Buy and configure an SSL certificate for Azure App Service

This tutorial shows you how to secure your App Service app or function app by creating (purchasing) an App Service certificate in Azure Key Vault and then binding it to an App Service app.

Tip

App Service certificates can be used for any Azure or non-Azure service and are not limited to App Service. To do so, you need to create a local PFX copy of the App Service certificate, which you can then use anywhere you want. For more information, see Creating a local PFX copy of an App Service Certificate.

Prerequisites

To follow this how-to guide:

Prepare your web app

To bind a custom SSL certificate (a third-party certificate or an App Service certificate) to your web app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in a supported pricing tier.

Log in to Azure

Open the Azure portal.

From the left menu, click App Services, and then click the name of your web app.

(Screenshot: select web app)

You have landed in the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

(Screenshot: Scale up menu)

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

(Screenshot: check pricing tier)

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

(Screenshot: choose pricing tier)

When you see the following notification, the scale operation is complete.

(Screenshot: scale up notification)

Start certificate order

Start an App Service certificate order in the App Service Certificate create page.

(Screenshot: create certificate)

Use the following settings to help you configure the certificate. When finished, click Create.

  • Name: A friendly name for your App Service certificate.
  • Naked Domain Host Name: Specify the root domain here. The issued certificate secures both the root domain and the www subdomain. In the issued certificate, the Common Name field contains the root domain, and the Subject Alternative Name field contains the www domain. To secure only a subdomain, specify the fully qualified domain name of the subdomain here (for example, mysubdomain.contoso.com).
  • Subscription: The datacenter where the web app is hosted.
  • Resource group: The resource group that contains the certificate. You can use a new resource group or, for example, select the same resource group as your App Service app.
  • Certificate SKU: Determines the type of certificate to create: a standard certificate or a wildcard certificate.
  • Legal Terms: Click to confirm that you agree with the legal terms. The certificates are obtained from GoDaddy.

Store in Azure Key Vault

Once the certificate purchase process is complete, there are a few more steps you need to complete before you can start using the certificate.

Select the certificate in the App Service Certificates page, then click Certificate Configuration > Step 1: Store.

(Screenshot: store in Key Vault)

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. It's the storage of choice for App Service certificates.

In the Key Vault Status page, click Key Vault Repository to create a new vault or choose an existing vault. If you choose to create a new vault, use the following settings to help you configure the vault, then click Create. Learn how to create a new Key Vault in the same subscription and resource group.

  • Name: A unique name that consists of alphanumeric characters and dashes.
  • Resource group: As a recommendation, select the same resource group as your App Service certificate.
  • Location: Select the same location as your App Service app.
  • Pricing tier: For information, see Azure Key Vault pricing details.
  • Access policies: Defines the applications and the access they are allowed to the vault resources. You can configure it later by following the steps at Grant several applications access to a key vault.
  • Virtual Network Access: Restricts vault access to certain Azure virtual networks. You can configure it later by following the steps at Configure Azure Key Vault Firewalls and Virtual Networks.

Once you've selected the vault, close the Key Vault Repository page. The Store option should show a green check mark for success. Keep the page open for the next step.

Verify domain ownership

From the same Certificate Configuration page you used in the last step, click Step 2: Verify.

Select App Service Verification. Since you already mapped the domain to your web app (see Prerequisites), it's already verified. Just click Verify to finish this step. Click the Refresh button until the message Certificate is Domain Verified appears.

Note

Four types of domain verification methods are supported:

  • App Service - The most convenient option when the domain is already mapped to an App Service app in the same subscription. It takes advantage of the fact that the App Service app has already verified the domain ownership.
  • Domain - Verify an App Service domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and completes the process.
  • Mail - Verify the domain by sending an email to the domain administrator. Instructions are provided when you select the option.
  • Manual - Verify the domain using either an HTML page (Standard certificate only) or a DNS TXT record. Instructions are provided when you select the option.

Bind certificate to app

In the Azure portal, from the left menu, select App Services > <your_app>.

From the left navigation of your app, select SSL settings > Private Certificates (.pfx) > Import App Service Certificate.

(Screenshot: import App Service certificate)

Select the certificate that you just purchased.

Now that the certificate is imported, you need to bind it to a mapped domain name in your app. Select Bindings > Add SSL Binding.

(Screenshot: add SSL binding)

Use the following settings to help you configure the binding in the SSL Bindings dialog, then click Add Binding.

  • Hostname: The domain name to add the SSL binding for.
  • Private Certificate Thumbprint: The certificate to bind.
  • SSL Type:
      • SNI SSL - Multiple SNI-based SSL bindings may be added. This option allows multiple SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (find more comprehensive browser support information at Server Name Indication).
      • IP-based SSL - Only one IP-based SSL binding may be added. This option allows only one SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in Remap A record for IP SSL.

Verify HTTPS access

Visit your app using HTTPS://<domain_name> instead of HTTP://<domain_name> to verify that the certificate has been configured correctly.
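Browsing to the site only proves that some certificate was served. A more useful check, and one that also illustrates the Naked Domain Host Name and Certificate SKU rules described in the certificate order settings above, is to confirm that the served certificate's Subject Alternative Names actually cover the bound hostname and that it is not close to expiry. The following script is an added example, not code from the Azure documentation or from Microsoft; it uses only the Python standard library, and the two certificate dictionaries are constructed samples in the shape that ssl.SSLSocket.getpeercert() returns, so the checks run offline. The fetch_peer_cert helper shows how the same checks would be applied to a live endpoint.

```python
"""Check that a served certificate covers a bound hostname and is not near expiry.

Added example (not from the Azure docs page). Standard library only. The sample
certificates below are constructed in getpeercert() dict form so the checks run
offline; fetch_peer_cert() is the only function that touches the network.
"""
import socket
import ssl
import time

# Constructed sample: a standard (non-wildcard) certificate as issued for a
# naked domain: CN is the root domain, SAN carries root and www.
STANDARD_CERT = {
    "subject": ((("commonName", "contoso.com"),),),
    "subjectAltName": (("DNS", "contoso.com"), ("DNS", "www.contoso.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

# Constructed sample: a wildcard certificate. Note that it does NOT cover the
# naked domain itself, only one label beneath it.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.contoso.com"),),),
    "subjectAltName": (("DNS", "*.contoso.com"),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}

RENEWAL_WINDOW_DAYS = 60  # renewal can begin this many days before expiry


def label_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against one DNS name from a certificate.

    A wildcard is honoured only as the complete leftmost label and matches
    exactly one label: '*.contoso.com' matches 'www.contoso.com' but neither
    'contoso.com' nor 'a.b.contoso.com'. '*.com'-style patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    if "." not in suffix:  # refuse wildcards over a public suffix
        return False
    labels = hostname.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == suffix


def covered_names(cert: dict) -> list:
    """Return the DNS names the certificate asserts.

    SAN dNSName entries win; the subject CN is consulted only when there is no
    SAN at all, which is how modern TLS clients behave.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_covered(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the bound hostname."""
    return any(label_matches(name, hostname) for name in covered_names(cert))


def days_until_expiry(cert: dict, now: float = None) -> float:
    """Days remaining before notAfter, relative to `now` (epoch seconds, UTC)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_binding(cert: dict, hostname: str, now: float = None) -> dict:
    """Summarise the findings for one hostname binding."""
    days = days_until_expiry(cert, now)
    return {
        "hostname": hostname,
        "covered": hostname_covered(cert, hostname),
        "days_left": days,
        "expired": days <= 0,
        "renew_now": 0 < days <= RENEWAL_WINDOW_DAYS,
    }


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate for a host (network access; not used offline)."""
    ctx = ssl.create_default_context()  # validates chain and hostname as a browser would
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples (fixed "now" for reproducibility).
    sample_now = ssl.cert_time_to_seconds("Dec  2 00:00:00 2024 GMT")
    for cert, host in [(STANDARD_CERT, "www.contoso.com"), (STANDARD_CERT, "contoso.com"),
                       (WILDCARD_CERT, "api.contoso.com"), (WILDCARD_CERT, "contoso.com")]:
        print(check_binding(cert, host, now=sample_now))
```

The wildcard case is the one that bites in practice: a wildcard SKU certificate bound to the naked domain will be served, but browsers will reject it, so check both the root and www bindings separately.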

Rekey certificate

If you think your certificate's private key is compromised, you can rekey your certificate. Select the certificate in the App Service Certificates page, then select Rekey and Sync from the left navigation.

Click Rekey to start the process. This process can take 1-10 minutes to complete.

(Screenshot: rekey SSL certificate)

Rekeying your certificate replaces it with a new certificate issued by the certificate authority.

Once the rekey operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 48 hours.

Renew certificate

To turn on automatic renewal of your certificate at any time, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation.

Select On and click Save. Certificates can start automatically renewing 60 days before expiration if you have automatic renewal turned on.

(Screenshot: auto renew certificate)

To manually renew the certificate instead, click Manual Renew. You can request to manually renew your certificate 60 days before expiration.

Once the renew operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 48 hours.

Automate with scripts

Azure CLI

#!/bin/bash
set -e

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name "$resourceGroup"

# Create an App Service plan in the Basic tier (the minimum required by custom domains and custom SSL).
az appservice plan create --name "$webappname" --resource-group "$resourceGroup" --sku B1

# Create a web app.
az webapp create --name "$webappname" --resource-group "$resourceGroup" \
    --plan "$webappname"

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to the DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name "$webappname" --resource-group "$resourceGroup" \
    --hostname "$fqdn"

# Upload the SSL certificate and capture its thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
    --certificate-password "$pfxPassword" --name "$webappname" --resource-group "$resourceGroup" \
    --query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the web app as an SNI binding.
az webapp config ssl bind --certificate-thumbprint "$thumbprint" --ssl-type SNI \
    --name "$webappname" --resource-group "$resourceGroup"

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group (the script reuses the web app name for it).
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in the Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
    -ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
    -ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to the DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade the App Service plan to the Basic tier (the minimum required by custom SSL certificates).
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
    -Tier Basic

# Add the custom domain name to the web app (the default hostname must be kept in the list).
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
    -HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app as an SNI binding.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
    -CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources