Overview of Managed Certificates

Azure App Service provides a convenient way to manage SSL/TLS certificates for your custom domains. Managed certificates are free, automatically renewed, and integrated directly with your App Service, simplifying the process of securing your web applications.

Key Benefits

  • Free of Charge: No cost associated with obtaining or renewing these certificates.
  • Automatic Renewal: Certificates are renewed automatically before they expire, ensuring continuous availability.
  • Simplified Management: No need for manual certificate acquisition, upload, or renewal processes.
  • Secure: Uses industry-standard TLS encryption to protect data in transit.
  • Domain Validation: Automatically validates ownership of your custom domain.

When to Use Managed Certificates

Managed certificates are ideal for most scenarios where you need to secure a custom domain mapped to an Azure App Service. This includes:

  • Public-facing websites and APIs.
  • Applications requiring HTTPS for security and trust.
  • Scenarios where cost-effective and low-maintenance certificate management is desired.

Limitations

While powerful, managed certificates have some limitations:

  • Applies to custom domains only: Cannot be used for the default .azurewebsites.net domain.
  • Single domain and wildcard support: Supports either a single custom domain (e.g., www.example.com) or a wildcard certificate (e.g., *.example.com). You cannot cover both www.example.com and example.com with a single managed certificate.
  • Private certificates: Not suitable for private certificates required by specific compliance standards or internal networks.
  • App Service plans: Available for Basic, Standard, Premium, and Isolated App Service plan tiers.

Important Note: If you need to secure both the root domain (e.g., example.com) and a subdomain (e.g., www.example.com), you will need to create separate managed certificates for each.
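
The coverage limitation above can be checked before you rely on a set of certificates. The following is an added example, not Azure or Microsoft code: it applies the usual TLS hostname-matching rule (a wildcard stands for exactly one leftmost label) to a constructed inventory and reports hostnames that no certificate covers, plus certificates close to expiry. The function names, the inventory format, and the 30-day warning window are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name covers hostname (RFC 6125-style matching)."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard stands for exactly one label, never zero or two
    if cert_labels[0] == "*":
        # Wildcard is accepted only as the whole leftmost label, e.g. *.example.com.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def audit(hostnames, certs, now, warn_days=30):
    """Return (hostnames with no valid certificate, cert names expiring soon)."""
    valid = [c for c in certs if c["not_after"] > now]  # ignore expired certs
    uncovered = [h for h in hostnames
                 if not any(name_matches(c["name"], h) for c in valid)]
    expiring = [c["name"] for c in valid
                if c["not_after"] - now <= timedelta(days=warn_days)]
    return uncovered, expiring


# Constructed sample inventory (hypothetical values, not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERTS = [
    {"name": "www.example.com",
     "not_after": datetime(2024, 11, 1, tzinfo=timezone.utc)},
    {"name": "*.api.example.com",
     "not_after": datetime(2024, 6, 20, tzinfo=timezone.utc)},
]
HOSTS = ["www.example.com", "example.com",
         "v1.api.example.com", "a.b.api.example.com"]

if __name__ == "__main__":
    uncovered, expiring = audit(HOSTS, CERTS, NOW)
    print("No certificate covers:", uncovered)
    print("Expiring within 30 days:", expiring)
```

Here example.com is flagged because the www.example.com certificate does not cover the root domain, which is the case the note above describes.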

How to Enable Managed Certificates

Enabling managed certificates is a straightforward process within the Azure portal:

  1. Navigate to your App Service in the Azure portal.
  2. In the left-hand menu, select TLS/SSL settings.
  3. Go to the Private Key Certificates (.pfx) tab.
  4. Click on Create Managed Certificate.
  5. Select the custom domain you want to secure.
  6. Click Create.

Azure will then provision, validate, and bind the certificate to your domain. This process may take a few minutes.

Managing Existing Managed Certificates

You can view and manage your existing managed certificates from the same TLS/SSL settings blade. Here you can see:

  • Certificate expiration dates.
  • The custom domains they are associated with.
  • Options to delete a certificate if necessary.

Troubleshooting

If you encounter issues enabling or renewing a managed certificate, consider the following:

  • Ensure your custom domain is correctly mapped to your App Service.
  • Verify that there are no conflicting SSL bindings for the same domain.
  • Check the App Service logs for detailed error messages.
  • If you're using DNS TXT records for domain validation, ensure they are correctly configured and have propagated.