Azure App Service Certificate is an SSL certificate purchased through Azure. It comes with many benefits and easy integration with other Azure resources. The certificates are issued by GoDaddy's Certificate API in partnership with Azure.

In this article, ASC is used as shorthand for App Service Certificate.

Benefits

Here are the benefits that the App Service Certificate offers:

  • Purchased and paid for from an Azure subscription
  • Covers the root/apex/naked domain (the www subdomain is included for free)
  • Wildcard certificate option covering all subdomains (*.domain.com)
  • SHA-2 signature and a 2048-bit key
  • A Domain Validated (DV) certificate with an easy and intuitive validation process
  • Stored in Key Vault
  • Can be exported (portal & PowerShell)
  • Easy integration with Azure App Service
  • Can be used in Azure VMs
  • Free Re-key and Sync options
  • Issued for 1 year
  • Issued by Go Daddy Secure Certificate Authority - G2
  • Resource type: Microsoft.CertificateRegistration/certificateOrders

Creation

Create - https://ms.portal.azure.com/#create/Microsoft.SSL

Name - this is just the Azure resource name of the certificate, so pick something you can easily recognize

Naked Domain Host Name - the domain you want to secure (for a wildcard, type *.domain.com)

Choose the Subscription and Resource Group that will hold the certificate

App Service Certificate creation

Next is the Certificate SKU:

S1 Standard - one subdomain or a root domain (+ www for free)

Cost: ~$69.99/year (this might sound a little expensive compared to other vendors, but consider the benefits listed above)

W1 Wild Card - covers unlimited subdomains (the naked domain is also covered). Example: if ordered for *.contoso.com, contoso.com is also covered as a SAN (Subject Alternative Name)

Cost: ~$299.99/year (a fair price compared to other vendors)

More info: App Service Certificate pricing

Next are the Legal Terms, which you have to accept.

App Service Certificate legal terms

And that's it! This is how the completed purchase form should look before you order.

App Service Certificate ready

When you are ready, click Create. It should take no more than 10 minutes to create.

You will find the certificate among your Azure resources. Open it, because it needs configuration before it can be used.

The certificate will first appear in the "Pending Issuance" state. This means that you need to verify that you own the domain in question before GoDaddy will issue the certificate (this is of course a normal measure, so nobody can simply buy a microsoft.com or google.com SSL certificate without proving access to those domains).

App Service Certificate requires validation

Configuration

Click on the orange tile or go to the Certificate Configuration blade. There you will find the 3 steps (really 2) that you need to follow before the certificate becomes usable.

App Service Certificate configuration

Key Vault Integration

First we need to import the certificate into Key Vault. This is mandatory, and Key Vault is where the certificate will be kept. Click on the checkbox to start the process.

App Service Certificate import to KeyVault

You might come across this error when you try to import it into Key Vault. It means that your account is a "Guest" user in the current Azure AD tenant. Unfortunately, there is no workaround: you will have to ask a non-Guest member of the Azure AD tenant who has access to the Key Vault to do this for you.

You do not have permission to get the service principal information needed to assign a Key Vault to your certificate

If your user is fine, you will see the blade below. Click on Configure required settings. This will prompt you to either choose an existing Key Vault into which to import the certificate or create a new one.

App Service Certificate import to KeyVault - choose KeyVault 

Verification

Step 2, the final step, is the Verification process. Now you need to prove that you have access to the domain. There are 5 ways of verifying your domain.

Note!

You can buy a certificate for any domain, but the certificate itself is not issued until you verify it. You can, for example, buy an ASC for "microsoft.com", but you won't be able to verify it because you don't have access to the microsoft.com domain. Only when you verify an App Service Certificate is the SSL certificate actually issued.

App Service Verification

If you already have a custom domain on an Azure App Service web app in the current subscription, you should already have proven access to the domain (because you must have passed the custom domain verification). However, in reality this doesn't work at the moment (as of December 2019). Microsoft support has given no information on why it doesn't work and will just recommend using one of the other options.

If you have a lit-up "Verify" button instead of a greyed-out one, you qualify for verifying through App Service.

App Service Certificate verification - App Service

App Service Domain Verification

This validation is a quite common scenario. If you have an App Service Domain in your subscription with the same domain as your App Service Certificate, you will pass verification, because it's evident that you already own the entire domain.

App Service Certificate verification - App Service Domain

Mail Verification

This is a less likely way of verification. When you ordered the certificate, a verification email was sent to the following email addresses on the domain you are buying the certificate for. If you want to verify this way, you can do it through the email sent to one of these addresses, or, if you don't have any of them but can create mailboxes, create one of the mailboxes below and click "Resend Email" to receive it again once the mailbox exists.

App Service Certificate verification - Mail

Here is how the email looks:

App Service Mail verification email

Manual Verification

There are two methods of manual verification: the TXT record method or the HTML page method. Manual verification is usually used if you can't do the first 3 due to insufficient access.

The TXT record method

Here are examples of achieving this. In reality this is the easiest and least disruptive way of verifying the certificate. Just create a TXT record in the DNS zone of the domain with the value given in your own example (which is the domain verification token's value, shown on every page).

The HTML page method

If you don't have any access to the DNS of the domain but do have access to the web server (either outside Azure, or an App Service/Azure VM hosting a website under that domain), you can create a simple HTML page called "godaddy.html" whose only content is the domain verification token value. However, you need to place this page 2 subfolders below the wwwroot directory: inside a folder called ".well-known" and then inside another folder called "pki-validation".

wwwroot
  .well-known
    pki-validation
      godaddy.html

App Service Certificate verification - Manual

Azure will try to fetch the HTML page once or twice a day to check whether you have godaddy.html in place. Here is a visit to my website by Azure looking for the godaddy.html page.

App Service verification http request

Auto Renewal

App Service Certificates are issued for 1 year. If Auto Renew is ON, the certificate is renewed automatically before it expires (starting 60 days before expiration; I cannot say exactly when). All bindings on App Service Web Apps are replaced with the new certificate automatically.

You can change this setting by clicking on 'Auto Renew Settings'; it is ON by default. You can also manually renew a certificate by clicking on Manual Renew, irrespective of the current Auto Renew setting, if the certificate expires within the next 90 days.

App Service Certificate Auto renewal

ReKey and Sync

Some companies have a security policy of renewing their SSL certificates every 3 or 6 months, less than the 1 year for which the App Service Certificate is issued. One of the benefits of using an ASC is the free Re-key option. If you Re-key the certificate, a brand new one with a different thumbprint is issued for free, and you can do this as many times as you want during the lifetime of the certificate. When the RP (resource provider) receives a Re-key request, it generates a new RSA key pair and a CSR, which it then submits to the CA (GoDaddy). You don't need to validate domain ownership again, as you already did that when creating the ASC. A Re-key operation usually takes about 5-10 minutes to complete. You don't need to take any action after clicking Re-key to get the new certificate; click Refresh at the top to see the current status of the Re-key request. Once it completes, the ASC status moves back to the Ready state.

Now the linked certificate is out of sync, because it doesn't match the new thumbprint. After you Re-key your certificate, you will need new bindings on your Web Apps. This is what the Sync button is for: once you click it, all your bindings are replaced automatically. What happens if you don't click Sync once a Re-key operation is finished? Would the linked certificates stay out of sync forever? No. The ASC RP has a periodic job that syncs linked certificates with the corresponding ASC every few hours. So even if you don't click Sync, this job will eventually migrate your apps to the new certificate within a few hours.

App Service Certificate ReKey & Sync

ARM Templates

https://github.com/Azure/azure-quickstart-templates/tree/master/101-app-service-certificate-standard

App Service Environment

You can use and import an ASC in ASE Web Apps the same way as in the multi-tenant App Service. However, an ASC cannot be used as an ILB certificate, because you can't order two SANs (Subject Alternative Names) in an ASC.

Moving the App Service Certificate

You can move the App Service Certificate object between resource groups and subscriptions within the same AD tenant. Here are some considerations:

  • If the certificate is imported into an App Service plan, you will need to delete it from there (in a Web App -> TLS/SSL Settings -> Private Certificates -> Delete)
  • Any bindings to the certificate will need to be deleted too, as otherwise it cannot be deleted from the App Service Plan
  • If you move all the Web Apps + App Service Plans + the App Service Certificate imported into the same App Service plan together, the move succeeds without deleting bindings or the actual certificate
  • If you move to a different subscription, you will have to re-import the certificate into a new Key Vault. Make sure to do that after the move has completed

Limits

You can have up to 10 App Service Certificates per subscription for Pay-As-You-Go and Enterprise Agreement, and 3 for smaller offerings such as Student/BizTalk/Visual Studio. Not available for Free subscriptions. CSS - ask your supplier.

If you want this limit increased, file a support ticket and tell the support staff by how much the limit should be increased.

Usage

An App Service Certificate can be used anywhere. However, the only direct integration is with App Service. For any other Azure or non-Azure service, the certificate needs to be exported to a PFX.

Export App Service Certificate

Here is how to export the App Service Certificate to a PFX. Note that exported certificates are local copies of your ASC, so if you Re-key or renew it, these copies are not affected.
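Because an exported PFX is a snapshot, it is worth checking a local copy before deploying it somewhere: is it still the current key (it goes stale after a Re-key), does the SAN list cover the names you expect (a W1 order should list both *.domain.com and domain.com), and how close is it to the 60-day auto-renew window. The following PowerShell function is an added example, not code from the original article; its name and parameters are my own.

```powershell
# Added example, not part of the original article: inspect a locally exported
# App Service Certificate copy. Function name and parameters are my own.
function Get-AscPfxSummary {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,       # e.g. .\appservicecertificate.pfx
        [string] $PfxPassword = "",                      # Key Vault downloads carry no password
        [string] $ExpectedThumbprint = ""                # thumbprint the ASC reports now (optional)
    )
    # .NET resolves relative paths against its own working directory, so make the path absolute first
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($PfxPath)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($fullPath, $PfxPassword, $flags)

    # Subject Alternative Name extension (OID 2.5.29.17). On Windows, Format($true) prints one
    # "DNS Name=host" entry per line; a W1 wildcard order lists both *.domain.com and domain.com here.
    $dnsNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $dnsNames = @($sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $thumbprintMatches = $null
    if ($ExpectedThumbprint) {
        # -eq on strings is case-insensitive; the portal shows thumbprints with spaces, so strip them
        $thumbprintMatches = ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', ''))
    }

    [pscustomobject]@{
        File              = $fullPath
        Thumbprint        = $cert.Thumbprint
        Issuer            = $cert.Issuer
        Subject           = $cert.Subject
        DnsNames          = $dnsNames
        HasPrivateKey     = $cert.HasPrivateKey   # $false means you downloaded the public part only
        NotAfter          = $cert.NotAfter
        DaysUntilExpiry   = $daysLeft
        InAutoRenewWindow = ($daysLeft -le 60)     # auto-renew starts 60 days before expiry
        MatchesExpected   = $thumbprintMatches     # $false after a Re-key: this copy is stale
    }
}

# Usage (the thumbprint value is a placeholder; copy the real one from the ASC blade):
# Get-AscPfxSummary -PfxPath .\appservicecertificate.pfx -ExpectedThumbprint '<thumbprint from the ASC blade>'
```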

Portal

The easiest way is to export the certificate from the Portal. Here is how:

Go to your certificate, choose the Export Certificate blade and click Open Key Vault Secret.

Export App Service Certificate

Select the current version.

Export App Service Certificate

At the bottom you will find a button "Download as a certificate". Click it and save the PFX file locally.

Export App Service Certificate

That's it. However, to make the process complete, we need to acknowledge that this PFX copy of the certificate has no password. Many Azure and non-Azure services require the .pfx to have a password; otherwise it might not work, or the upload might not even be allowed. For example, in all Azure services where you can upload a PFX, you always need to provide a password. If there is none, it will fail.

Configure password for .pfx

If we want this PFX with a password, the easiest way is to import it on a Windows machine and export it again, this time with a password. Here is how to do this:

Right-click on the pfx file and choose Install PFX

Install PFX

 

Choose Local Machine and click Next

Install PFX

On the next wizard page you don't have to change anything, so proceed with Next.

On the Private key protection page, leave the password empty and check "Mark this key as exportable". Click Next.

Install PFX

On the Certificate Store page, leave Automatically select the certificate store selected and click Next.

Click Finish on the last page.

You should get "Import Successful".

Install PFX

Now we need to export the certificate, this time with a password. We need to browse the machine's certificate store to start this.

Open Run (Windows + R) and type mmc

MMC

In the MMC console, go to File -> Add/Remove Snap-in (or Ctrl + M). Select Certificates and click Add in the middle.

You will be asked whether to manage certificates for My user account, Service account or Computer account. Choose Computer account and click Next.

mmc

Leave the defaults on the next page (Local computer: (the computer this console is running on)) and click Finish.

Click OK in the Snap-in dialog.

mmc

Now expand Certificates (Local Computer), then expand Personal and choose Certificates.

Find the certificate you just imported and right-click it -> All Tasks -> Export...

mmc export

The Export wizard starts. Click Next on the first window.

Then choose Yes, export the private key, and click Next.

Export PFX

On the Export File Format page, make sure that everything is checked except "Delete the private key if the export is successful", which must stay unchecked. Click Next.

Export PFX

Here you can choose a password for the PFX file. Check the Password checkbox and type your desired password. Leave the Encryption as TripleDES-SHA1.

Click Next

Export PFX

Choose where to save the new .pfx file by clicking Browse.

Export PFX

Click Finish and you should get "The export was successful" message.

That's it. You now have an exported copy of the App Service Certificate in .pfx format, with a password, ready to be used anywhere you want.

Export PFX
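The same re-wrap can be scripted instead of clicking through the two wizards. The PowerShell function below is an added example, not code from the original article: it opens the password-less PFX with the same .NET X509Certificate2 class the export scripts in this guide use, writes it back out as a password-protected PKCS#12 file, and then reopens the result to confirm the private key and thumbprint survived. The function name and parameters are my own.

```powershell
# Added example, not part of the original article: script the re-wrap that the
# import/export wizards above do by hand. Function name and parameters are my own.
function Protect-AscPfx {
    param(
        [Parameter(Mandatory)] [string] $InputPath,        # password-less PFX from the portal/Key Vault
        [Parameter(Mandatory)] [string] $OutputPath,       # password-protected PFX to create
        [Parameter(Mandatory)] [securestring] $Password    # e.g. (Read-Host -AsSecureString 'PFX password')
    )
    # .NET resolves relative paths against its own working directory, so make both paths absolute
    $pathApi = $ExecutionContext.SessionState.Path
    $inFile  = $pathApi.GetUnresolvedProviderPathFromPSPath($InputPath)
    $outFile = $pathApi.GetUnresolvedProviderPathFromPSPath($OutputPath)

    # Exportable is required, otherwise the private key cannot be written back out
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    # Empty string = no password; the portal's "Download as a certificate" produces exactly such a file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($inFile, "", $flags)
    if (-not $cert.HasPrivateKey) {
        throw "$inFile has no private key; download the Key Vault secret, not the public .cer"
    }

    # Export as PKCS#12 protected by the supplied password and write it to disk
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $Password)
    [System.IO.File]::WriteAllBytes($outFile, $bytes)

    # Round-trip check: the protected file must open with the password and still carry the same key
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($outFile, $Password, $flags)
    if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
        Remove-Item -LiteralPath $outFile -ErrorAction SilentlyContinue
        throw "Round-trip check failed for $outFile"
    }
    [pscustomobject]@{ Path = $outFile; Thumbprint = $check.Thumbprint; Subject = $check.Subject; NotAfter = $check.NotAfter }
}

# Usage:
# Protect-AscPfx -InputPath .\appservicecertificate.pfx -OutputPath .\appservicecertificate-protected.pfx -Password (Read-Host -AsSecureString 'PFX password')
```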

Azure Portal PowerShell

Before we start, let's take note of the certificate's secret name.

 

  • Secret Name (go to your App Service Certificate -> Export Certificate -> Open Key Vault Secret -> select the current version; at the top you can copy the Secret Name)

Secret name

 

We will be using the same PowerShell commands as for a normal desktop PowerShell session, slightly modified.

Open your PowerShell session in the portal. Make sure that you are in the correct subscription. You can check this with:

Get-AzContext

If you are, you can proceed. If not, run Select-AzSubscription -SubscriptionId followed by your subscription ID.

Type cd to return to the default (home) directory:

cd

Then replace the values in the first five lines below with your own and copy the entire set of commands.

# Values to replace with your own (the secret name is resolved again from the ASC resource further down)
$appServiceCertificateName = "HybridCenterSSL"
$resourceGroupName = "App-Service-Domains"
$keyVaultSecretName = "ac47a02f809749579b8698ebcca5d8ba"
$subscriptionId = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
$azureLoginEmailId = "user@example.com"   # placeholder: the UPN you signed in to Azure with
# Nothing below needs changing
# Look up the certificate order resource and the Key Vault reference it stores
$ascResource = Get-AzResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
# The vault name and its resource group are parsed from the vault's resource ID
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
# Grant your account 'get' on secrets, then read the base64-encoded PFX from the vault
Set-AzKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
# Az.KeyVault 1.x exposes the value as SecretValueText; Az.KeyVault 2.x and later only expose the SecureString SecretValue
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Random 50-character password for the new PFX (letters and digits only)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
# .NET resolves relative paths against its own working directory, so align it with PowerShell's
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes("./appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory/appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Paste them into your Azure PowerShell session with right-click and Paste (as plain text, if possible).

Azure Powershell paste

You will see the commands executing one by one. You might have to hit Enter for the last one to execute.

Note the PFX password and copy it; it is randomly generated.

Azure Powershell pfx

Type dir to list the contents of the directory. You should find appservicecertificate.pfx.

Azure Powershell dir

Now download it by clicking Upload/Download files -> Download.

Azure Powershell download

Then type appservicecertificate.pfx in the input field.

Azure Powershell download

That's it! Congratulations

PowerShell

Here is how to do it with the new Az module. Supply your own values below. You can run these lines one by one in a PowerShell session, open them in PowerShell ISE, or download the file below and run it, after first changing the values.

# Let's define some variables - define your own values here (the secret name is resolved again from the ASC resource further down)
$appServiceCertificateName = "HybridCenterSSL"
$resourceGroupName = "App-Service-Domains"
$keyVaultSecretName = "ac47a02f809749579b8698ebcca5d8ba"
$subscriptionId = "xxxxxxxxxxxxxxxxxxxx"
$azureLoginEmailId = "user@example.com"   # placeholder: the UPN you sign in to Azure with
# Nothing below needs any alteration
Connect-AzAccount
Set-AzContext -SubscriptionId $subscriptionId
# Look up the certificate order resource and the Key Vault reference it stores
$ascResource = Get-AzResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
# The vault name and its resource group are parsed from the vault's resource ID
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
# Grant your account 'get' on secrets, then read the base64-encoded PFX from the vault
Set-AzKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
# Az.KeyVault 1.x exposes the value as SecretValueText; Az.KeyVault 2.x and later only expose the SecureString SecretValue
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Random 50-character password for the new PFX (letters and digits only)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
# .NET resolves relative paths against its own working directory, so align it with PowerShell's
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

The Entire file - https://github.com/Djongov/AzurePowershell/blob/master/Export-AppServiceCertificate.ps1

That's it! Congratulations

Azure CLI

You also have the option to export it through the Azure CLI (Bash).

Open a Bash session in the portal and execute the following two commands. Replace the placeholder values (ResourceGroupName, AppCertificateName, KeyVaultName) with your own.

# Read the Key Vault secret name stored on the certificate order resource
# (the certificates map is keyed by the certificate's own name, hence AppCertificateName twice)
secretname=$(az resource show \
  --resource-group ResourceGroupName \
  --resource-type "Microsoft.CertificateRegistration/certificateOrders" \
  --name AppCertificateName \
  --query "properties.certificates.AppCertificateName.keyVaultSecretName" \
  --output tsv)

# The secret holds the PFX as base64; --encoding base64 decodes it back into a binary .pfx
az keyvault secret download \
  --file appservicecertificate.pfx \
  --vault-name KeyVaultName \
  --name "$secretname" \
  --encoding base64

Export PFX using Azure CLI

That's it. Now you need to download it from the storage account backing the CLI/PowerShell sessions.

Type dir to check that appservicecertificate.pfx is in your current directory. Go to Upload/Download Files and choose Download.

Export PFX using Azure CLI

Since you are in the current directory, you just need to add the file name as shown below and click Download.

Export PFX using Azure CLI

You have the .pfx file but it has no password. Follow the Configure password for .pfx section of this guide.

That's it! Congratulations

Assigning to App Service

You can benefit from the very intuitive integration between App Service Certificate and App Service Web Apps. Here is how to assign an ASC to App Service:

  1. Go to one of your Web Apps and navigate to the TLS/SSL settings. Then select the Private Key Certificates (.pfx) tab.
  2. Click on Import App Service Certificate. You will see a list of ASCs that you can import. Select your desired ASC and click OK. This imports a copy of the certificate from Key Vault directly into the Personal certificate store of the App Service Plan's VM, which means the certificate is visible to all Web Apps in that App Service plan.
  3. It is now ready to be used for SSL bindings. Go to your Bindings tab and start making your bindings. You need corresponding custom domain entries that match the names on the certificate.

That's it!

Assigning to Azure VM (Windows)

Although the Azure Portal says that you can integrate an ASC with an Azure VM, there is no real "integration" currently available like the one with App Service. If you want to use the App Service Certificate on a VM, export it to a PFX using one of the methods mentioned earlier. Copy the PFX file to the Azure VM and follow the usual method of installing the certificate into the VM's certificate store. On Windows this is just double-clicking the PFX and installing it.

Refund

If you think that you need a refund for the App Service Certificate, you may open a support ticket and give it a try. If support agrees to refund you, they will ask you to delete the certificate and provide them with evidence. Azure Billing support is quite fair, so if you give them a good reason and justification for the refund and for not needing the certificate anymore, there is a good chance that they will refund you.

Important!

If you have purchased the certificate but have NOT verified it, you are not charged anything, so just delete it.

Troubleshooting (FAQ)

My Certificate is marked as Fraud. Why?

If the certificate is marked as Fraud and this has not been resolved after 24 hours, follow the steps below:

  • Go to the App Service Certificate in the Azure portal
  • Click on Certificate Configuration -> Step 2: Verify -> Domain Verification
  • Click on Email Instructions, which sends an email to GoDaddy to resolve the issue

My App Service Certificate is still showing the old secret value. How can I force a sync with the new secret in my Key Vault?

The Web App service runs a background job that periodically (every 8 hours) syncs all App Service Certificates. So when you rotate or update a certificate, the application may still be retrieving the old certificate instead of the newly updated one, because the job has not yet run to sync the certificate resource. To force a sync, open the Rekey and Sync setting and click the Sync button.

I cannot purchase an App Service Certificate. Why?

If you receive an Internal Server Error when you try, there is a good chance that there are temporary issues on the Azure side.

Another reason for failed purchases is the presence of a CAA DNS record in the domain's DNS zone. The CAA record is a security control that restricts which CAs are allowed to issue SSL certificates for the domain. Check whether your domain has a CAA record and make sure to include DigiCert as a valid CA.
