Azure App Service Team Blog

How the App Service team functions

Configure App Service Certificate to Azure Virtual machines

App Service Certificate can be used for other Azure service and not just App Service Web App. This tutorial shows you how to secure your web app by purchasing an SSL certificate using App Service Certificates ,  securely storing it in Azure Key Vault  , domain verification and configuring it your virtual machine . Before your begin log in to the Azure portal at https://portal.azure.com

Step 1 : Create an Azure Virtual machine with IIS web server

Create an Azure virtual machine with IIS from Azure marketplace or with Azure CLI  .

Step 2 : Add a Custom domain to your virtual machine

Purchase a new domain and assign it your Azure virtual machine. For more details , click here .

Step 3 : Place an SSL Certificate order

You can place an SSL Certificate order by creating a new App Service Certificate In the Azure portal. Enter a friendly Name for your SSL certificate and enter the Domain Name in Step 1 . DO NOT append the Host name with WWW.

Certificate Creation

Step 4 – Store the certificate in Azure Key Vault

Key Vault is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. Once the SSL Certificate purchase is complete, you need to open the App Service Certificates page.  The current status of the certificate  is “Pending Issuance” . Complete the steps below to have an active certificate ready to use. 

Click Certificate Configuration inside the Certificate Properties page and Click on Step 1: Store to store this certificate in Azure Key Vault.

insert image of ready to store in KV

From the Key Vault Status page, click Key Vault Repository to choose an existing Key Vault to store this certificate OR Create New Key Vault to create new Key Vault inside same subscription and resource group.

Note :  Azure Key Vault has minimal charges for storing this certificate. For more information, see Azure Key Vault Pricing Details.

Once you have selected the Key Vault Repository to store this certificate in, the Store option should show success.

insert image of store success in KV

 

Step 5 : Verify the domain ownership

From the same Certificate Configuration page you used in Step 3, click Step 2: VerifyChoose the preferred domain verification method.

There are four types of domain verification supported by App Service Certificates: App Service, Domain, Mail, and Manual Verification. These verification types are explained in more details in the Advanced section.

Step 6 : Assign certificate to Virtual machine

Before performing the steps in this section dedicated for Virtual machine , you must have :

  1. associated a custom domain name with your app on the virtual machine. For more information, see Configuring a custom domain name for a web app.
  2. Make sure Key Vault has appropriate permissions to be used with Virtual machine . For more information , see Using MSI with Key Vault on Virtual machine

Here are the instructions to assign the certificate to the virtual machine

An issued App Service certificate may be used on any App Service Web App. Follow the steps below to assign the certificate to an App Service App.
    1. Get the Key Vault information for your SSL certificate resource under certificate configuration.
    2. Prepare and Configure the virtual machine to add the Certificate.
    An App Service Certificate can be used on multiple Azure Virtual Machines.Learn more

    References

    Internals of App Service Certificates

    Get started with Azure Key Vault