In this article I will show you how to renew the SSL certificate for your Azure WebApp and update the SSL Binding step by step.
Prerequisites:
- Map a custom DNS name to your web app.
- Run the web app on at least a Basic tier App Service plan.
- Make sure your SSL certificate meets the App Service requirements (this article walks through producing such a file):
  - signed by a trusted certificate authority
  - exported as a password-protected PFX file
  - private key at least 2048 bits long
  - all intermediate certificates of the chain included
- If you do not know how to produce the PFX file, the process is:
  - purchase the certificate from your preferred vendor
  - generate the certificate signing request (CSR) and the private key with OpenSSL:
    - install OpenSSL
    - run the commands below from a command prompt (CMD)
If you are on Windows, you can download OpenSSL from here: https://sourceforge.net/projects/openssl/
Generate your private key and certificate signing request
Open a command prompt and execute the following (one line):
openssl req -nodes -newkey rsa:2048 -keyout C:\Users\daver\Documents\SSL\wikiazureSSLcert.key -out C:\Users\daver\Documents\SSL\wikiazureSSLcert.csr
OpenSSL prompts for the subject details of the CSR (country, organisation, and so on); the Common Name must be the custom hostname mapped to the web app (for example wikiazure.com). You then get two files: the .key (your private key, which -nodes leaves unencrypted, so keep it private and never send it anywhere) and the .csr.
Generate a separate 2048-bit RSA key pair (not needed for the renewal)
The two commands below generate a password-protected 2048-bit RSA private key and export its public key to a separate file. Note that this produces a second, unrelated key pair: it is not the key behind the CSR you just created, and OpenSSL will refuse to build a PFX from a certificate and a private key that do not match. For the certificate renewal keep using wikiazureSSLcert.key from the previous step; run these commands only if you need a key pair for something else.
openssl genrsa -des3 -out C:\Users\daver\Documents\SSL\wikiazureSSLprivate.pem 2048
openssl rsa -in C:\Users\daver\Documents\SSL\wikiazureSSLprivate.pem -outform PEM -pubout -out C:\Users\daver\Documents\SSL\wikiazureSSLpublic.pem
Now send the .csr file to your vendor so that they can issue the SSL certificate. Send only the CSR, never the .key file.
Create a .pfx certificate file using OpenSSL
Once the vendor gets back to you with the certificate, you should find a .zip file containing:
- Root CA Certificate – AddTrustExternalCARoot.crt
- Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
- Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt
- Your PositiveSSL Certificate – wikiazure_com.crt
wikiazure_com.crt (yourdomain.crt) is the public certificate issued for your domain name.
The PFX must contain the intermediate certificates, so you need a CA bundle: either the .ca-bundle file your vendor provides, or one you create yourself by concatenating the intermediate certificates (and the root) into a single PEM file, starting with the intermediate that signed your certificate and ending with the root. Note that the AddTrust External CA Root listed above expired in May 2020; if your vendor's zip still contains it, use the chain the vendor currently publishes instead. Once you have the bundle, go back to CMD and generate the .PFX file (one line):
openssl pkcs12 -export -inkey C:\Users\daver\Documents\SSL\wikiazureSSLcert.key -in C:\Users\daver\Documents\SSL\wikiazure_com.crt -certfile C:\Users\daver\Documents\SSL\wikiazure_com.ca-bundle -out C:\Users\daver\Documents\SSL\wikiazureSSLcert.pfx
You will be asked to choose an export password and to confirm it; keep it, because the portal asks for it when you upload the PFX. Then you will see output like the image below:
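The whole OpenSSL part of the procedure, from CSR to PFX, as an added worked example that is not part of the original article: a constructed local root and intermediate CA stand in for the vendor, the hostname wikiazure.com and the PFX password are placeholders, and the script finishes with the checks worth running on a PFX before uploading it (key length, key/certificate match, complete chain, hostname coverage). It also shows that OpenSSL refuses to export a PFX when the private key is not the one behind the certificate. Bash with OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the article): CSR -> certificate -> PFX, run end to end
# against a constructed local test CA that stands in for the vendor, followed by the
# checks worth running on the PFX before uploading it to the web app.
# Assumptions: OpenSSL 1.1.1+ on PATH; hostname and password below are placeholders.
set -eu

WORK="$(mktemp -d)"
HOST="wikiazure.com"              # assumption: the custom hostname mapped to the web app
PFX_PASS="Example-Pfx-Pass-1"     # assumption: password that protects the exported PFX

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST,DNS:www.$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Step 1 (the article's "openssl req" step): one private key and the CSR sent to the vendor.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
}

# Constructed stand-in for the vendor: a root CA and one intermediate (a real vendor
# ships these as the root and intermediate .crt files in the zip).
make_test_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 -config "$WORK/openssl.cnf" \
    -extensions ca_ext -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=Example Test Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions int_ext -out "$WORK/int.crt" 2>/dev/null
}

# The "vendor" signs the CSR (the SAN comes from the order, not from the CSR) and the
# CA bundle is built from the intermediate and the root, intermediate first.
issue_leaf_and_bundle() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/site.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$WORK/site.crt" 2>/dev/null
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/site.ca-bundle"
}

# Step 2 (the article's "openssl pkcs12 -export" step). Args: private key, output file.
# OpenSSL refuses the export when the key does not belong to the certificate, which is
# what happens if a second key is generated after the CSR was sent.
export_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$WORK/site.crt" -certfile "$WORK/site.ca-bundle" \
    -name "$HOST" -passout "pass:$PFX_PASS" -out "$2" 2>/dev/null
}

# Pre-upload checks mirroring the App Service requirements: key >= 2048 bits, key matches
# the leaf, chain present and valid, hostname covered. Args: pfx, password, hostname.
check_pfx() {
  local pfx="$1" pass="$2" host="$3" dir bits
  dir="$(mktemp -d)"
  { openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$dir/leaf.pem" &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts -out "$dir/chain.pem" &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$dir/key.pem"; } 2>/dev/null \
    || { echo "cannot read $pfx (wrong password?)" >&2; return 1; }
  bits="$(openssl pkey -in "$dir/key.pem" -noout -text | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')"
  [ "${bits:-0}" -ge 2048 ] || { echo "private key too short: ${bits:-?} bits" >&2; return 1; }
  [ "$(openssl x509 -in "$dir/leaf.pem" -noout -pubkey)" = "$(openssl pkey -in "$dir/key.pem" -pubout)" ] \
    || { echo "private key does not match the certificate" >&2; return 1; }
  openssl verify -CAfile "$dir/chain.pem" -verify_hostname "$host" "$dir/leaf.pem" >/dev/null 2>&1 \
    || { echo "chain incomplete or hostname $host not covered" >&2; return 1; }
  echo "PFX ok: ${bits}-bit key, chain verifies, covers $host"
}

make_csr
make_test_ca
issue_leaf_and_bundle
export_pfx "$WORK/site.key" "$WORK/site.pfx"
check_pfx "$WORK/site.pfx" "$PFX_PASS" "$HOST"

# The article's extra "genrsa" key is not the key behind the CSR, so the export is refused.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
if export_pfx "$WORK/other.key" "$WORK/bad.pfx"; then
  echo "unexpected: export succeeded with a non-matching key" >&2; exit 1
fi
echo "export with a key that does not match the certificate was refused, as expected"
```

Run check_pfx against the PFX you are about to upload (with the real password and hostname); every failure it reports is one the portal would otherwise report after the upload, or, worse, that a browser would report after the binding.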
Once you have the .PFX file, go to the Azure Portal, select your Web App and open the SSL Settings blade:
Then click on Bindings. A binding specifies which certificate to use when responding to HTTPS requests for a specific hostname, and it requires a private certificate (.pfx) that is valid for that hostname. Proceed to delete the current binding:
*Note: a certificate cannot be deleted while a binding still references it. If you upload the new certificate and try to delete the old one before deleting the binding, you will see an error like the one below. Also be aware that while the hostname has no binding, HTTPS requests for it are answered with the default *.azurewebsites.net certificate, so browsers will show a name-mismatch warning until the new binding is in place:
Once you have deleted the binding, click on Private Certificates and select Upload Certificate as shown below:
Now upload your certificate (.pfx) and provide the export password you chose when creating it:
Once you have added the private certificate, click on Upload:
Once the certificate is uploaded you will see a notification like this:
Finally, go to your certificates and remove the old certificate by clicking it and selecting “Delete”:
Then confirm that you want to delete that certificate:
Go back to Bindings, click on Add SSL binding and select the hostname, the new certificate and the SSL type (IP Based SSL or SNI SSL). SNI SSL is the usual choice; IP Based SSL allocates a dedicated IP address to the app and is only needed for clients that cannot use SNI:
You should see a notification like below:
I strongly suggest enforcing HTTPS so that all HTTP requests are redirected to the HTTPS port. You can do so in the same blade: set HTTPS Only to On.
Also set the minimum TLS version to 1.2. TLS 1.0 and 1.1 are deprecated and should only be allowed if a legacy client really requires them.
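The same renewal done with the Azure CLI instead of portal clicks, as an added example that is not from the original article. It uploads the new PFX, moves the binding to the new thumbprint (binding a certificate to a hostname that already has a binding replaces it, so the hostname is never left without one), deletes the old certificate, then turns on HTTPS Only and minimum TLS 1.2. The resource group, app name, hostname and PFX path are placeholders and `az login` is assumed; unless APPLY=1 is set, the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example, not from the article: App Service certificate renewal with the Azure CLI.
# Order: upload new PFX -> bind new thumbprint (replaces the old binding, no gap)
#        -> delete old certificate -> HTTPS only + minimum TLS 1.2.
# Assumptions: `az login` done; names below are placeholders; commands are only printed
# unless APPLY=1 is set, so the plan can be reviewed before it is executed.
set -eu

RG="${RG:-my-resource-group}"            # assumption: resource group of the web app
APP="${APP:-wikiazure}"                  # assumption: web app name
HOST="${HOST:-wikiazure.com}"            # assumption: custom hostname already mapped to the app
PFX="${PFX:-./wikiazureSSLcert.pfx}"     # assumption: the renewed PFX from the OpenSSL step
APPLY="${APPLY:-}"                       # set APPLY=1 to execute instead of printing

# Execute a command, or print it when not applying.
run() {
  if [ -n "$APPLY" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Thumbprint currently bound to the hostname (empty when the hostname has no binding).
current_thumbprint() {
  run az webapp show --resource-group "$RG" --name "$APP" \
    --query "hostNameSslStates[?name=='$1'].thumbprint | [0]" --output tsv
}

# Upload the renewed PFX (arg: its export password); prints the thumbprint Azure assigns.
upload_cert() {
  run az webapp config ssl upload --resource-group "$RG" --name "$APP" \
    --certificate-file "$PFX" --certificate-password "$1" --query thumbprint --output tsv
}

# Bind a thumbprint (SNI) to the app's custom hostnames that the certificate covers.
bind_cert() {
  run az webapp config ssl bind --resource-group "$RG" --name "$APP" \
    --certificate-thumbprint "$1" --ssl-type SNI --output none
}

# Remove a certificate that no longer has a binding.
delete_cert() {
  run az webapp config ssl delete --resource-group "$RG" --certificate-thumbprint "$1"
}

# What the article recommends after the binding: HTTPS only and minimum TLS 1.2.
harden() {
  run az webapp update --resource-group "$RG" --name "$APP" --set httpsOnly=true --output none
  run az webapp config set --resource-group "$RG" --name "$APP" --min-tls-version 1.2 --output none
}

# Switch the binding from the old thumbprint to the new one. Args: new, old (old may be empty).
renew_binding() {
  bind_cert "$1"
  if [ -n "$2" ] && [ "$2" != "$1" ]; then delete_cert "$2"; fi
  harden
}

if [ -n "$APPLY" ]; then
  OLD="$(current_thumbprint "$HOST")"
  NEW="$(upload_cert "${PFX_PASSWORD:?set PFX_PASSWORD to the PFX export password}")"
  renew_binding "$NEW" "$OLD"
else
  renew_binding "NEW-CERT-THUMBPRINT" "OLD-CERT-THUMBPRINT"   # prints the plan with placeholders
fi
```

Run it once without APPLY to review the plan, then with APPLY=1 and PFX_PASSWORD set; the old certificate is only deleted after the new thumbprint is bound, and only if it differs from the new one.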
Hope this helps