Azure Openssl


To build the PFX that Azure expects from a certificate issued by a provider such as Gandi, combine the private key, the issued certificate, and the CA chain with OpenSSL:

    openssl pkcs12 -export -out name-your-azure-certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.pem

Here, privateKey.key is the private key file that you generated in the first step, certificate.crt is the certificate file that you received from Gandi, and CACert.pem is the PEM chain file Gandi gave you.

Installing an SSL certificate on Microsoft Azure Web App: an SSL certificate must be activated, validated, and installed on the server. In the case of Azure, you upload it to the Azure portal. The SSL certificate can be downloaded from the Namecheap account or the email; it should be converted into PKCS#12 (PFX) format containing a.

Azure App Service provides a highly scalable, self-patching web hosting service. This article shows you how to create, upload, or import a private certificate or a public certificate into App Service.

Once the certificate is added to your App Service app or function app, you can secure a custom DNS name with it or use it in your application code.

Note

A certificate uploaded into an app is stored in a deployment unit that is bound to the app's resource group and region combination (internally called a webspace). This makes the certificate accessible to other apps in the same resource group and region combination.

The following options are available for adding certificates in App Service:

  • Create a free App Service Managed Certificate (Preview): A private certificate that's free of charge and easy to use if you just need to secure your custom domain in App Service.
  • Purchase an App Service certificate: A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.
  • Import a certificate from Key Vault: Useful if you use Azure Key Vault to manage your PKCS12 certificates. See Private certificate requirements.
  • Upload a private certificate: If you already have a private certificate from a third-party provider, you can upload it. See Private certificate requirements.
  • Upload a public certificate: Public certificates are not used to secure custom domains, but you can load them into your code if you need them to access remote resources.

Prerequisites

  • Create an App Service app.
  • For a private certificate, make sure that it satisfies all requirements from App Service.
  • Free certificate only:
    • Map the domain you want a certificate for to App Service. For information, see Tutorial: Map an existing custom DNS name to Azure App Service.
    • For a root domain (like contoso.com), make sure your app doesn't have any IP restrictions configured. Both certificate creation and its periodic renewal for a root domain depend on your app being reachable from the internet.

Private certificate requirements

The free App Service Managed Certificate and the App Service certificate already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:

  • Exported as a password-protected PFX file, encrypted using triple DES.
  • Contains a private key at least 2048 bits long.
  • Contains all intermediate certificates in the certificate chain.

To secure a custom domain in a TLS binding, the certificate has additional requirements:

  • Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1).
  • Signed by a trusted certificate authority.

Note

Elliptic Curve Cryptography (ECC) certificates can work with App Service but are not covered by this article. Work with your certificate authority on the exact steps to create ECC certificates.

Prepare your web app

To create custom TLS/SSL bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in the supported pricing tier.

Sign in to Azure

Open the Azure portal.

Navigate to your web app

Search for and select App Services.

On the App Services page, select the name of your web app.

You have landed on the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.


Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.


Click Apply.

When you see the following notification, the scale operation is complete.

Create a free managed certificate (Preview)

Note

Before creating a free managed certificate, make sure you have fulfilled the prerequisites for your app.

The free App Service Managed Certificate is a turn-key solution for securing your custom DNS name in App Service. It's a fully functional TLS/SSL certificate that's managed by App Service and renewed automatically. The free certificate comes with the following limitations:

  • Does not support wildcard certificates and should not be used as a client certificate.
  • Is not exportable.
  • Is not supported on App Service Environment (ASE).
  • Is not supported with root domains that are integrated with Traffic Manager.

Note

The free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Create App Service Managed Certificate.

Select the custom domain to create a free certificate for and select Create. You can create only one certificate for each supported custom domain.

When the operation completes, you see the certificate in the Private Key Certificates list.

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import an App Service Certificate

If you purchase an App Service Certificate from Azure, Azure manages the following tasks:

  • Takes care of the purchase process from GoDaddy.
  • Performs domain verification of the certificate.
  • Maintains the certificate in Azure Key Vault.
  • Manages certificate renewal (see Renew certificate).
  • Synchronizes the certificate automatically with the imported copies in App Service apps.

To purchase an App Service certificate, go to Start certificate order.

If you already have a working App Service certificate, you can:

  • Import the certificate into App Service.
  • Manage the certificate, such as renew, rekey, and export it.

Note

App Service Certificates are not supported in Azure National Clouds at this time.

Start certificate order

Start an App Service certificate order in the App Service Certificate create page.

Use the following settings to help you configure the certificate. When finished, click Create.

  • Name: A friendly name for your App Service certificate.
  • Naked Domain Host Name: Specify the root domain here. The issued certificate secures both the root domain and the www subdomain. In the issued certificate, the Common Name field contains the root domain, and the Subject Alternative Name field contains the www domain. To secure any subdomain only, specify the fully qualified domain name of the subdomain here (for example, mysubdomain.contoso.com).
  • Subscription: The subscription that will contain the certificate.
  • Resource group: The resource group that will contain the certificate. You can use a new resource group or select the same resource group as your App Service app, for example.
  • Certificate SKU: Determines the type of certificate to create, whether a standard certificate or a wildcard certificate.
  • Legal Terms: Click to confirm that you agree with the legal terms. The certificates are obtained from GoDaddy.

Note

App Service Certificates purchased from Azure are issued by GoDaddy. For some top-level domains, you must explicitly allow GoDaddy as a certificate issuer by creating a CAA domain record with the value: 0 issue godaddy.com.

Store in Azure Key Vault

Once the certificate purchase process is complete, there are a few more steps you need to complete before you can start using this certificate.

Select the certificate in the App Service Certificates page, then click Certificate Configuration > Step 1: Store.

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. It's the storage of choice for App Service certificates.

In the Key Vault Status page, click Key Vault Repository to create a new vault or choose an existing vault. If you choose to create a new vault, use the following settings to help you configure the vault and click Create. Create the new Key Vault inside the same subscription and resource group as your App Service app.

  • Name: A unique name that consists of alphanumeric characters and dashes.
  • Resource group: As a recommendation, select the same resource group as your App Service certificate.
  • Location: Select the same location as your App Service app.
  • Pricing tier: For information, see Azure Key Vault pricing details.
  • Access policies: Defines the applications and the allowed access to the vault resources. You can configure it later, following the steps at Assign a Key Vault access policy.
  • Virtual Network Access: Restrict vault access to certain Azure virtual networks. You can configure it later, following the steps at Configure Azure Key Vault Firewalls and Virtual Networks.

Once you've selected the vault, close the Key Vault Repository page. The Step 1: Store option should show a green check mark for success. Keep the page open for the next step.

Verify domain ownership

From the same Certificate Configuration page you used in the last step, click Step 2: Verify.

Select App Service Verification. Since you already mapped the domain to your web app (see Prerequisites), it's already verified. Just click Verify to finish this step. Click the Refresh button until the message Certificate is Domain Verified appears.

Note

Four types of domain verification methods are supported:

  • App Service - The most convenient option when the domain is already mapped to an App Service app in the same subscription. It takes advantage of the fact that the App Service app has already verified the domain ownership.
  • Domain - Verify an App Service domain that you purchased from Azure. Azure automatically adds the verification TXT record for you and completes the process.
  • Mail - Verify the domain by sending an email to the domain administrator. Instructions are provided when you select the option.
  • Manual - Verify the domain using either an HTML page (Standard certificate only) or a DNS TXT record. Instructions are provided when you select the option.

Import certificate into App Service

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import App Service Certificate.

Select the certificate that you just purchased and select OK.

When the operation completes, you see the certificate in the Private Key Certificates list.

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import a certificate from Key Vault

If you use Azure Key Vault to manage your certificates, you can import a PKCS12 certificate from Key Vault into App Service as long as it satisfies the requirements.

Authorize App Service to read from the vault

By default, the App Service resource provider doesn't have access to the Key Vault. To use a Key Vault for a certificate deployment, you must grant the resource provider read access to the Key Vault.

abfa0a7c-a6b6-4736-8310-5855508787cd is the resource provider service principal name for App Service, and it's the same for all Azure subscriptions. For the Azure Government cloud environment, use 6a02c803-dafd-4136-b4c3-5a6f318b4714 instead as the resource provider service principal name.
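One way to grant that access with the Azure CLI, as an added example rather than a command from the Azure documentation. It assumes the vault uses Key Vault access policies (not Azure RBAC), that az is installed and logged in, and that the vault name is passed as the script's argument; the two service principal IDs are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): grant the App Service
# resource provider read access to a Key Vault through an access policy.
# Assumes access policies are in use (not Azure RBAC) and that the Azure CLI
# is installed and logged in.

# app_service_spn CLOUD
# Prints the App Service resource provider service principal for the given
# Azure CLI cloud name, using the two IDs quoted in the text above, and fails
# for clouds the page does not cover rather than guessing.
app_service_spn() {
  case "$1" in
    AzureCloud)        echo abfa0a7c-a6b6-4736-8310-5855508787cd ;;
    AzureUSGovernment) echo 6a02c803-dafd-4136-b4c3-5a6f318b4714 ;;
    *) echo "no App Service service principal known for cloud '$1'" >&2; return 1 ;;
  esac
}

# authorize_app_service VAULT_NAME
# Looks up the cloud the CLI is logged in to, then grants only the "get"
# permission on secrets and certificates: that is all the import needs, so
# the policy stays least-privilege.
authorize_app_service() {
  cloud=$(az cloud show --query name -o tsv)
  spn=$(app_service_spn "$cloud") || return 1
  az keyvault set-policy --name "$1" --spn "$spn" \
    --secret-permissions get --certificate-permissions get
}

# Usage: sh authorize-app-service.sh <vault-name>
if [ $# -ge 1 ]; then authorize_app_service "$1"; fi
```

If the vault has been switched to the Azure RBAC permission model, set-policy is rejected; in that case the same read-only intent is expressed by a role assignment on the vault scope instead.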

Import a certificate from your vault to your app

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate.

Use the following settings to help you select the certificate.

  • Subscription: The subscription that the Key Vault belongs to.
  • Key Vault: The vault with the certificate you want to import.
  • Certificate: Select from the list of PKCS12 certificates in the vault. All PKCS12 certificates in the vault are listed with their thumbprints, but not all are supported in App Service.

When the operation completes, you see the certificate in the Private Key Certificates list. If the import fails with an error, the certificate doesn't meet the requirements for App Service.


Note

If you update your certificate in Key Vault with a new certificate, App Service automatically syncs your certificate within 24 hours.

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a private certificate

Once you obtain a certificate from your certificate provider, follow the steps in this section to make it ready for App Service.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. The result is a sequence of PEM blocks, each delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Export certificate to PFX

Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the openssl pkcs12 -export command, passing the paths to your private key and your merged certificate file in place of the placeholders <private-key-file> and <merged-certificate-file>.

When prompted, define an export password. You'll use this password when uploading your TLS/SSL certificate to App Service later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate to your local machine, and then export the certificate to PFX.
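The merge and export steps above, together with the private certificate requirements (password-protected triple-DES PFX, 2048-bit key, full chain, server-authentication EKU), as an added shell example that is not part of the Azure documentation. It assumes OpenSSL is installed, that the export password is supplied in a PFX_PASSWORD environment variable rather than at a prompt, and uses placeholder file names; the demo at the end builds a throwaway self-signed certificate, which a real chain from your CA replaces in practice.

```shell
#!/bin/sh
# Added example (not the Azure documentation's own commands): merge a PEM
# certificate chain in leaf -> intermediate -> root order, export it with its
# private key to a password-protected PFX, and check the PFX against the App
# Service requirements. File names are placeholders.

# merge_chain OUT LEAF [INTERMEDIATE...] [ROOT]
# Appends each PEM file to OUT in the order given (your certificate first) and
# refuses anything that is not a PEM certificate. Prints the number written.
merge_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
      echo "not a PEM certificate: $f" >&2
      return 1
    fi
    cat "$f" >> "$out"
    # keep a newline between blocks when a file lacks a trailing one
    if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$out"; fi
  done
  grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# export_pfx KEY MERGED OUT
# Same as the interactive export, with the password taken from PFX_PASSWORD.
# The PBE and MAC options force the triple-DES/SHA-1 encoding App Service
# expects; OpenSSL 3 otherwise defaults to AES, which App Service may reject.
export_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout env:PFX_PASSWORD
}

# check_pfx PFX
# Prints "certs=<n> keybits=<bits> serverauth=<yes|no>" so the chain length,
# key size and server-authentication EKU can be checked before upload.
check_pfx() {
  certs=$(openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASSWORD 2>/dev/null \
            | grep -c -- '-----BEGIN CERTIFICATE-----')
  keybits=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASSWORD 2>/dev/null \
            | openssl pkey -noout -text 2>/dev/null \
            | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
  if openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
       | openssl x509 -noout -text 2>/dev/null \
       | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    sa=yes
  else
    sa=no
  fi
  echo "certs=$certs keybits=$keybits serverauth=$sa"
}

# Stand-alone demo with a constructed, throwaway self-signed certificate; in
# real use the leaf and intermediates come from your CA.
demo() {
  d=$(mktemp -d)
  export PFX_PASSWORD=changeit
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=example.invalid' -addext 'extendedKeyUsage=serverAuth' \
    -keyout "$d/key.pem" -out "$d/leaf.pem" 2>/dev/null
  merge_chain "$d/mergedcertificate.crt" "$d/leaf.pem" >/dev/null
  export_pfx "$d/key.pem" "$d/mergedcertificate.crt" "$d/appservice.pfx"
  check_pfx "$d/appservice.pfx"
  rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run check_pfx on the result before uploading: certs should equal the length of your chain, keybits at least 2048 and serverauth yes. The explicit PBE and MAC options are the part people miss with OpenSSL 3, whose default AES-encrypted PFX does not match the triple-DES requirement stated above.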

Upload certificate to App Service

You're now ready to upload the certificate to App Service.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Upload Certificate.

In PFX Certificate File, select your PFX file. In Certificate password, type the password that you created when you exported the PFX file. When finished, click Upload.

When the operation completes, you see the certificate in the Private Key Certificates list.

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a public certificate

Public certificates are supported in the .cer format.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, click TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate.

In Name, type a name for the certificate. In CER Certificate file, select your CER file.

Click Upload.

Once the certificate is uploaded, copy the certificate thumbprint and see Make the certificate accessible.

Manage App Service certificates


This section shows you how to manage an App Service certificate you purchased in Import an App Service certificate.

Rekey certificate


If you think your certificate's private key is compromised, you can rekey your certificate. Select the certificate in the App Service Certificates page, then select Rekey and Sync from the left navigation.

Click Rekey to start the process. This process can take 1-10 minutes to complete.

Rekeying your certificate rolls the certificate with a new certificate issued from the certificate authority.

Once the rekey operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 24 hours.

Renew certificate

To turn on automatic renewal of your certificate at any time, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation. By default, App Service Certificates have a one-year validity period.

Select On and click Save. Certificates can start automatically renewing 30 days before expiration if you have automatic renewal turned on.

To manually renew the certificate instead, click Manual Renew. You can request to manually renew your certificate 60 days before expiration.

Once the renew operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Note

If you don't click Sync, App Service automatically syncs your certificate within 24 hours.

Export certificate

Because an App Service Certificate is a Key Vault secret, you can export a PFX copy of it and use it for other Azure services or outside of Azure.

To export the App Service Certificate as a PFX file, run the Azure CLI export commands in the Cloud Shell. You can also run them locally if you installed Azure CLI. Replace the placeholders with the names you used when you created the App Service certificate.

The downloaded appservicecertificate.pfx file is a raw PKCS12 file that contains both the public and private certificates. In each prompt, use an empty string for the import password and the PEM pass phrase.

Delete certificate

Deletion of an App Service certificate is final and irreversible. Deletion of an App Service Certificate resource results in the certificate being revoked. Any binding in App Service with this certificate becomes invalid. To prevent accidental deletion, Azure puts a lock on the certificate. To delete an App Service certificate, you must first remove the delete lock on the certificate.


Select the certificate in the App Service Certificates page, then select Locks in the left navigation.

Find the lock on your certificate with the lock type Delete. To the right of it, select Delete.

Now you can delete the App Service certificate. From the left navigation, select Overview > Delete. In the confirmation dialog, type the certificate name and select OK.

Automate with scripts

Azure CLI

PowerShell

More resources

Creating a CSR & Installing Your SSL Certificate Using the DigiCert® Certificate Utility for Windows

These instructions assume that you already own your Windows Azure website, and that you have configured the domain name for your website. For more information, visit Microsoft’s Windows Azure page, or contact Microsoft.

If you are looking for Windows Azure cloud services instructions, see Windows Azure Cloud Services: Create CSR & Install SSL Certificate.

Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL Certificate.

For a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL Certificates, we recommend that you use the DigiCert® Certificate Utility for Windows. For more information about our utility, see DigiCert® Certificate Utility for Windows.

  1. To create your certificate signing request (CSR), see Windows Azure Website: Creating Your CSR with the DigiCert Utility.

  2. To install your SSL Certificate, see Windows Azure Website: Using the DigiCert Utility & Windows Azure to Install Your SSL Certificate.

1. Windows Azure Website: Creating Your CSR with the DigiCert Utility

The DigiCert® Certificate Utility for Windows streamlines the CSR creation process, because the utility lets you generate the CSR with one click.

Windows Azure Website: How to Create Your CSR with the DigiCert Utility

  1. On your Windows server, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.

  4. On the Create CSR page, enter the following information:

    Certificate Type: Select SSL.
    Common Name: Enter the fully qualified domain name (FQDN) (i.e. www.example.com). You may also enter the IP address.
    Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, type any SANs that you want to include (i.e. www.example.com, www.example2.com, and www.example3.net).
    Organization: Type your company’s legally registered name (i.e. YourCompany, Inc.).
    Department: (Optional) Enter the department within your organization that you want to appear on the SSL Certificate.
    City: Type the city where your company is legally located.
    State: In the drop-down list, select the state where your company is legally located. If your company is located outside the USA, you can type the applicable name in the box.
    Country: In the drop-down list, select the country where your company is legally located.
    Key Size: In the drop-down list, select 2048.
    Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
  5. Click Generate.

  6. On The certificate request has been successfully created page, do one of the following, and then, click Close:

    Click Copy CSR: Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
    Click Save to File: Saves the CSR as a .txt file to the Windows server or workstation. We recommend that you use this option.
  7. Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

  8. After you receive your SSL Certificate from DigiCert, you can install it.
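The same CSR generated with OpenSSL instead of the DigiCert Utility, as an added example that is not part of DigiCert's instructions. It assumes OpenSSL 1.1.1 or later (for -addext), uses a placeholder distinguished name that you edit to your organization's legal details, and takes the common name and any extra SANs as arguments; it goes slightly beyond the step list above by writing IP-address SANs as IP: entries rather than DNS: entries, which is what clients expect.

```shell
#!/bin/sh
# Added example (not DigiCert's utility or its instructions): create the CSR
# described above with OpenSSL. The distinguished name below is a placeholder.
SUBJECT_DN='/C=US/ST=Your State/L=Your City/O=YourCompany, Inc./OU=IT'

# make_csr OUTDIR COMMON_NAME [SAN...]
# Writes OUTDIR/server.key (keep it on the server; it never goes to the CA)
# and OUTDIR/server.csr with a 2048-bit RSA key. The common name and every
# extra name go into subjectAltName, since browsers match on SANs, not the CN;
# arguments made only of digits and dots are emitted as IP: entries.
make_csr() {
  dir=$1; cn=$2; shift 2
  sans="DNS:$cn"
  for h in "$@"; do
    case "$h" in
      *[!0-9.]*) sans="$sans,DNS:$h" ;;
      *)         sans="$sans,IP:$h" ;;
    esac
  done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "$SUBJECT_DN/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
}

# csr_sans CSR
# Prints the names the request asks for, one per line (DNS:... or
# IP Address:...), so the SAN list can be confirmed before it is pasted into
# the order form.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -oE '(DNS|IP Address):[^,[:space:]]*'
}

# Usage: sh make-csr.sh <outdir> <common-name> [san ...]
if [ $# -ge 2 ]; then make_csr "$@" && csr_sans "$1/server.csr"; fi
```

The text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- in server.csr is what goes into the order form; the key file stays with the server and is what the PFX export later needs.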

2. Windows Azure Website: Using the DigiCert Utility & Azure to Install Your SSL Certificate

If you have not yet used the DigiCert® Certificate Utility for Windows to create a CSR and ordered your certificate, see Windows Azure Website: Creating Your CSR with the DigiCert Utility.


After receiving your SSL Certificate, you need to install it on your Microsoft server and then, you can configure it for your Windows Azure website.

To install and configure your SSL Certificate, do the following:

  1. Use the DigiCert Utility to import your SSL Certificate to your Windows server.

  2. Use the DigiCert Utility to export your SSL in a .PFX format.

  3. Configure SSL for your Windows Azure website.

i. How to Import Your SSL Certificate Using the DigiCert Certificate Utility

  1. On the server where you created the CSR, open the ZIP file containing your SSL Certificate and save the contents of the file (i.e. your_domain_name.cer).

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.

  4. In the Certificate Import wizard, click Browse to browse to the .cer (i.e. your_domain_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then, click Next.

  5. In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: azure.cert-digicert-expiration.date. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  6. To import the SSL Certificate to your server, click Finish.

    You should receive a message that the certificate was successfully imported.

  7. You should now see your SSL Certificate in the DigiCert Certificate Utility for Windows©, under SSL Certificates.

    You are now ready to export your SSL Certificate as a .pfx file.

ii. How to Export Your SSL Certificate Using the DigiCert Certificate Utility

After importing your SSL Certificate to your Microsoft server, you use the DigiCert Certificate Utility to export your SSL Certificate as a .pfx file.

  1. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  2. In DigiCert® Certificate Utility for Windows, click SSL (gold lock), select the SSL Certificate to export to a .pfx file, and then click Export Certificate.

  3. In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, and then, click Next.

  4. In the Password and Confirm Password boxes, enter and confirm your password, and then, click Next.

    Note: This password is used when you import the SSL Certificate onto other Windows type servers or other servers or devices that accept a .pfx file.

  5. Next, click to browse for and select the location where you want to save the .pfx file, and then, click Save.

  6. To export the SSL Certificate with private key, click Finish.

  7. After you receive the 'Your certificate and key have been successfully exported' message, click OK.

    Your SSL Certificate has been exported as a .pfx file.

iii. How to Configure SSL for Your Windows Azure Website

Once you have the .pfx file, you can use it to configure SSL for your Windows Azure website.

Configuring SSL for Your Windows Azure Website

  1. In a browser, open and log into the Windows Azure Management Portal.

  2. On the web sites tab, under NAME, select your website.

  3. On your website’s page, click CONFIGURE.

  4. On the CONFIGURE tab, in the certificates section, under SUBJECT, click upload a certificate.

  5. In the Upload a certificate window, under FILE, click BROWSE FOR FILE, and then, browse for and select the .pfx certificate file that you exported using the DigiCert Certificate Utility.

  6. In the PASSWORD box, enter the password that you created to export the .pfx file.

  7. To upload the SSL Certificate, click the checkmark.

  8. On the CONFIGURE tab, under ssl bindings, in the Choose a domain name drop-down list, select the domain name that you want to secure with SSL.

  9. In the Choose a certificate drop-down list, select the SSL Certificate that you want to use to secure your website.

  10. In the final drop-down list, select one of the following options:

    IP SSL (Traditional Method): IP based SSL associates the SSL Certificate with the domain name. It maps the dedicated public IP address of the server to the domain name. This option requires each domain name (example.com, example1.com) that is associated with your service to have its own dedicated IP address.
    SNI SSL: SNI based SSL allows multiple domains to share one IP address. Each domain has its own SSL Certificate. Most modern browsers support SNI, but some older versions do not. For information on browser support for SNI, see IIS 8 and IIS 8.5 SNI Browser Support.
  11. Click Save.

    Your Microsoft Azure website is now configured to accept secure connections.

IP based SSL and Custom Domain Configured Using an A Record

If you selected IP SSL, and you used an A record to configure your custom domain name, you need to complete these additional steps.

  1. Locate the dedicated IP address assigned to your website.

    After you used IP based SSL binding to configure SSL for your website, a dedicated IP address was assigned to your website. You can see this IP address, on the Dashboard page of your website, in the quick glance section, under VIRTUAL IP ADDRESS.

    This IP address is different from the virtual IP address that was used to configure the A record for your domain.

  2. Modify the A record for your custom domain name to point to this IP address.

    Use the tools provided by your domain name registrar to make this modification.

Verifying Your Certificate is Configured Correctly

To verify that you correctly configured the SSL Certificate, use https to visit your website.
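An added check for this step, written here rather than taken from DigiCert's page: openssl s_client with the SNI host name, plus a small filter that reduces the transcript to the verify result, chain length and subject. The host name is a placeholder and the summary format is this example's own.

```shell
#!/bin/sh
# Added example (not from the page): check a deployed binding from the
# outside with openssl s_client and summarise what a browser would see.

# tls_probe HOST [PORT]
# Connects with SNI, so an SNI SSL binding is exercised rather than the IP
# default, and prints the raw s_client transcript including the served chain.
tls_probe() {
  printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts 2>/dev/null
}

# tls_summary < transcript
# Reduces the transcript to "verify=<code> certs=<n> subject=<dn>". A
# non-zero verify code with certs=1 is the classic sign that the intermediate
# was left out of the PFX.
tls_summary() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { certs++ }
    /^subject=/ && !subj           { subj = substr($0, 9) }
    /Verify return code:/          { code = $4 }
    END { printf "verify=%s certs=%d subject=%s\n", code, certs, subj }
  '
}

# Usage: sh tls-check.sh www.example.com [443]
if [ $# -ge 1 ]; then tls_probe "$1" "${2:-443}" | tls_summary; fi
```

Expect verify=0 and a certs count equal to the chain you merged; run it once per custom domain name bound to the app, because each SNI binding is a separate certificate.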


Test Your Installation


If your website is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.

Troubleshooting

If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.