Yesterday, Microsoft announced one of the most requested features of Azure App Services at Ignite: Free Transport Layer Security (TLS) for Azure App Service.
The free App Service Managed Certificate is a fully functional SSL certificate that is managed by Azure and gets automatically renewed. Since this is a free offering, it also comes with some limitations:
- Does not support wildcard certificates.
- Does not support apex domains (only sub-domains).
- Does not support the export of the certificate.
Also, I was not able to create the SSL Certificate on an App Service Plan hosted in North Europe. Right now I had to choose Central US.
Create a free certificate using the Azure Portal
Before you can create the free certificate, you have to add a custom domain. Right now, you have to use either an A or a CNAME record (credits to Joonas W).
For my example, I added the domain ssl.mbrandl.com using a CNAME to mbrandl.azurewebsites.net. This is what the record looks like on GoDaddy (my domain registrar):
And this is what it looks like in the Azure Portal after I assigned the custom domain. As you can see, the SSL state is “Not Secure”:
Now let’s add the free certificate by selecting TLS/SSL settings (1) from the left navigation of our app. On the next screen, click on the Private Key Certificates (.pfx) (2) tab and then on the Create App Service Managed Certificate (3) button:
Now we can select our custom domain from the dropdown (1) and click on the Create button (2) to create a free certificate:
When the operation completes, we will see the certificate in the Private Key Certificates list:
Add the SSL binding
We have now created a free certificate for our Web App but we still need to add an SSL binding to our custom domain. We can do this on the Custom domains (1) page by clicking on the Add binding (2) link next to our custom domain:
On the next page, we have to select our Custom domain (1) and the Private Certificate Thumbprint (2) from the dropdowns, choose a TLS/SSL Type (3) and click on the Add Binding button (4):
That’s it, our site is now secured using TLS by a free App Service Managed Certificate. You can see the certificate live in action here. This is what it looks like:
For additional reference, see the documentation.
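The portal steps above can also be scripted with the Azure CLI. The script below is an added example, not part of the original post: the resource group is a placeholder you supply, SNI is an assumed choice for the TLS/SSL type, and `DRY_RUN`, `run`, `check_hostname` and `enable_managed_cert` are names made up for this example.

```bash
#!/usr/bin/env bash
# Added example: add a custom domain, create the managed certificate, bind it.
# Usage: ./managed-cert.sh <resource-group> <app-name> <hostname>
# Set DRY_RUN=1 to print the az commands instead of executing them.

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject hostnames that fall under the limitations listed in the post.
check_hostname() {
  case "$1" in
    \**) echo "wildcard hostnames are not supported" >&2; return 1 ;;
  esac
  # Crude apex heuristic (assumption): fewer than three labels means apex.
  # It does not know multi-part public suffixes such as co.uk.
  case "$1" in
    *.*.*) return 0 ;;
    *) echo "apex domains are not supported, use a sub-domain" >&2; return 1 ;;
  esac
}

enable_managed_cert() {
  local rg="$1" app="$2" host="$3" thumbprint
  check_hostname "$host" || return 1

  # Step 1: the DNS record (A or CNAME) must already exist at the registrar.
  run az webapp config hostname add --resource-group "$rg" \
    --webapp-name "$app" --hostname "$host" || return 1

  # Step 2: create the App Service Managed Certificate, keep its thumbprint.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    run az webapp config ssl create --resource-group "$rg" --name "$app" --hostname "$host"
    thumbprint='<THUMBPRINT>'   # placeholder, only known after a real run
  else
    thumbprint="$(az webapp config ssl create --resource-group "$rg" \
      --name "$app" --hostname "$host" --query thumbprint --output tsv)"
    [ -n "$thumbprint" ] || { echo "no thumbprint returned" >&2; return 1; }
  fi

  # Step 3: bind the certificate to the custom domain.
  run az webapp config ssl bind --resource-group "$rg" --name "$app" \
    --certificate-thumbprint "$thumbprint" --ssl-type "${SSL_TYPE:-SNI}"
}

# Only act when called with all three arguments.
if [ "$#" -eq 3 ]; then enable_managed_cert "$@"; fi
```

Running it with `DRY_RUN=1` first shows the three `az` commands that would be issued for the given app and hostname.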