SSL Certificates - Azure App Service

Secure your web applications with SSL/TLS certificates in Azure App Service. Learn how to bind custom SSL certificates, manage certificate authorities, and understand the different options available for securing your custom domains.

Understanding SSL Certificates in App Service

Azure App Service allows you to associate SSL certificates with custom domains hosted on your App Service. This enables HTTPS connections, which are essential for security and search engine optimization.

Types of SSL Certificates Supported

• App Service Managed Certificates: Free, auto-renewing certificates provided by Azure for custom domains mapped to your App Service. Ideal for simple scenarios.
• Imported Certificates (.pfx): Certificates you purchase from a third-party Certificate Authority (CA) and upload to your App Service. This provides more control and supports wildcard or multi-domain certificates.
• Key Vault Certificates: Certificates stored and managed in Azure Key Vault, which can then be referenced by your App Service. This offers enhanced security and centralized management.

How to Secure a Custom Domain with SSL

1. Using App Service Managed Certificates (Recommended for simplicity)

1. Navigate to your App Service in the Azure portal.
2. Under the "Settings" section, select "Custom domains".
3. If you haven't already, add your custom domain.
4. Once the domain is verified, select "Add binding".
5. In the "Add TLS/SSL Binding" pane, choose "App Service Managed Certificate" from the certificate dropdown.
6. Select your custom domain and click "Add binding". Azure will automatically provision and renew the certificate.

2. Importing a Custom SSL Certificate (.pfx)

You'll need a certificate in PKCS #12 format (.pfx) that includes the private key.

1. Navigate to your App Service in the Azure portal.
2. Under the "Settings" section, select "TLS/SSL settings".
3. Go to the "Private Key Certificates (.pfx)" tab.
4. Click "Upload Certificate".
5. Browse for your .pfx file, enter the certificate password, and click "Upload".
6. Once uploaded, go back to "Custom domains".
7. Select "Add binding" for your custom domain.
8. In the "Add TLS/SSL Binding" pane, choose your uploaded certificate from the dropdown.
9. Select the SSL type (SNIP-based or IP-based SSL) and click "Add binding".

3. Using Azure Key Vault Certificates

This method requires you to have your certificate stored in Azure Key Vault.

1. Ensure your App Service has managed identity enabled or has permissions to access your Key Vault.
2. Navigate to your App Service in the Azure portal.
3. Under the "Settings" section, select "TLS/SSL settings".
4. Go to the "Key Vault Certificates" tab.
5. Click "Select a Key Vault certificate".
6. Choose your Key Vault, select the certificate, and specify the version.
7. Click "Add binding" for your custom domain, selecting the Key Vault certificate.

Advanced Configurations and Considerations

• SNI SSL vs. IP SSL: SNI SSL (Server Name Indication) is the modern, cost-effective way to host multiple SSL certificates on a single IP address. IP SSL assigns a dedicated IP address to each certificate, which may be necessary for older clients that don't support SNI.
• Certificate Renewal: App Service Managed Certificates renew automatically. For imported or Key Vault certificates, ensure you have a process in place for timely renewal to avoid service interruptions.
• Wildcard Certificates: If you need to secure multiple subdomains (e.g., *.yourdomain.com), you'll need a wildcard certificate, which can be purchased from a third-party CA or managed via Key Vault.
• Binding Order: When multiple certificates are bound to custom domains, ensure the correct certificate is associated with each domain.

Related Documentation