certificate file, select your CER file.

Click Upload.

[Screenshot: Upload public certificate to App Service]

Once the certificate is uploaded, copy the certificate thumbprint and see Make the certificate accessible.

Manage App Service certificates

This section shows you how to manage an App Service certificate you purchased in Import an App Service certificate.

Rekey certificate

If you think your certificate's private key is compromised, you can rekey your certificate. Select the certificate in the App Service Certificates page, then select Rekey and Sync from the left navigation.

Click Rekey to start the process. This process can take 1-10 minutes to complete.

[Screenshot: Rekey App Service certificate]

Rekeying your certificate rolls the certificate over to a new certificate issued by the certificate authority.

Once the rekey operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 48 hours.

Renew certificate

To turn on automatic renewal of your certificate at any time, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation. By default, App Service Certificates have a one-year validity period.

Select On and click Save. Certificates can start automatically renewing 60 days before expiration if you have automatic renewal turned on.

[Screenshot: Auto-renew App Service certificate]

To manually renew the certificate instead, click Manual Renew. You can request to manually renew your certificate 60 days before expiration.

Once the renew operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 48 hours.

Export certificate

Because an App Service Certificate is a Key Vault secret, you can export a PFX copy of it and use it for other Azure services or outside of Azure.

To export the App Service Certificate as a PFX file, run the following commands in the Cloud Shell. You can also run them locally if you installed Azure CLI. Replace the placeholders with the names you used when you created the App Service certificate.

secretname=$(az resource show \
    --resource-group <group-name> \
    --resource-type "Microsoft.CertificateRegistration/certificateOrders" \
    --name <app-service-cert-name> \
    --query "properties.certificates.<app-service-cert-name>.keyVaultSecretName" \
    --output tsv)

az keyvault secret download \
    --file appservicecertificate.pfx \
    --vault-name <key-vault-name> \
    --name $secretname \
    --encoding base64

The downloaded appservicecertificate.pfx file is a raw PKCS12 file that contains both the public and private certificates. In each prompt, use an empty string for the import password and the PEM pass phrase.

Delete certificate

Deletion of an App Service certificate is final and irreversible. Deletion of an App Service Certificate resource results in the certificate being revoked. Any binding in App Service with this certificate becomes invalid. To prevent accidental deletion, Azure puts a lock on the certificate. To delete an App Service certificate, you must first remove the delete lock on the certificate.

Select the certificate in the App Service Certificates page, then select Locks in the left navigation.

Find the lock on your certificate with the lock type Delete. To the right of it, select Delete.

[Screenshot: Delete lock on the App Service certificate]

Now you can delete the App Service certificate. From the left navigation, select Overview > Delete. In the confirmation dialog, type the certificate name and select OK.

Automate with scripts

Azure CLI

#!/bin/bash

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name $resourceGroup

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the 
# hostname "www" and point it your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn

# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)

# Binds the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the 
# hostname "www" and point it your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources