Secure your Azure App Service using free SSL / TLS Certificates

Yesterday, Microsoft announced one of the most requested features of Azure App Services at Ignite: Free Transport Layer Security (TLS) for Azure App Service.

The free App Service Managed Certificate is a fully functional SSL certificate that is managed by Azure and gets automatically renewed. Since this is a free offering, it also comes with some limitations:

  • Does not support wildcard certificates
  • Does not support apex domains (only sub-domains)
  • Does not support the export of the certificate

Also, I was not able to create the SSL Certificate on an App Service Plan hosted in North Europe. For now, I had to choose Central US.

Create a free certificate using the Azure Portal

Before you can create the free certificate, you have to add a custom domain. Right now, you have to use either an A or a CNAME record (credits to Joonas W).

For my example, I added the domain ssl.mbrandl.com using a CNAME to mbrandl.azurewebsites.net. This is what the record looks like on GoDaddy (my domain registrar):

godaddy.PNG

And this is what it looks like in the Azure Portal after I assigned the custom domain. As you can see, the SSL state is “Not Secure”:

sslnotsecure.png

Now let’s add the free certificate by selecting TLS/SSL settings (1) from the left navigation of our app. On the next screen, click on the Private Key Certificates (.pfx) (2) tab and then on the Create App Service Managed Certificate (3) button:

123.png

Now we can select our custom domain from the dropdown (1) and click on the Create button (2) to create a free certificate:

12.png

When the operation completes, we will see the certificate in the Private Key Certificates list:

healthy.png

Add the SSL binding

We have now created a free certificate for our Web App, but we still need to add an SSL binding to our custom domain. We can do this on the Custom domains (1) page by clicking on the Add binding (2) link next to our custom domain:

addbinding.png

On the next page, we have to select our Custom domain (1) and the Private Certificate Thumbprint (2) from the dropdowns, choose a TLS/SSL Type (3) and click on the Add Binding button (4):

tLSbinding.png

That’s it, our site is now secured using TLS by a free App Service Managed Certificate. You can see the certificate live in action here. This is what it looks like:

ssl1ssl2

For additional reference, see the documentation.
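
The portal steps above (custom domain, managed certificate, SNI binding) can also be scripted with the Azure CLI. The script below is an added example, not part of the original post: the function names and the resource group, app and hostname values are placeholders, it assumes the certificate's subjectName equals the hostname, and it checks the hostname against the limitations listed earlier before calling Azure.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): CLI equivalent of the portal steps.
# Function names and all argument values are placeholders chosen for illustration.

# Reject hostnames the free managed certificate cannot cover, per the limits
# listed in the post: no wildcards, no apex domains (sub-domains only).
# $1 = hostname to secure, $2 = registered domain (DNS zone) it belongs to.
check_hostname() {
  local host="$1" zone="$2"
  case "$host" in
    \**) echo "wildcard hostnames are not supported" >&2; return 1 ;;
  esac
  if [ "$host" = "$zone" ]; then
    echo "apex domains are not supported, use a sub-domain" >&2; return 1
  fi
  case "$host" in
    *."$zone") return 0 ;;
    *) echo "$host is not a sub-domain of $zone" >&2; return 1 ;;
  esac
}

# $1 = resource group, $2 = web app name, $3 = hostname, $4 = DNS zone.
# Prints the thumbprint of the bound certificate on success.
secure_app() {
  local rg="$1" app="$2" host="$3" zone="$4" thumb
  check_hostname "$host" "$zone" || return 1
  # 1. Assign the custom domain (the A or CNAME record must already exist).
  az webapp config hostname add --resource-group "$rg" --webapp-name "$app" \
    --hostname "$host" >/dev/null || return 1
  # 2. Create the free App Service Managed Certificate for that hostname.
  az webapp config ssl create --resource-group "$rg" --name "$app" \
    --hostname "$host" >/dev/null || return 1
  # 3. Look up its thumbprint (assumes subjectName equals the hostname).
  thumb=$(az webapp config ssl list --resource-group "$rg" \
    --query "[?subjectName=='$host'].thumbprint | [0]" --output tsv) || return 1
  [ -n "$thumb" ] || { echo "no certificate found for $host" >&2; return 1; }
  # 4. Add the SNI-based TLS/SSL binding for the custom domain.
  az webapp config ssl bind --resource-group "$rg" --name "$app" \
    --certificate-thumbprint "$thumb" --ssl-type SNI >/dev/null || return 1
  echo "$thumb"
}

# Usage (placeholder values):
#   secure_app my-resource-group my-app ssl.example.com example.com
```

Confirm afterwards that the SSL state of the custom domain has changed from “Not Secure” in the portal.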