This tutorial will guide you through the certificate installation process on the Microsoft Azure Web App. The SSL certificate can be downloaded from the SSLs.com account or the email from the Certificate Authority; it should be converted into PKCS#12 (PFX) format containing a private key.The ways to convert an SSL certificate are described below. The process may differ depending on the way you obtained the CSR code used for certificate activation.
Note: Certificate installation is allowed starting from the Basic App Service plan. It is not possible to use a custom SSL certificate with the Free or Shared plan.. You can find more details here.
If you generated a CSR code on your Windows server, it is necessary to take the following steps to receive a PFX file:
- Complete the certificate request through the IIS management console.
- Export the PFX file using either the MMC or IIS management console. Both options are described here.
In case you have an SSL certificate, a private key and a CA bundle in separate files in PEM format, they can be converted into PFX (PKCS#12 format) in two ways:
- Using this online tool.
- Using the OpenSSL command if you have a Linux-based terminal:
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile CA_bundle.crt
After successful converting, a PFX file should be uploaded to the Azure portal in order to assign it to your Web App:
The steps below describe the process of configuring HTTPS connection on your domain:
1) Go to App Services, select the name of your App and click SSL certificates under the Settings section:
2) The SSL certificate should appear on the list. The next step is to set a binding for the domain you would like to secure with the SSL certificate. Click on Add binding to proceed:
3) On the Add SSL Binding panel, select the domain name you would like to secure. You are to choose whether to use Server Name Indication (SNI) or an IP-based SSL. Click on the Add binding button to complete the process:
Note: An IP-based SSL assigns your server’s public IP address to the domain name. If you prefer to proceed with this option, it will be required to have a dedicated IP address for each your domain.
The SNI SSL option allows hosting multiple domains on the same IP address with a separate certificate used for each domain name. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI; however, older browsers like Internet Explorer 6, Mozilla Firefox 2.0 or earlier may not support it.
If you use the SNI SSL option, that’s it. No additional steps are needed. However, if you created an IP-based SSL binding, App Service will create a dedicated IP address for the binding as the aforementioned option requires one.
If you used an A record to point your custom domain to your Azure app, and you just added an IP-based SSL binding, it is required to update the existing A record in the domain DNS settings with the new IP address that was assigned to the domain.
The new IP address can be found on the Custom domain page under settings of your app, right above the Hostnames section. It is listed as External IP Address.
Congratulations! The certificate is now installed on the server. You can securely access your website by adding the https:// protocol in front of the domain name: https://<your_domain>.
Certificate installation can also be verified with the help of the OpenSSL command provided below. It should list the chain of all certificates:
openssl s_client -showcerts -connect <your_domain>:443 -servername <your_domain> -showcerts
Alternatively, feel free to use this online SSL checker.
If the certificate is installed correctly, the result will be shown as follows:
Enforcing HTTPS for Azure Web App
In order to set an automatic HTTPS redirect to a secure connection, one needs to add a special redirect rule to the .web.config file. By default, it is located in the following folder: D:homesitewwwroot. The file can be modified through the Kudu debug console for your app located at https://<appname>.scm.azurewebsites.net/DebugConsole.
The rewrite rule should be added between <rules> </rules> tags:
<rule name=”Force HTTPS” enabled=”true”>
<match url=”(.*)” ignoreCase=”false” />
<conditions>
<add input=”{HTTPS}” pattern=”off” />
</conditions>
<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” appendQueryString=”true” redirectType=”Permanent” />
</rule>
After the redirect is applied, anyone who enters example.com or www.example.com in a browser will be automatically redirected to https://example.com.