Installing an SSL certificate on Microsoft Azure Web App

Installing SSL is easy with our installation service.

An SSL certificate should be activated, validated and installed on the server. In case of Azure you will need to upload it to the Azure portal. The SSL certificate can be downloaded from the Namecheap account or the email; it should be converted into PKCS#12 (PFX) format containing a private key.

If you generated a CSR code for the certificate activation on your Windows server, it is necessary to take the following steps to receive a PFX file:

  1. Complete the certificate request through the IIS management console.
  2. Export the PFX file using either the MMC or IIS management console. Both options are described here.

In case you have an SSL certificate, a private key and CA bundle in separate files in PEM format, it can be converted into PFX using this tool.

Alternatively, an SSL certificate can be converted into the necessary format using the following OpenSSL command if you have a Linux-based terminal:

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile CA_bundle.crt

Once you have the PFX file, you can upload it to the Azure portal in order to assign it to your Web App.

  • Go to "App Services", select the name of your App and click Certificates under the "Settings" section:
    azure1_1
Once uploaded, the next step is to set binding for the domain you would like to secure with the SSL certificate and to configure a secure HTTPS connection.
  • Select "Custom domains" under the "Settings" section, and click on Add binding to proceed:
    azure1_2
On the "Add TLS/SSL binding" tab, select your SSL certificate from the drop-down list. You may also select whether to use Server Name Indication (SNI) or an IP-based SSL.
  • Click Add to complete the certificate installation:
    azure1_3
Note: An IP-based SSL assigns your server’s public IP address to the domain name. This options requires each domain to have a dedicated IP.

Parts highlighted in yellow act as start and end points of editing in the original article. These sentences remain the same with no changes.

SNI SSL allows multiple domains to share the same IP address with a separate certificate used for each domain name. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI; however, older browsers like Internet Explorer 6, Mozilla Firefox 2.0 or earlier may not support it. For more information on the Server Name Indication technology, check this article.

If you use the SNI SSL option, there is no need to take any other steps. However, if you created an IP-based SSL binding, App Service will create a dedicated IP address for the binding as an IP-based SSL requires one.

If you used an A record to point your custom domain to your Azure app, and you just added an IP-based SSL binding, you will need to update the existing A record in the domain DNS settings with the new IP address that was assigned to the domain.

You can find this IP address on the "Custom domains" page:

azure1_5

The certificate is now installed on the server. You may check it by opening the domain name in the browser and specifying the secure protocol: https://<your_domain>.

Certificate installation can also be verified with the help of the OpenSSL command:

openssl s_client -showcerts -connect <your_domain>:443 -servername <your_domain> -showcerts

Alternatively, feel free to use this online SSL checker. If the certificate is installed correctly, the result will be shown as follows:

azure1_4

Enforcing HTTPS for Azure Web App

In order to set an automatic HTTPS redirect for a secure connection, one needs to add a special redirect rule to the .web.config file. By default, it is located in the following folder D:\home\site\wwwroot The file can be modified through the Kudu debug console for your app located at https://<appname>.scm.azurewebsites.net/DebugConsole.
The rewrite rule should be added between <rules> </rules> tags:

<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
appendQueryString="true" redirectType="Permanent" />
</rule>

After the redirect is applied, anyone who enters example.com or www.example.com in a browser will be automatically redirected to https://example.com .

Updated
Viewed
51761 times

Need help? We're always here for you.

notmyip