Eduard Keilholz

Hi, my name is Eduard Keilholz. I'm a Microsoft developer working at 4DotNet in The Netherlands. I like to speak at conferences about all and nothing, mostly Azure (or other cloud) related topics.


I received the Microsoft MVP Award for Azure
HexMaster's Blog
Some thoughts about software development, cloud, azure, ASP.NET Core and maybe a little bit more...
Free Certificates for All

Why did ‘they’ not scream this from the rooftops? CERTIFICATES ARE NOW FREE! Yes, I know, Let’s Encrypt already allowed you to install free certificates on your web app: you could add an extension with a worker that installed and renewed certificates from Let’s Encrypt on your Web App. However, this extension often failed or crashed, and a lot of plumbing was required to get it up and running. Now, everything has changed!

Prerequisites

To install free managed certificates on your Web App in Azure, you need to map a domain name to your app service. Also, for a root domain (like hexmaster.nl), you cannot have IP restrictions. Then there are a couple of limitations:

  • Does not support wildcard certificates.
  • Does not support usage as a client certificate by certificate thumbprint (removal of certificate thumbprint is planned).
  • Is not exportable.
  • Is not supported on App Service Environment (ASE).
  • Is not supported with root domains that are integrated with Traffic Manager.
  • If a certificate is for a CNAME-mapped domain, the CNAME must be mapped directly to <app-name>.azurewebsites.net.

But to be honest, all these restrictions sound pretty reasonable to me.

Installation

To install your certificate, go to the Azure Portal and navigate to your Web App. Then open the TLS/SSL settings blade and click Private Key Certificates (.pfx).

Create a managed SSL Certificate

Here you’ll see a new fourth option called ‘Create App Service Managed Certificate’. If you click that, a new dialog opens showing a dropdown with all applicable custom domains. Select the desired domain and click the Create button.

Maintenance

There is no maintenance required. The certificate is renewed continuously in six-month increments. Certificates will be renewed 45 days before they expire.
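
Because nothing has to be done by hand, a stalled renewal is easy to miss. The following check is an added example, not code from the original post: it reads a site's certificate expiry and flags a certificate with fewer than 45 days left, which by the renewal schedule above means the renewal did not happen. The function names are illustrative, and the 45-day threshold is taken from this post.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

RENEWAL_WINDOW_DAYS = 45  # assumption taken from the post: renewed 45 days before expiry


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry, given the notAfter string from ssl.getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(not_after: str, now: Optional[datetime] = None) -> str:
    """Classify a certificate as 'ok', 'renewal-overdue' or 'expired'."""
    now = now or datetime.now(timezone.utc)
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < RENEWAL_WINDOW_DAYS:
        return "renewal-overdue"  # inside the window, yet the old cert is still served
    return "ok"


def check_host(hostname: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the live certificate and classify it; TLS failures are reported, not raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return renewal_status(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An already expired or mismatched certificate fails the handshake itself.
        return f"tls-error: {exc.verify_message}"
    except OSError as exc:
        return f"connect-error: {exc}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(host, check_host(host))
    else:
        # Constructed sample: a certificate with 40 days left on 1 Jan 2025.
        sample_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
        print(renewal_status("Feb 10 00:00:00 2025 GMT", sample_now))
```

Run it on a schedule with your custom domain names as arguments and alert on anything other than `ok`.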