Azure App Service Team Blog


Installing public certificates in App Service


Today, we are announcing support for installing public certificates in personal certificate stores. We are currently building a user-friendly experience to expose this functionality via the Azure portal. In the meantime, you can use ARMClient, Azure Resource Explorer, Azure PowerShell or Azure CLI to call the corresponding backend APIs and use this feature right away. For this blog post, I will be using ARMClient to demo these APIs.


To support public certificates, we have created a new ARM resource type called ‘sites/publicCertificates’ under the ‘Microsoft.Web’ resource provider. Each instance of this resource represents a certificate installed in your App Service. To install a public certificate, you can call the following PUT API on an existing App Service:

ARMClient PUT  "{'Properties':{'Blob':'<Base64-encoded .cer file>','publicCertificateLocation':'CurrentUserMy'}}"

/subscriptions/…/sites/publiccertificatedemo: Resource Id of the App Service that would be using the public certificate. This App Service needs to be in a dedicated App Service Plan.
publicCertificates/currentuser1: User-friendly name of the ‘sites/publicCertificates’ resource that represents this public certificate.
blob: Base64-encoded .cer file that contains a public certificate.
publicCertificateLocation: Location in the Windows certificate store where this certificate will be installed. We only support ‘CurrentUserMy’ for public scale units. If your site is inside an App Service Environment, then you can also use ‘LocalMachineMy’.
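The request body described above can be built and checked before it is sent. The following is an added example, not code from the original post or from the App Service team: it refuses files that carry private key material or that are not a single certificate, and enforces the location rule stated above. The function names, the `in_ase` flag and the choice to unwrap PEM files to DER before encoding are assumptions.

```python
import base64
import json
import re

# Store locations named in the post; LocalMachineMy only inside an App Service Environment.
ALLOWED_LOCATIONS = {"CurrentUserMy", "LocalMachineMy"}
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Constructed stub with the outer shape of a certificate (SEQUENCE { SEQUENCE ... }); not a real certificate.
SAMPLE_DER = bytes.fromhex("30053003020102")


def cer_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a single public certificate, or raise ValueError."""
    if b"PRIVATE KEY-----" in data:
        raise ValueError("file contains private key material")
    blocks = PEM_CERT.findall(data)
    if len(blocks) > 1:
        raise ValueError("more than one certificate in file")
    if blocks:  # PEM text (.cer exported as Base-64): unwrap to DER (assumption)
        data = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if len(data) < 4 or data[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    if data[1] < 0x80:  # short-form length
        header, length = 2, data[1]
    else:  # long-form length: low 7 bits give the number of length bytes
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported DER length")
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if length == 0 or header + length != len(data):
        raise ValueError("truncated file or trailing data")
    # A certificate starts with tbsCertificate (a SEQUENCE); PKCS#12/PFX starts with an INTEGER version.
    if data[header] != 0x30:
        raise ValueError("not a certificate (PFX or other container?)")
    return data


def build_put_body(cer_bytes: bytes, location: str, in_ase: bool = False) -> str:
    """Build the JSON body for the PUT described in the post."""
    if location not in ALLOWED_LOCATIONS:
        raise ValueError("unknown publicCertificateLocation: %r" % location)
    if location == "LocalMachineMy" and not in_ase:
        raise ValueError("LocalMachineMy requires an App Service Environment")
    blob = base64.b64encode(cer_to_der(cer_bytes)).decode("ascii")
    return json.dumps({"Properties": {"Blob": blob, "publicCertificateLocation": location}})


if __name__ == "__main__":
    print(build_put_body(SAMPLE_DER, "CurrentUserMy"))
```

The structural check only looks at the outer ASN.1 shape; it does not validate the certificate's signature, validity period or issuer.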

I have written a simple page that lists all certificates in the CurrentUser-Personal certificate store.

protected void Page_Load(object sender, EventArgs e)
{
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); // from System.Security.Cryptography.X509Certificates
    store.Open(OpenFlags.ReadOnly); // open the store read-only before enumerating it
    foreach (var certificate in store.Certificates)
        Response.Write(string.Format("Subject:{0} Thumbprint:{1} SerialNumber:{2} HasPrivateKey:{3} <br />", certificate.Subject, certificate.Thumbprint, certificate.SerialNumber, certificate.HasPrivateKey));
    store.Close();
}

Here is a screenshot of this App Service after executing the ARM client command shared above.

Similarly, we can execute the following ARMClient command to install another public certificate in the CurrentUser-Personal certificate store:

ARMClient PUT  "{'Properties':{'Blob':'MI…nc','publicCertificateLocation':'CurrentUserMy'}}"

Since ‘sites/publicCertificates’ is an ARM resource, you can call other standard ARM APIs to perform CRUD operations.

List all public certificates inside an App Service:

Remove a specific public certificate:

ARM Template

You can use the following ARM template for installing a public certificate inside an existing App Service.

Getting in touch

Please give this feature a try and let us know your thoughts. If you run into any issues or have any comments, please let us know on the App Service forum.