9
votes

I have an Azure Web App that communicates with a third party API, which uses OAuth 1.0a or similar and as part of that requires an SSL certificate. The provided SSL certificate I need to use comes with its own certificate chain (root, intermediate and SSL certificate).

I have exported the certificate chain to a .pfx file and uploaded it into the SSL certificates section in the Azure Preview Portal and am using WEBSITE_LOAD_CERTIFICATES * in the App settings.

The problem is that the root and interim certificates do not get imported. Is this expected behavior and how do I fix it? Or is this something not supported by Azure Web Apps?

Edit:

The way I export the certificate chain is using PowerShell:

Export-PfxCertificate -Force `
                      -ChainOption BuildChain `
                      -Cert cert:\localmachine\my\#mythumbprint# `
                      -FilePath c:\temp\myexport.pfx `
                      -Password $(ConvertTo-SecureString -String "password" -Force -AsPlainText)
1
Should you not be using -ChainOption BuildChain? From the documentation: EndEntityCertOnly: Only end entity certificates are exported without any chain. - theadriangreen
@theadriangreen Copy pasted the wrong thing. I am indeed using BuildChain - Ivan Zlatev
Did you try with mmc->certificates? - Bruno Faria
mmc and powershell produce the same pfx output. - Ivan Zlatev

1 Answer

2
votes

This is not expected behavior. According to this blog post, intermediate and chain certificates should be automatically imported and configured, assuming that your cert was uploaded after a certain date: http://azure.microsoft.com/blog/2015/06/01/intermediate-tls-certificates-for-azure-app-service-web-apps/

(If it's still not working, it may be indicative of an underlying platform problem, in which case the best approach is to post on the official Azure App Service MSDN forum.)
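
To tell an export problem apart from a platform problem before uploading, the .pfx can be inspected locally. This is an added example, not code from the posts above; the function name Get-PfxChainReport is hypothetical. It builds the chain for the certificate that carries the private key and reports, per chain element, whether that certificate is actually inside the .pfx or was only resolved from the local machine's stores.

```powershell
# Added example. Get-PfxChainReport is a hypothetical helper name.
function Get-PfxChainReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # X509Certificate2Collection.Import takes a plain string password.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    # EphemeralKeySet keeps the private key out of the on-disk key store
    # (needs .NET Framework 4.7.2+ or PowerShell 7 on Windows).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $pfx.Import($Path, $plain, $flags)

    # The end-entity certificate is the one exported with its private key.
    $leaf = $pfx | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $Path" }

    # Build the chain, offering the PFX contents as candidate issuers.
    # The local machine stores are still consulted, which is why a chain
    # can build here even when the PFX holds only the leaf.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.ChainPolicy.ExtraStore.AddRange($pfx)
    $built = $chain.Build($leaf)

    $inPfx = @($pfx | ForEach-Object Thumbprint)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $role = if ($c.Thumbprint -eq $leaf.Thumbprint) { 'Leaf' }
                elseif ($c.Subject -eq $c.Issuer)       { 'Root' }
                else                                    { 'Intermediate' }
        [pscustomobject]@{
            Role       = $role
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            InPfx      = $inPfx -contains $c.Thumbprint
            ChainBuilt = $built
        }
    }
}

# Usage, with the export path from the question:
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Get-PfxChainReport -Path c:\temp\myexport.pfx -Password $pw | Format-Table -AutoSize
```

A row with InPfx = False means that certificate is not in the file and cannot reach the Web App through the upload; if every row shows True, the export is complete and the missing chain points at the platform side.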