Renew SSL Certificate for your Azure WebApp and update SSL Binding


In this article I will show you, step by step, how to renew the SSL certificate for your Azure WebApp and update the SSL binding that serves it.

Pre-requisites:

  • Map a custom DNS name to your web app.
  • Use at least a Basic tier App Service plan (custom domains with SSL are not available on Free or Shared).
  • Your SSL certificate must meet the App Service requirements (the detailed process is covered in this article):
    • Signed by a trusted certificate authority
    • Exported as a password-protected PFX file
    • Contains a private key at least 2048 bits long
    • Contains all intermediate certificates in the certificate chain
  • If you do not know how to produce the PFX file, the steps are:
    • Purchase the certificate from your preferred vendor
    • Generate the certificate signing request (CSR) and the private key with OpenSSL
    • Install OpenSSL and run the commands below from a CMD prompt

If you are on Windows, you can download OpenSSL from here: https://sourceforge.net/projects/openssl/

Generate your private key and public certificate

Let's start by opening a command prompt and running the following. This creates the private key and the CSR in one go. Note that -nodes leaves the private key unencrypted on disk, so keep the folder it lands in protected:

openssl req -nodes -newkey rsa:2048 -keyout C:\Users\daver\Documents\SSL\wikiazureSSLcert.key -out C:\Users\daver\Documents\SSL\wikiazureSSLcert.csr

Renew your SSL Certificate for your Azure webapp

OpenSSL prompts you for the CSR details (country, state, organization and, most importantly, the Common Name, which must be the custom hostname of your web app). When it finishes you have two files: the .csr, which goes to the vendor, and the .key, which never leaves your machine:

Generate a 2048 bit RSA Key

If you also want a separate, password-protected RSA key pair, the command below generates one, encrypts it with a passphrase you provide and writes it to a file. Be aware that this is not the key the CSR above was built from (that is wikiazureSSLcert.key, which is the one the PFX step below uses), so this step is optional. Triple DES (-des3) is a legacy cipher; use -aes256 instead if your OpenSSL build supports it:

openssl genrsa -des3 -out C:\Users\daver\Documents\SSL\wikiazureSSLprivate.pem 2048

SSL-renew-certificate-wikiazure-daverendon

Export the RSA Public Key to a File

To export the public half of that key pair to its own file, use the command below (the option is -outform PEM, without a dash before PEM):

openssl rsa -in C:\Users\daver\Documents\SSL\wikiazureSSLprivate.pem -outform PEM -pubout -out C:\Users\daver\Documents\SSL\wikiazureSSLpublic.pem

02-SSL-renew-certificate-wikiazure-daverendon

Now send the .CSR to your vendor so that they can issue the SSL certificate. Send only the CSR; the private key stays with you.

Create a .pfx certificate file using OpenSSL

When the vendor returns the certificate, you will typically receive a .zip file containing (the names below are from a Sectigo/PositiveSSL order):

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
  • Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate – wikiazure_com.crt

yourdomain.crt (here wikiazure_com.crt) is the public certificate issued for your domain name.

You may need to build a CA bundle for it from the intermediate CA certificates: concatenate them in order, with the certificate that issued your domain certificate first and the next intermediate after it. The root does not belong in the bundle, since clients must already trust it. Also check the validity dates of every certificate in the chain; the AddTrust External CA Root shipped in this example expired on 30 May 2020 and should no longer be included. Many vendors provide a ready-made .ca-bundle file. Once you have it, go back to your CMD and generate the .PFX file:

openssl pkcs12 -export -inkey C:\Users\daver\Documents\SSL\wikiazureSSLcert.key -in C:\Users\daver\Documents\SSL\wikiazure_com.crt -certfile C:\Users\daver\Documents\SSL\wikiazure_com.ca-bundle -out C:\Users\daver\Documents\SSL\wikiazureSSLcert.pfx

Create-pfx-certificate-file-using-OpenSSL-wikiazure-daverendon

You will be asked for an export password and to confirm it; this is the password you will enter in the Azure portal when uploading the PFX. You will then see an output like the image below:

Renew-SSL-Certificate-wikiazure-3
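The following PowerShell script is an added example, not code from the original article or from Azure, that carries the OpenSSL steps above through end to end and adds the checks I would want before uploading anything: a non-interactive CSR that puts the hostname in subjectAltName (the CN alone is no longer enough for browsers), a test that the issued certificate really matches the CSR key, a chain verification against the current root, the PFX export, and a final load of the PFX the way Windows will see it. It assumes openssl.exe 1.1.1 or newer on PATH (needed for -addext and -ext); the hostname, organization, folder and file names are placeholders.

```powershell
# Added example (not from the original article): assemble and verify the renewal
# certificate with OpenSSL from PowerShell before touching the Azure portal.
# Assumes openssl.exe (1.1.1 or later, for -addext/-ext) is on PATH and that the
# vendor's files are already in $Dir. Hostname, organization, paths and file
# names are hypothetical placeholders.
$ErrorActionPreference = 'Stop'

$Hostname = 'www.wikiazure.com'                          # custom hostname bound to the web app
$Dir      = 'C:\Users\daver\Documents\SSL'
$Key      = Join-Path $Dir 'wikiazureSSLcert.key'
$Csr      = Join-Path $Dir 'wikiazureSSLcert.csr'
$Leaf     = Join-Path $Dir 'wikiazure_com.crt'           # issued certificate from the vendor
$Inter    = @('intermediate-1.crt',                      # issuer of the leaf comes first
              'intermediate-2.crt') | ForEach-Object { Join-Path $Dir $_ }
$Root     = Join-Path $Dir 'root-ca.crt'                 # current, unexpired root of the chain; not shipped in the PFX
$Bundle   = Join-Path $Dir 'wikiazure_com.ca-bundle'
$Pfx      = Join-Path $Dir 'wikiazureSSLcert.pfx'

function New-CsrWithSan {
    # Non-interactive CSR. The hostname goes into subjectAltName as well as the CN.
    # -nodes leaves the key unencrypted; restrict NTFS permissions on $Dir.
    & openssl req -new -newkey rsa:2048 -nodes -sha256 `
        -keyout $Key -out $Csr `
        -subj "/C=US/O=WikiAzure/CN=$Hostname" `
        -addext "subjectAltName=DNS:$Hostname"
    if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }
}

function Test-KeyMatchesCert {
    # The issued certificate must carry the public key of the CSR's private key.
    $kMod = (& openssl rsa  -noout -modulus -in $Key)  | ForEach-Object { $_.Trim() }
    $cMod = (& openssl x509 -noout -modulus -in $Leaf) | ForEach-Object { $_.Trim() }
    return ($kMod -eq $cMod)
}

function Build-CaBundle {
    # Intermediates only, leaf's issuer first. The root is left out on purpose:
    # clients must already trust it, and an expired root in the bundle breaks validation.
    $pem = $Inter | ForEach-Object { Get-Content -Raw $_ }
    Set-Content -Path $Bundle -Value ($pem -join "`n") -NoNewline -Encoding ascii
}

function Test-Chain {
    # Verify leaf -> intermediates -> root, then check the SAN covers the hostname.
    & openssl verify -CAfile $Root -untrusted $Bundle $Leaf | Out-Null
    if ($LASTEXITCODE -ne 0) { return $false }
    $san = & openssl x509 -noout -ext subjectAltName -in $Leaf
    return ([string]$san -match "DNS:$([regex]::Escape($Hostname))")
}

function Export-Pfx([string]$Password) {
    # Private key + leaf + intermediates is exactly what App Service requires.
    & openssl pkcs12 -export -inkey $Key -in $Leaf -certfile $Bundle `
        -out $Pfx -passout "pass:$Password"
    if ($LASTEXITCODE -ne 0) { throw 'PFX export failed' }
}

function Test-Pfx([string]$Password) {
    # Load the PFX with .NET, as Windows and the portal will, and sanity-check it.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Pfx, $Password)
    $ok = $cert.HasPrivateKey -and
          ($cert.NotAfter -gt (Get-Date).AddDays(30)) -and
          ($cert.DnsNameList.Unicode -contains $Hostname)   # DnsNameList is a PowerShell-added property
    Write-Host ('Thumbprint {0}  expires {1:yyyy-MM-dd}  ok={2}' -f $cert.Thumbprint, $cert.NotAfter, $ok)
    return $ok
}

# Step 1 (before ordering): run New-CsrWithSan and send $Csr to the vendor.
# Step 2 (after the vendor returns the files):
$pfxPassword = Read-Host -AsSecureString 'PFX export password' |
               ForEach-Object { [System.Net.NetworkCredential]::new('', $_).Password }
if (-not (Test-KeyMatchesCert)) { throw 'Issued certificate does not match the CSR key' }
Build-CaBundle
if (-not (Test-Chain)) { throw 'Chain does not verify, or SAN does not cover the hostname' }
Export-Pfx $pfxPassword
if (-not (Test-Pfx $pfxPassword)) { throw 'PFX failed sanity checks' }
```

The key/certificate modulus comparison is the check that catches the most common renewal mistake: a PFX built from a key that does not belong to the issued certificate, which OpenSSL rejects only at export time with an unhelpful message.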

Once you have the .PFX file, go to the Azure Portal, select your WebApp and open the SSL Settings blade (called TLS/SSL settings in newer versions of the portal):

ssl-settings-wikiazure-daverendon

Then click Bindings. A binding tells App Service which certificate to present when responding to HTTPS requests for a specific hostname, and it requires a private certificate (.pfx) issued for that hostname. Delete the current binding. Be aware that from this moment until the new binding is added the hostname has no certificate bound, so HTTPS requests to it will fail certificate validation; keep the gap short:

delete-binding-wikiazure

*Note: a certificate that is still referenced by a binding cannot be deleted. If you upload the new certificate and try to delete the old one before removing the binding, you will see an error like the one below:

warning-certificate-delete-wikiazure

Once you have deleted the binding, click Private Certificates (.pfx) and select Upload Certificate as shown below:

SSL-certificate-renew-webapp-wikiazure-daverendon

Now proceed to upload your certificate(.pfx) and provide the password:

add-private-certificate-wikiazure-daverendon

Once you added the private certificate, click on upload:

upload-private-certificate-wikiazure

Once you uploaded the certificate you will see a notification like this:

add-certificate-notification-wikiazure

Next, go to your certificates and remove the old certificate by clicking it and selecting "Delete":

update-ssl-certificate-wikiazure

Then confirm you want to delete that certificate:

confirm-delete-certificate-wikiazure

Go back to Bindings, click Add SSL Binding, select the hostname and the new certificate, and choose the SSL type (IP Based SSL or SNI SSL). SNI SSL is the normal choice; IP Based SSL gives the app a dedicated inbound IP address and is only needed for clients that cannot send SNI:

update-ssl-binding-wikiazure

You should see a notification like below:

configuring-ssl-binding-wikiazure

I strongly suggest enforcing HTTPS so that all HTTP requests are redirected to HTTPS. You can do so in the same blade, under Protocol Settings: set HTTPS Only to On.

protocol-settings-wikiazure

Also set the minimum TLS version to 1.2. TLS 1.0 and 1.1 are deprecated; only leave them enabled if you have a known client that cannot do better.
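As an added example (not part of the original article and not Azure's own code), here is the same change made with the Azure CLI from PowerShell, ordered so that the hostname is never left without a certificate: upload the new PFX, re-point the existing binding at it, harden the protocol settings, confirm from outside what clients actually receive, and only then delete the old certificate. It assumes `az` is logged in with rights on the web app, openssl.exe is on PATH, and the PFX from the previous step exists; the resource group, app name, hostname and path are placeholders, and it relies on the hostname binding being keyed by hostname, so that binding a new certificate replaces the old binding in place.

```powershell
# Added example (not from the original article): certificate renewal with the Azure CLI.
# Assumes `az login` has been done, openssl.exe is on PATH and the PFX exists.
# Resource group, web app name, hostname and path are placeholders.
$ErrorActionPreference = 'Stop'

$ResourceGroup = 'rg-wikiazure'
$WebApp        = 'wikiazure'
$Hostname      = 'www.wikiazure.com'
$Pfx           = 'C:\Users\daver\Documents\SSL\wikiazureSSLcert.pfx'
$PfxPassword   = Read-Host 'PFX password'

# Which certificate is bound today? Recorded so it can be deleted after the switch.
$oldThumb = az webapp config hostname list --webapp-name $WebApp --resource-group $ResourceGroup `
              --query "[?name=='$Hostname'].thumbprint | [0]" -o tsv

# 1. Upload the new PFX; from here on the thumbprint identifies it.
$newThumb = az webapp config ssl upload --name $WebApp --resource-group $ResourceGroup `
              --certificate-file $Pfx --certificate-password $PfxPassword `
              --query thumbprint -o tsv

# 2. Re-point the binding at the new certificate. The binding is keyed by hostname,
#    so this replaces the old binding in place; there is no window without a certificate.
az webapp config ssl bind --name $WebApp --resource-group $ResourceGroup `
    --certificate-thumbprint $newThumb --ssl-type SNI | Out-Null

# 3. Harden the endpoint: redirect HTTP to HTTPS and refuse TLS below 1.2.
az webapp update --name $WebApp --resource-group $ResourceGroup --https-only true | Out-Null
az webapp config set --name $WebApp --resource-group $ResourceGroup --min-tls-version 1.2 | Out-Null

# 4. Confirm from the outside what clients get. SNI must be sent or the default
#    *.azurewebsites.net certificate comes back instead of yours.
function Get-ServedThumbprint([string]$Fqdn) {
    $ErrorActionPreference = 'Continue'    # s_client chatters on stderr; do not treat it as fatal
    $line = 'Q' | & openssl s_client -connect "${Fqdn}:443" -servername $Fqdn 2>$null |
            & openssl x509 -noout -fingerprint -sha1
    # "SHA1 Fingerprint=AB:CD:..." -> "ABCD..." (same form as the az thumbprint)
    return (($line -split '=')[1] -replace ':', '')
}

$served = Get-ServedThumbprint $Hostname
if ($served -ne $newThumb) { throw "$Hostname still serves $served, expected $newThumb" }
Write-Host "$Hostname now serves certificate $newThumb"

# 5. Only now remove the old certificate; it is no longer referenced by any binding.
if ($oldThumb -and $oldThumb -ne $newThumb) {
    az webapp config ssl delete --resource-group $ResourceGroup --certificate-thumbprint $oldThumb | Out-Null
}
```

The external check in step 4 is worth keeping even if you do the rest in the portal: it compares the thumbprint clients see against the one you uploaded, which catches a binding left on the old certificate, a missing SNI name, or a DNS record still pointing somewhere else.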

Hope this helps
