Azure App Service Team Blog


Configure App Service Certificate to Azure Virtual machine with Windows or Linux OS

App Service Certificates can be used with other Azure services, not just App Service Web Apps. This tutorial shows you how to secure your web app by purchasing an SSL certificate through App Service Certificates, storing it securely in Azure Key Vault, verifying the domain, and configuring it on your virtual machine. Before you begin, log in to the Azure portal at https://portal.azure.com.

Step 1 : Create an Azure Virtual machine with IIS web server

Create an Azure virtual machine with IIS from the Azure Marketplace or with the Azure CLI.

Step 2 : Add a Custom domain to your virtual machine

Purchase a new domain and assign it to your Azure virtual machine. For more details, click here.

Step 3 : Place an SSL Certificate order

You can place an SSL Certificate order by creating a new App Service Certificate in the Azure portal. Enter a friendly name for your SSL certificate and enter the domain name in Step 1. DO NOT add WWW to the host name.

Certificate Creation

Step 4 : Store the certificate in Azure Key Vault

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. Once the SSL Certificate purchase is complete, open the App Service Certificates page. The current status of the certificate is "Pending Issuance". Complete the steps below to have an active certificate ready to use.

Click Certificate Configuration inside the Certificate Properties page and click Step 1: Store to store this certificate in Azure Key Vault.


From the Key Vault Status page, click Key Vault Repository to choose an existing Key Vault to store this certificate in, OR click Create New Key Vault to create a new Key Vault inside the same subscription and resource group.

Note : Azure Key Vault has minimal charges for storing this certificate. For more information, see Azure Key Vault Pricing Details.

Once you have selected the Key Vault Repository to store this certificate in, the Store option should show success.



Step 5 : Prepare the Virtual machine for adding the certificate

Get the Key Vault information for your SSL certificate resource under Certificate Configuration.

Windows OS :

To add the certificate from Key Vault to a VM with Azure PowerShell, obtain the ID of your certificate with Get-AzureKeyVaultSecret. Then add the certificate to the VM with Add-AzureRmVMSecret. Replace $keyVaultName with the name of the Key Vault that holds the App Service Certificate. $certURL is the URL of the Key Vault secret that contains the certificate.

# URL of the Key Vault secret that holds the certificate ("mycert" is the secret name)
$certURL = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name "mycert").Id
$vm = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name "myVM"
$vaultId = (Get-AzureRmKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
# Inject the certificate into the VM's personal ("My") certificate store and apply the change
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "My" -CertificateUrl $certURL
Update-AzureRmVM -ResourceGroupName $resourceGroup -VM $vm

Configure the IIS web server to use the certificate: use the Custom Script Extension with Set-AzureRmVMExtension to update the IIS configuration. This update applies the certificate injected from Key Vault to IIS and configures the web binding:

# Script downloaded and run inside the VM by the Custom Script Extension
$publicSettings = '{
 "fileUris":["https://raw.githubusercontent.com/iainfoulds/azure-samples/master/secure-iis.ps1"],
 "commandToExecute":"powershell -ExecutionPolicy Unrestricted -File secure-iis.ps1"
}'

Set-AzureRmVMExtension -ResourceGroupName $resourceGroup `
 -ExtensionName "IIS" `
 -VMName "myVM" `
 -Location $location `
 -Publisher "Microsoft.Compute" `
 -ExtensionType "CustomScriptExtension" `
 -TypeHandlerVersion "1.8" `
 -SettingString $publicSettings

Linux OS :

To use the certificate during the VM create process, obtain the ID of your certificate with az keyvault secret list-versions. Then convert the certificate into the format az vm create expects with az vm format-secret.

secret=$(az keyvault secret list-versions \
 --vault-name $keyvault_name \
 --name mycert \
 --query "[?attributes.enabled].id" --output tsv)
vm_secret=$(az vm format-secret --secret "$secret")

Cloud-init is a widely used approach to customize a Linux VM as it boots for the first time. You can use cloud-init to install packages and write files, or to configure users and security. As cloud-init runs during the initial boot process, there are no additional steps or required agents to apply your configuration.

When you create a VM, certificates and keys are stored in the protected /var/lib/waagent/ directory. To automate adding the certificate to the VM and configuring the web server, use cloud-init. In this example, we install and configure the NGINX web server. You can use the same process to install and configure Apache.

Create a file named cloud-init-web-server.txt and paste the following configuration:

#cloud-config
package_upgrade: true
packages:
  - nginx
# One write_files entry: owner, path and content belong to the same item
write_files:
  - owner: www-data:www-data
    path: /etc/nginx/sites-available/default
    content: |
      server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/mycert.cert;
        ssl_certificate_key /etc/nginx/ssl/mycert.prv;
      }
runcmd:
  # The agent names the injected pair <thumbprint>.prv / <thumbprint>.crt; strip the extension
  - secretsname=$(find /var/lib/waagent/ -name "*.prv" | cut -c -57)
  - mkdir /etc/nginx/ssl
  - cp $secretsname.crt /etc/nginx/ssl/mycert.cert
  - cp $secretsname.prv /etc/nginx/ssl/mycert.prv
  - service nginx restart
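The runcmd above recovers the thumbprint-named base of the injected key pair with cut -c -57, which only holds for exactly /var/lib/waagent/ plus a 40-character thumbprint and silently misbehaves if more than one secret was injected. The following POSIX sh function is an added example (not part of the original post or of the Azure Linux agent) that does the same install step defensively: it takes the base name from the .prv path itself, requires exactly one pair, checks the thumbprint shape, and keeps the private key mode 0600. The <thumbprint>.prv/.crt naming is taken from the page's own find/cp lines; the function name and arguments are assumptions.

```shell
#!/bin/sh
# install_waagent_cert <waagent_dir> <dest_dir>
# Copies the agent-injected certificate pair into <dest_dir> as mycert.cert / mycert.prv
# and prints the thumbprint. Hypothetical helper; not part of cloud-init or waagent.
install_waagent_cert() {
  waagent_dir=$1
  dest_dir=$2

  # Require exactly one injected key: several .prv files would make "$secretsname.crt" ambiguous.
  prv_count=$(find "$waagent_dir" -maxdepth 1 -name '*.prv' | wc -l | tr -d ' ')
  if [ "$prv_count" -ne 1 ]; then
    echo "expected exactly one .prv in $waagent_dir, found $prv_count" >&2
    return 1
  fi
  prv=$(find "$waagent_dir" -maxdepth 1 -name '*.prv')
  base=${prv%.prv}          # strip the extension instead of counting characters
  thumb=$(basename "$base")

  # The agent names the pair after the certificate thumbprint: 40 hex characters.
  case "$thumb" in
    ""|*[!0-9A-Fa-f]*) echo "unexpected file name: $prv" >&2; return 1 ;;
  esac
  [ "${#thumb}" -eq 40 ] || { echo "bad thumbprint length: $thumb" >&2; return 1; }

  # The matching certificate must sit beside the key.
  [ -f "$base.crt" ] || { echo "missing certificate $base.crt" >&2; return 1; }

  mkdir -p "$dest_dir"
  cp "$base.crt" "$dest_dir/mycert.cert"
  cp "$base.prv" "$dest_dir/mycert.prv"
  chmod 0644 "$dest_dir/mycert.cert"
  chmod 0600 "$dest_dir/mycert.prv"   # private key must not be world-readable
  echo "$thumb"
}
```

In the cloud-config this replaces the find/cp lines of runcmd; a non-zero return leaves NGINX without a binding rather than pointing it at the wrong files.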

The certificate data is injected from Key Vault with the --secrets parameter. You pass in the cloud-init config with the --custom-data parameter:

az vm create \
 --resource-group myResourceGroupSecureWeb \
 --name myVM \
 --image UbuntuLTS \
 --admin-username azureuser \
 --generate-ssh-keys \
 --custom-data cloud-init-web-server.txt \
 --secrets "$vm_secret"

It takes a few minutes for the VM to be created, the packages to install, and the app to start. To allow secure web traffic to reach your VM, open port 443 from the Internet with az vm open-port:

az vm open-port \
 --resource-group myResourceGroupSecureWeb \
 --name myVM \
 --port 443

Step 7 : Browse your secure app

You have now configured SSL for the web server on your Azure virtual machine with a custom domain. Browse your web app over HTTPS using the virtual machine's custom domain.
