Azure App Service Certificate Bindings

Secure your web applications with custom domains and SSL/TLS certificates.

Introduction to Certificate Bindings

Certificate bindings in Azure App Service enable you to secure your custom domain names with SSL/TLS certificates, ensuring encrypted communication (HTTPS) between your users and your web application. This is crucial for data security, user trust, and search engine optimization (SEO).

Azure App Service supports various methods for obtaining and managing SSL certificates, including Azure App Service Certificates, Key Vault certificates, and uploading your own PFX files.

Types of Bindings

App Service supports two primary types of SSL bindings:

  • Server Name Indication (SNI) SSL: This is the most common type. It allows multiple SSL certificates to be hosted on the same IP address. Clients supporting SNI can request the correct certificate based on the hostname they are trying to access.
  • IP SSL: This binding assigns a dedicated IP address to your App Service for the SSL certificate. It's typically used for older clients that do not support SNI.

Prerequisites

Before you can create a certificate binding, ensure you have the following:

  • An Azure App Service plan and web app.
  • A custom domain name mapped to your App Service.
  • An SSL/TLS certificate available, either purchased from a third-party Certificate Authority (CA), obtained from Azure App Service Certificates, or stored in Azure Key Vault.
  • If using your own certificate, you'll need the .pfx file and its password.

How to Create a Certificate Binding

You can create certificate bindings using either the Azure portal or the Azure CLI.

Using the Azure Portal

  1. Navigate to your App Service in the Azure portal.
  2. In the left-hand menu, under "Settings", select TLS/SSL settings.
  3. Go to the Private Key Certificates (.pfx) or App Service Managed Certificates tab, depending on your certificate source.
  4. If uploading a PFX: Click Upload Certificate. Provide the certificate file (.pfx), enter the password, and optionally give it a friendly name. Click Upload.
  5. If using App Service Managed Certificates: Click Create App Service Managed Certificate. Select your custom domain and click Create.
  6. Go to the Custom Domains tab.
  7. Find your custom domain and click Add binding.
  8. In the blade that appears, select the custom domain, the uploaded certificate (or managed certificate), and the TLS/SSL type (SNI SSL or IP SSL).
  9. Click Add Binding.

Using Azure CLI

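For uploading a PFX certificate (a password typed literally on the command line is recorded in shell history, so read it into a variable first and pass the variable):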

az webapp config ssl upload --certificate-file <path-to-pfx> --certificate-password <password> --resource-group <your-resource-group> --name <your-webapp-name>

For creating the binding:

az webapp config hostname add --webapp-name <your-webapp-name> --resource-group <your-resource-group> --hostname <your-custom-domain>
az webapp config ssl bind --certificate-thumbprint <certificate-thumbprint> --ssl-type SNI --resource-group <your-resource-group> --name <your-webapp-name> --hostname <your-custom-domain>

You can find the certificate thumbprint by running az webapp config ssl list --resource-group <your-resource-group>.

Managing Existing Bindings

You can view, update, or delete existing certificate bindings via the TLS/SSL settings section in the Azure portal. Here you can also manage the certificates themselves, including their expiration dates and renewal processes.

Important: Regularly monitor your certificate expiration dates to avoid service interruptions. Azure App Service Managed Certificates automatically renew.

IP SSL Bindings

IP SSL bindings are less common now but can be necessary for compatibility with legacy clients. To use IP SSL:

  1. You must have a dedicated IP address assigned to your App Service. This is typically achieved by purchasing an "IP-based SSL certificate" from a CA and binding it to a dedicated IP.
  2. In the Azure portal, navigate to TLS/SSL settings > IP SSL Certificates.
  3. Click Upload IP SSL Certificate.
  4. Provide the .pfx file and password.
  5. After uploading, go to Custom Domains and add the binding, selecting the IP SSL certificate and "IP SSL" as the type.

Tip: IP SSL bindings incur additional costs. SNI SSL is generally recommended unless specific compatibility is required.

Binding an SSL Certificate

The process of binding an SSL certificate involves associating a specific certificate with a custom domain for your App Service. This ensures that when a user accesses your domain via HTTPS, the correct certificate is presented.

Binding a Wildcard Certificate

Wildcard certificates (e.g., *.example.com) can secure multiple subdomains with a single certificate. The binding process is similar to binding a standard SSL certificate. Ensure the wildcard certificate is correctly uploaded or available in Key Vault, and then create the SNI SSL binding for your subdomains.

Binding a PFX Certificate

A .pfx file is a standard format for bundling your SSL certificate and its private key. To bind a .pfx file:

  1. Ensure the .pfx file is password protected.
  2. Use the Azure portal's TLS/SSL settings > Private Key Certificates (.pfx) section to upload it.
  3. Once uploaded, select it when adding a binding for your custom domain.

Troubleshooting Common Issues

  • Certificate not binding: Verify the certificate's validity, expiration date, and that it covers the custom domain. Ensure the private key is included in the PFX file.
  • HTTPS not working: Check that the binding is correctly configured in App Service. Ensure any firewall rules or network configurations aren't blocking traffic. Clear your browser cache.
  • Mixed content warnings: Ensure all resources (images, scripts, stylesheets) are loaded over HTTPS.
  • SNI support: If you encounter issues with older browsers or clients, consider whether an IP SSL binding is necessary.
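
The checks from the wildcard section and the first troubleshooting item, as an added example that is not part of the original page: san_covers_host applies the rule that a wildcard covers exactly one left-most label, and pfx_preflight confirms the private key, the expiry date and hostname coverage, then prints the SHA-1 thumbprint. The function names, the PFX_PASSWORD variable and the 30-day window are assumptions, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: local checks on a PFX before `az webapp config ssl upload`.
# Assumes OpenSSL 1.1.1+; function names and PFX_PASSWORD are illustrative.

# san_covers_host HOST SAN...  -> exit 0 if any SAN entry covers HOST.
# A wildcard stands for exactly one left-most label: *.example.com covers
# www.example.com, but not example.com or a.b.example.com.
san_covers_host() {
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
  for san in "$@"; do
    san=$(printf '%s' "$san" | tr '[:upper:]' '[:lower:]')
    case "$san" in
      \*.*)
        suffix=${san#\*}                       # e.g. ".example.com"
        case "$host" in
          *"$suffix")
            label=${host%"$suffix"}            # text the wildcard stands for
            case "$label" in ''|*.*) ;; *) return 0 ;; esac ;;
        esac ;;
      "$host") return 0 ;;
    esac
  done
  return 1
}

# fp_to_thumbprint: "SHA1 Fingerprint=AB:CD:.." on stdin -> "ABCD.." (the
# colon-free form that --certificate-thumbprint expects).
fp_to_thumbprint() { sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'; }

# pfx_preflight PFX HOST -> prints the thumbprint, non-zero status on failure.
# The password comes from $PFX_PASSWORD, so it is not in openssl's argv.
pfx_preflight() {
  cert=$(openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nokeys -clcerts) || return 2
  # The PFX must carry the private key, not only the certificate.
  openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY' || { echo 'PFX has no private key' >&2; return 3; }
  # Reject a certificate that expires within 30 days (2592000 seconds).
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 2592000 >/dev/null ||
    { echo 'certificate expires within 30 days' >&2; return 4; }
  sans=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName |
         tr ',' '\n' | sed -n 's/^ *DNS://p')
  set -f                                       # keep "*.example.com" unglobbed
  if san_covers_host "$2" $sans; then covered=0; else covered=1; fi
  set +f
  [ "$covered" -eq 0 ] || { echo "certificate does not cover $2" >&2; return 5; }
  printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha1 | fp_to_thumbprint
}
```

Export PFX_PASSWORD after reading it from a silent prompt, then call pfx_preflight with the .pfx path and the custom domain. The printed value is the SHA-1 thumbprint to compare with the one reported by az webapp config ssl list.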