The Issue
Nowadays, it’s quite common to use SSL for everything. Currently, there is no easy way to generate a certificate signing request (CSR) directly from Azure Web Apps, like you normally do from IIS or from the Windows Certificates snap-in. So you’ll have a hard time with Azure custom SSL support.
The Solution – Generate a CSR
Fortunately, there is a very handy tool from DigiCert that you can download here:
https://www.digicert.com/util/
1 – Open the tool and click generate CSR:
2 – Fill out the details according to your needs:
3 – Save the file as a CSR, and use it on your certificate provider (in this example, I will be using DigiCert, but there are many others available: GeoTrust, RapidSSL, Comodo, etc.):
Import the CSR
4 – After the request is processed, you should get a certificate file back (.cer or .crt). Import that via the tool:
5 – You can add a friendly name or leave it blank; it is not really useful, as you won’t be keeping the cert on your local computer anyway:
Export a PFX
6 – Your certificate will show up on the list, select it and hit export:
7 – Keep the whole chain and the key as a pfx file:
8 – A password is required since you are exporting the private key:
9 – Save the pfx, and you can go ahead and right click the cert to remove it from your local computer:
Import into Azure
10 – Go back to Azure, select your web app, select SSL certificates, and click “Upload Certificate”:
11 – Select the pfx file you exported, type in the password you defined earlier, and hit upload:
12 – If all goes well, you get a nice message informing you that the import was successful:
13 – Next step, you need to add a binding to your cert:
14 – Next step, try out your site with https, and see if you get the green lock. At this point, you can still access the site via http. I recommend leaving it like this until you have fully tested that https is working:
15 – Last step, once you are confident your site is fully working in https, is to enable the redirect from http to https, by selecting https only on the same page (SSL settings at the very top). I also recommend setting your site to TLS 1.2:
16 – As a final test, head out to https://www.ssllabs.com/ssltest/ and test your site:
Congratulations! You are done! Now, put a reminder for yourself so you don’t forget to renew the certificate 🙂
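A scripted version of the checks in steps 14 to 16 and of the renewal reminder, as an added example that is not part of the original post. It uses only the Python standard library, takes the site's host name as a command-line argument, and its function names are illustrative.

```python
import http.client
import socket
import ssl
import sys
import time

def days_left(not_after, now=None):
    """Whole days until notAfter (string format returned by ssl.getpeercert())."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def redirects_to_https(status, location):
    """True when an HTTP response is a redirect that points at an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")

def handshake(host, timeout=10):
    """Return (negotiated TLS version, peer certificate) after full validation."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()

def check_site(host):
    """Run the post-deployment checks against a live site (needs network access)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        # Expected to be False until "HTTPS only" is switched on (step 15).
        report = {"http_redirects": redirects_to_https(resp.status, resp.getheader("Location"))}
    finally:
        conn.close()
    try:
        version, cert = handshake(host)
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: the PFX was exported without the chain, or the name does not match.
        report["certificate_error"] = exc.verify_message
        return report
    report.update(tls_version=version,
                  tls12_or_newer=version in ("TLSv1.2", "TLSv1.3"),
                  days_left=days_left(cert["notAfter"]))
    return report

if __name__ == "__main__":
    # Usage: python check_site.py <your-host-name>
    for key, value in check_site(sys.argv[1]).items():
        print(f"{key}: {value}")
```

The script reports the TLS version your client negotiated, not the lowest version the server accepts, so the SSL Labs test in step 16 is still needed for that.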