How to add a certificate to an Azure RM website with Powershell

2
votes

Lightly related to How to add an SSL certificate to an azure website using powershell?

I am trying to add a certificate to an Azure RM website via Powershell.

I don't think there is a direct Azure Powershell command, and it will need to be done via New-AzureRmResource

3
azureazure-web-app-serviceazure-powershellazure-resource-manager
I have posted the solution here.Raja Chava

3 Answers

4
votes

In the latest release of Azure PowerShell v 1.1.0, there is a number of new commands to handle SSL certificates in Azure Web Apps

You can upload the certificate and bind it to hostname using

New-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -CertificateFilePath PathToPfxFile -CertificatePassword PlainTextPwd -Name www.contoso.com

And then remove the binding but without removing the certificate, the app should be able to use it after you add a app setting referencing that cert (this should be done using the portal - the PowerShell command to do so will come soon - No ETA for now)

Remove-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -Name www.contoso.com -DeleteCertificate $false
4
votes

Looking through the ARM Template the "Microsoft.Web/certificates" template takes a pfxblob and a password.

It seems the easiest way of obtaining a pfxblob is via New-AzureRmApplicationGatewaySslCertificate (thanks to @vigneshaj for the pointer) reading the source, it seems that this is simply a local conversation cmdlet. So it doesn't matter that it is for an application gateway, all we need is the data it passes back. 

$pfx = New-AzureRmApplicationGatewaySslCertificate -Name example `
        -CertificateFile E:\PS\example.pfx `
        -Password "bananas"

Once we have that data, we can simply plug it into New-AzureRmResource and it will create our certificate on Azure.

The small problem with this, is that if you're a cheapskate (like me) and you've obtained a free cert from that Chinese CA that gives sha256 certs, this process will strip off the certificate that signs pages with sha256, and so it falls back to TLS 1.2, which gives errors (on Chrome at least) 

$ResourceLocation = "West Europe"
$ResourceName = "Newcertificate"
$PropertiesObject = @{
pfxBlob = $pfx.Data
password = $pfx.Password 
}

New-AzureRmResource -Name $ResourceName -Location $ResourceLocation `
                    -PropertyObject $PropertiesObject `
                    -ResourceGroupName examplecomRG `
                    -ResourceType Microsoft.Web/certificates `
                    -ApiVersion 2015-08-01 -Force

The next job from there is configuring your Web App to use that cert. Because these properties are child objects of the hostNameSslStates array I created an inner hash table, and then attached that. I'm sure there's a more elegant way, but this worked! 

$ResourceName = "ConfuseioWebapp"
$InnerPropertiesObject = @{
        name = "www.example.com"
        sslState = 1
        thumbprint = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
      }
$PropertiesObject = @{
    "hostNameSslStates" = [Object[]]$InnerPropertiesObject 
}

New-AzureRmResource -Name $ResourceName `
                    -Location $ResourceLocation `
                    -PropertyObject $PropertiesObject `
                    -ResourceGroupName examplecomRG `
                    -ResourceType Microsoft.Web/sites `
                    -ApiVersion 2015-08-01 -Force

And that is pretty much it.

1
votes

I came across the below article, which configures SSL through powershell, by creating Azure Application Gateway

https://azure.microsoft.com/en-us/documentation/articles/application-gateway-ssl/