Azure App Service Team Blog


Installing public certificates in App Service

Introduction

Today, we are announcing the support for installing public certificates in personal certificate stores. We are currently building a user-friendly experience to expose this functionality via Azure portal. In the meantime, you can use ARMClient/Azure Resource Explorer/Azure PowerShell/Azure CLI for calling the corresponding backend APIs to use this feature right away. For this blogpost, I will be using ARMClient to demo these APIs.

Details

To support public certificates, we have created a new ARM resource type called ‘sites/publicCertificates’ under ‘Microsoft.Web’ resource provider. Each instance of this resource represents a certificate installed in your App Service. To install a public certificate, you can call the following PUT API on an existing App Service:

ARMClient PUT https://management.azure.com/subscriptions/fb2c25dc-6bab-45c4-8cc9-cece7c42a95a/resourcegroups/publiccertificaterg/providers/Microsoft.Web/sites/publiccertificatedemo/publicCertificates/currentuser1?api-version=2016-02-01 "{'Properties':{'Blob':'<base64-encoded .cer contents>','publicCertificateLocation':'CurrentUserMy'}}"

Parameters:
/subscriptions/…/sites/publiccertificatedemo: Resource ID of the App Service that will use the public certificate. This App Service must be in a dedicated App Service Plan.
publicCertificates/currentuser1: User-friendly name of the ‘sites/publicCertificates’ resource that represents this public certificate.
blob: Base64-encoded contents of a .cer file containing the public certificate.
publicCertificateLocation: Location in the Windows certificate store where this certificate will be installed. Only ‘CurrentUserMy’ is supported on public scale units. If your site is inside an App Service Environment, you can also use ‘LocalMachineMy’.
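As an added example (not code from this post or from the App Service team), the following Python builds the same PUT request that the ARMClient line above sends: it accepts a .cer in PEM or DER form, refuses input that carries a private key or is a PKCS#12 container, checks publicCertificateLocation against the two documented values, and renders the resulting ARMClient command. Sending the request still needs an ARM bearer token via ARMClient, Azure PowerShell or Azure CLI as the post describes; the certificate bytes and resource names used here are constructed placeholders.

```python
import base64
import json

# Locations the post documents; LocalMachineMy is only valid inside an
# App Service Environment, which this offline check cannot verify.
ALLOWED_LOCATIONS = {"CurrentUserMy", "LocalMachineMy"}
API_VERSION = "2016-02-01"


def certificate_to_der(data: bytes) -> bytes:
    """Return DER bytes for a .cer given as PEM or DER, rejecting anything
    that carries a private key: this API is for public certificates only."""
    if b"PRIVATE KEY" in data:
        raise ValueError("input contains a private key block; upload only the public .cer")
    if b"-----BEGIN CERTIFICATE-----" in data:
        pem = data.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
        pem = pem.split(b"-----END CERTIFICATE-----", 1)[0]
        data = base64.b64decode(b"".join(pem.split()))
    # X.509 is SEQUENCE { SEQUENCE tbsCertificate, ... }; a PKCS#12 (.pfx)
    # bundle is SEQUENCE { INTEGER version, ... }, so the tag right after the
    # outer header tells a public certificate from a key-bearing container.
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    hdr = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)  # short/long length form
    if len(data) <= hdr or data[hdr] != 0x30:
        raise ValueError("DER object is not an X.509 certificate (PKCS#12/.pfx?)")
    return data


def build_put_request(subscription_id, resource_group, site_name, cert_name,
                      cer_bytes, location="CurrentUserMy"):
    """Build the URL and JSON body of the sites/publicCertificates PUT."""
    if location not in ALLOWED_LOCATIONS:
        raise ValueError(f"publicCertificateLocation must be one of {sorted(ALLOWED_LOCATIONS)}")
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourcegroups/{resource_group}/providers/Microsoft.Web"
           f"/sites/{site_name}/publicCertificates/{cert_name}?api-version={API_VERSION}")
    blob = base64.b64encode(certificate_to_der(cer_bytes)).decode("ascii")
    return url, {"Properties": {"Blob": blob, "publicCertificateLocation": location}}


def armclient_command(url, body):
    """Render the request as the post's ARMClient line (single-quoted JSON inside double quotes)."""
    return 'ARMClient PUT ' + url + ' "' + json.dumps(body).replace('"', "'") + '"'


# Constructed placeholder with a certificate's outer/inner SEQUENCE shape;
# not a real certificate, substitute the bytes of your own .cer file.
SAMPLE_CER = b"\x30\x08\x30\x06\x02\x01\x01\x02\x01\x02"
```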

I have written a simple ASP.NET page that lists all certificates in the CurrentUser-Personal certificate store.

using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // CurrentUser\My is the store that publicCertificateLocation = CurrentUserMy installs into.
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    foreach (var certificate in store.Certificates)
    {
        // HTML-encode the subject before writing it into the page; a DN can contain markup characters.
        Response.Write(string.Format("Subject:{0} Thumbprint:{1} SerialNumber:{2} HasPrivateKey:{3} <br />",
            HttpUtility.HtmlEncode(certificate.Subject), certificate.Thumbprint, certificate.SerialNumber, certificate.HasPrivateKey));
    }
    store.Close();
}

Here is a screenshot of this App Service after executing the ARMClient command shared above.

Similarly, we can execute the following ARMClient command to install another public certificate in CurrentUser-Personal certificate store:

ARMClient PUT https://management.azure.com/subscriptions/fb2c25dc-6bab-45c4-8cc9-cece7c42a95a/resourcegroups/publiccertificaterg/providers/Microsoft.Web/sites/publiccertificatedemo/publicCertificates/currentuser2?api-version=2016-02-01 "{'Properties':{'Blob':'MI…nc','publicCertificateLocation':'CurrentUserMy'}}"

Since ‘sites/publicCertificates’ is an ARM resource, you can call other standard ARM APIs to perform CRUD operations.

List all public certificates inside an App Service:
ARMClient GET https://management.azure.com/subscriptions/fb2c25dc-6bab-45c4-8cc9-cece7c42a95a/resourcegroups/publiccertificaterg/providers/Microsoft.Web/sites/publiccertificatedemo/publicCertificates?api-version=2016-02-01

Remove a specific public certificate:
ARMClient DELETE https://management.azure.com/subscriptions/fb2c25dc-6bab-45c4-8cc9-cece7c42a95a/resourcegroups/publiccertificaterg/providers/Microsoft.Web/sites/publiccertificatedemo/publicCertificates/currentuser2?api-version=2016-02-01

ARM Template

You can use the following ARM template for installing a public certificate inside an existing App Service.

https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-public-certificate

Getting in touch

Please give this feature a try and let us know your thoughts. If you run into any issues or have any comments, please let us know on the App Service forum.