Add a TLS/SSL certificate in Azure App Service

Azure App Service provides a highly scalable, self-patching web hosting service. This article shows you how to create, upload, or import a private certificate or a public certificate into App Service.

Once the certificate is added to your App Service app or function app, you can secure a custom DNS name with it or use it in your application code.

The following options are available for adding certificates in App Service:

  • Create a free App Service Managed Certificate (Preview): A private certificate that's easy to use if you just need to secure your www custom domain or any non-naked domain in App Service.
  • Purchase an App Service certificate: A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.
  • Import a certificate from Key Vault: Useful if you use Azure Key Vault to manage your PKCS12 certificates. See Private certificate requirements.
  • Upload a private certificate: If you already have a private certificate from a third-party provider, you can upload it. See Private certificate requirements.
  • Upload a public certificate: Public certificates are not used to secure custom domains, but you can load them into your code if you need them to access remote resources.

Prerequisites

To follow this how-to guide:

Private certificate requirements

Note

Azure Web Apps does not support AES256, and all pfx files should be encrypted with TripleDES.

The free App Service Managed Certificate and the App Service certificate already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:

To secure a custom domain in a TLS binding, the certificate has additional requirements:

  • Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1)
  • Signed by a trusted certificate authority

Note

Elliptic Curve Cryptography (ECC) certificates can work with App Service but are not covered by this article. Work with your certificate authority on the exact steps to create ECC certificates.

Prepare your web app

To create custom security bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in the supported pricing tier.

Sign in to Azure

Open the Azure portal.

Search for and select App Services.

Screenshot: Select App Services

On the App Services page, select the name of your web app.

Screenshot: Navigate to the Azure app in the portal

You have landed on the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

Screenshot: Scale up menu

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

Screenshot: Check pricing tier

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

Screenshot: Choose pricing tier

When you see the following notification, the scale operation is complete.

Screenshot: Scale up notification

Create a free certificate (Preview)

The free App Service Managed Certificate is a turn-key solution for securing your custom DNS name in App Service. It's a fully functional TLS/SSL certificate that's managed by App Service and renewed automatically. The free certificate comes with the following limitations:

  • Does not support wildcard certificates.
  • Does not support naked domains.
  • Is not exportable.
  • Is not supported on App Service Environment (ASE).
  • Does not support A records. For example, automatic renewal doesn't work with A records.

Note

The free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.

To create a free App Service Managed Certificate:

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Create App Service Managed Certificate.

Screenshot: Create a free certificate in App Service

Any non-naked domain that's properly mapped to your app with a CNAME record is listed in the dialog. Select the custom domain to create a free certificate for and select Create. You can create only one certificate for each supported custom domain.

When the operation completes, you see the certificate in the Private Key Certificates list.

Screenshot: Free certificate creation complete

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import an App Service Certificate

If you purchase an App Service Certificate from Azure, Azure manages the following tasks:

  • Takes care of the purchase process from GoDaddy.
  • Performs domain verification of the certificate.
  • Maintains the certificate in Azure Key Vault.
  • Manages certificate renewal (see Renew certificate).
  • Synchronizes the certificate automatically with the imported copies in App Service apps.

To purchase an App Service certificate, go to Start certificate order.

If you already have a working App Service certificate, you can:

Start certificate order

Start an App Service certificate order in the App Service Certificate create page.

Screenshot: Start an App Service certificate purchase

Use the following settings to configure the certificate. When finished, click Create.

  • Name: A friendly name for your App Service certificate.
  • Naked Domain Host Name: Specify the root domain here. The issued certificate secures both the root domain and the www subdomain. In the issued certificate, the Common Name field contains the root domain, and the Subject Alternative Name field contains the www domain. To secure any subdomain only, specify the fully qualified domain name of the subdomain here (for example, mysubdomain.contoso.com).
  • Subscription: The subscription that will contain the certificate.
  • Resource group: The resource group that will contain the certificate. For example, you can use a new resource group or select the same resource group as your App Service app.
  • Certificate SKU: Determines the type of certificate to create, whether a standard certificate or a wildcard certificate.
  • Legal Terms: Click to confirm that you agree with the legal terms. The certificates are obtained from GoDaddy.

Note

App Service Certificates purchased from Azure are issued by GoDaddy. For some top-level domains, you must explicitly allow GoDaddy as a certificate issuer by creating a CAA domain record with the value: 0 issue godaddy.com.
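The DigiCert note for the free certificate and the GoDaddy note above both come down to one check: if your domain publishes CAA records, they must permit the CA that App Service uses, or issuance (and later automatic renewal) fails. The following function is an added example, not part of the article or of Azure tooling; it applies the RFC 8659 evaluation rules to a record set you paste in (the shape `dig +short CAA example.com` prints) and reports whether a given issuer is permitted. The record lines used in the comments are constructed, and the record set of the exact name is assumed to be the governing one (walking up the DNS tree is out of scope).

```shell
#!/bin/bash
# Evaluate a CAA record set against a CA the way RFC 8659 section 4 does, for the
# issuer names this article mentions (digicert.com, godaddy.com). Added example,
# not part of the article or of Azure tooling.
#
# stdin: one CAA record per line as "<flags> <tag> <value>", the shape you get from
#        `dig +short CAA example.com`, e.g.   0 issue "digicert.com"
# $1:    issuer domain to test, e.g. digicert.com
# $2:    the word "wildcard" when the request is for a wildcard name, else empty
# Exit status 0 = issuance permitted, 1 = forbidden by the record set.
caa_permits() {
  awk -v issuer="$1" -v wild="$2" '
    NF < 3 { next }                       # skip blank or malformed lines
    {
      tag = tolower($2)
      val = $3
      gsub(/"/, "", val)                  # dig quotes the value
      sub(/;.*/, "", val)                 # drop parameters: "ca.example; account=123"
      val = tolower(val)
    }
    tag == "issue"     { n_issue++;     if (val == tolower(issuer)) ok_issue = 1 }
    tag == "issuewild" { n_issuewild++; if (val == tolower(issuer)) ok_wild = 1 }
    END {
      # issuewild records, when present, govern wildcard requests exclusively
      if (wild == "wildcard" && n_issuewild > 0) exit !ok_wild
      # otherwise issue records govern; a record whose value is just ";" leaves
      # val empty and therefore forbids every CA
      if (n_issue > 0) exit !ok_issue
      exit 0                              # no relevant records: any CA may issue
    }'
}
```

Pipe the output of `dig +short CAA <your-domain>` into `caa_permits digicert.com` (or `godaddy.com`) before you order the certificate, and again before renewal if the DNS zone has changed hands.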

Store in Azure Key Vault

Once the certificate purchase process is complete, there are a few more steps you need to complete before you can start using this certificate.

Select the certificate in the App Service Certificates page, then click Certificate Configuration > Step 1: Store.

Screenshot: Configure Key Vault storage for the App Service certificate

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. It's the storage of choice for App Service certificates.

In the Key Vault Status page, click Key Vault Repository to create a new vault or choose an existing vault. If you choose to create a new vault, use the following settings to configure the vault and click Create. Create the new Key Vault inside the same subscription and resource group as your App Service app.

  • Name: A unique name that consists of alphanumeric characters and dashes.
  • Resource group: As a recommendation, select the same resource group as your App Service certificate.
  • Location: Select the same location as your App Service app.
  • Pricing tier: For information, see Azure Key Vault pricing details.
  • Access policies: Defines the applications and the allowed access to the vault resources. You can configure it later, following the steps at Assign a Key Vault access policy.
  • Virtual Network Access: Restrict vault access to certain Azure virtual networks. You can configure it later, following the steps at Configure Azure Key Vault Firewalls and Virtual Networks.

Once you've selected the vault, close the Key Vault Repository page. The Step 1: Store option should show a green check mark for success. Keep the page open for the next step.

Verify domain ownership

From the same Certificate Configuration page you used in the last step, click Step 2: Verify.

Screenshot: Verify the domain for the App Service certificate

Select App Service Verification. Since you already mapped the domain to your web app (see Prerequisites), it's already verified. Just click Verify to finish this step. Click the Refresh button until the message Certificate is Domain Verified appears.

Note

Four types of domain verification methods are supported:

  • App Service - The most convenient option when the domain is already mapped to an App Service app in the same subscription. It takes advantage of the fact that the App Service app has already verified the domain ownership.
  • Domain - Verify an App Service domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and completes the process.
  • Mail - Verify the domain by sending an email to the domain administrator. Instructions are provided when you select the option.
  • Manual - Verify the domain using either an HTML page (Standard certificate only) or a DNS TXT record. Instructions are provided when you select the option.

Import certificate into App Service

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import App Service Certificate.

Screenshot: Import an App Service certificate in App Service

Select the certificate that you just purchased and select OK.

When the operation completes, you see the certificate in the Private Key Certificates list.

Screenshot: App Service certificate import complete

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import a certificate from Key Vault

If you use Azure Key Vault to manage your certificates, you can import a PKCS12 certificate from Key Vault into App Service as long as it satisfies the requirements.

Authorize App Service to read from the vault

By default, the App Service resource provider doesn't have access to the Key Vault. In order to use a Key Vault for a certificate deployment, you need to grant the resource provider read access to the Key Vault.

abfa0a7c-a6b6-4736-8310-5855508787cd is the resource provider service principal name for App Service, and it's the same for all Azure subscriptions. For the Azure Government cloud environment, use 6a02c803-dafd-4136-b4c3-5a6f318b4714 instead as the resource provider service principal name.

Import a certificate from your vault to your app

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate.

Screenshot: Import a Key Vault certificate in App Service

Use the following settings to select the certificate.

  • Subscription: The subscription that the Key Vault belongs to.
  • Key Vault: The vault with the certificate you want to import.
  • Certificate: Select from the list of PKCS12 certificates in the vault. All PKCS12 certificates in the vault are listed with their thumbprints, but not all are supported in App Service.

When the operation completes, you see the certificate in the Private Key Certificates list. If the import fails with an error, the certificate doesn't meet the requirements for App Service.

Screenshot: Key Vault certificate import complete

Note

If you update your certificate in Key Vault with a new certificate, App Service automatically syncs your certificate within 48 hours.

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a private certificate

Once you obtain a certificate from your certificate provider, follow the steps in this section to make it ready for App Service.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 2>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded root certificate>
-----END CERTIFICATE-----

Export certificate to PFX

Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. You'll use this password when uploading your TLS/SSL certificate to App Service later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate to your local machine, and then export the certificate to PFX.
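The merge and export steps above are easy to get subtly wrong (chain in the wrong order, a key from a different CSR, a PFX encrypted with AES instead of TripleDES), and App Service only reports that the upload or import failed. The following script is an added example, not from the article or from Azure tooling; it assumes openssl is on PATH and that you pass it the private key, the merged certificate file and an output path, and it checks the requirements stated on this page (serverAuth EKU, leaf-to-root order, matching key, TripleDES encryption) before and after the export.

```shell
#!/bin/bash
# Pre-upload checks for a merged certificate chain plus a TripleDES PFX export.
# Added example, not from the article or from Azure tooling. Assumes openssl is
# on PATH; key, merged chain and output path are supplied by the caller.

# The leaf is the first certificate in the merged file (openssl x509 reads only
# the first one). A TLS binding needs the server authentication EKU,
# OID 1.3.6.1.5.5.7.3.1, which openssl prints as "TLS Web Server Authentication".
has_server_auth_eku() {  # $1 = merged chain (leaf first)
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# The merged file must run leaf -> intermediate(s) -> root: each certificate's
# issuer must equal the next certificate's subject, and the last one must be
# self-signed. RFC 2253 name formatting makes both sides comparable as text.
chain_in_order() {  # $1 = merged chain
  local bundle="$1" dir n i issuer subject rc=0
  dir=$(mktemp -d)
  # split the PEM bundle into cert-1.pem, cert-2.pem, ... in file order
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert-" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$n" -ge 1 ] || { rm -rf "$dir"; return 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then rc=1; break; fi
    i=$((i + 1))
  done
  if [ "$rc" -eq 0 ]; then
    issuer=$(openssl x509 -in "$dir/cert-$n.pem" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$dir/cert-$n.pem" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
  fi
  rm -rf "$dir"
  return "$rc"
}

# The private key must be the one the CSR was generated with: compare the public
# key embedded in the leaf with the public half of the key file.
key_matches_cert() {  # $1 = merged chain (leaf first), $2 = private key file
  local certpub keypub
  certpub=$(openssl x509 -in "$1" -noout -pubkey)
  keypub=$(openssl pkey -in "$2" -pubout)
  [ -n "$keypub" ] && [ "$certpub" = "$keypub" ]
}

# Export with TripleDES for both the key and the certificate bags, as the note on
# pfx encryption requires (OpenSSL 3.x defaults to AES-256 otherwise).
export_pfx() {  # $1 = private key, $2 = merged chain, $3 = output .pfx, $4 = password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
}

# Read back the PFX metadata and confirm the cipher before uploading.
pfx_uses_3des() {  # $1 = .pfx, $2 = password
  openssl pkcs12 -info -in "$1" -passin "pass:$2" -nokeys -nocerts 2>&1 \
    | grep -q 'pbeWithSHA1And3-KeyTripleDES-CBC'
}

# Run every check, then export; stops with a reason on the first failure.
check_and_export() {  # $1 = private key, $2 = merged chain, $3 = output .pfx, $4 = password
  has_server_auth_eku "$2" || { echo "leaf certificate lacks the serverAuth EKU" >&2; return 1; }
  chain_in_order "$2" || { echo "chain is not ordered leaf -> intermediate(s) -> root" >&2; return 1; }
  key_matches_cert "$2" "$1" || { echo "private key does not match the leaf certificate" >&2; return 1; }
  export_pfx "$1" "$2" "$3" "$4" || { echo "openssl pkcs12 export failed" >&2; return 1; }
  pfx_uses_3des "$3" "$4" || { echo "PFX is not TripleDES-encrypted" >&2; return 1; }
  echo "$3 passed all checks and is ready to upload"
}

# usage: ./precheck.sh <private-key-file> <merged-certificate-file> <out.pfx> <password>
if [ "$#" -eq 4 ]; then
  check_and_export "$@"
fi
```

The same `pfx_uses_3des` check is worth running on a PFX exported from IIS or Certreq.exe, since those tools choose the PKCS12 encryption for you.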

Upload certificate to App Service

You're now ready to upload the certificate to App Service.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Upload Certificate.

Screenshot: Upload a private certificate in App Service

In PFX Certificate File, select your PFX file. In Certificate password, type the password that you created when you exported the PFX file. When finished, click Upload.

When the operation completes, you see the certificate in the Private Key Certificates list.

Screenshot: Certificate upload complete

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a public certificate

Public certificates are supported in the .cer format.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, click TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate.

In Name, type a name for the certificate. In CER Certificate file, select your CER file.

Click Upload.

Screenshot: Upload a public certificate in App Service

Once the certificate is uploaded, copy the certificate thumbprint and see Make the certificate accessible.

Manage App Service certificates

This section shows you how to manage an App Service certificate you purchased in Import an App Service certificate.

Rekey certificate

If you think your certificate's private key is compromised, you can rekey your certificate. Select the certificate in the App Service Certificates page, then select Rekey and Sync from the left navigation.

Click Rekey to start the process. This process can take 1-10 minutes to complete.

Screenshot: Rekey an App Service certificate

Rekeying your certificate rolls the certificate with a new certificate issued from the certificate authority.

Once the rekey operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 48 hours.

Renew certificate

To turn on automatic renewal of your certificate at any time, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation. By default, App Service Certificates have a one-year validity period.

Select On and click Save. Certificates can start automatically renewing 60 days before expiration if you have automatic renewal turned on.

Screenshot: Automatically renew an App Service certificate

To manually renew the certificate instead, click Manual Renew. You can request to manually renew your certificate 60 days before expiration.

Once the renew operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 48 hours.

Export certificate

Because an App Service Certificate is a Key Vault secret, you can export a PFX copy of it and use it for other Azure services or outside of Azure.

To export the App Service Certificate as a PFX file, run the following commands in the Cloud Shell. You can also run them locally if you installed Azure CLI. Replace the placeholders with the names you used when you created the App Service certificate.

secretname=$(az resource show \
    --resource-group <group-name> \
    --resource-type "Microsoft.CertificateRegistration/certificateOrders" \
    --name <app-service-cert-name> \
    --query "properties.certificates.<app-service-cert-name>.keyVaultSecretName" \
    --output tsv)

az keyvault secret download \
    --file appservicecertificate.pfx \
    --vault-name <key-vault-name> \
    --name $secretname \
    --encoding base64

The downloaded appservicecertificate.pfx file is a raw PKCS12 file that contains both the public and private certificates. In each prompt, use an empty string for the import password and the PEM pass phrase.

Delete certificate

Deletion of an App Service certificate is final and irreversible. Deletion of an App Service Certificate resource results in the certificate being revoked. Any binding in App Service with this certificate becomes invalid. To prevent accidental deletion, Azure puts a lock on the certificate. To delete an App Service certificate, you must first remove the delete lock on the certificate.

Select the certificate in the App Service Certificates page, then select Locks in the left navigation.

Find the lock on your certificate with the lock type Delete. To the right of it, select Delete.

Screenshot: Delete lock on the App Service certificate

Now you can delete the App Service certificate. From the left navigation, select Overview > Delete. In the confirmation dialog, type the certificate name and select OK.

Automate with scripts

Azure CLI

#!/bin/bash

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name $resourceGroup

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the 
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn

# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)

# Binds the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the 
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources