1
votes

We have our own certificate (.pfx) issued by an authority before using Azure. We are now using Azure and would like to be able to use this certificate for all our app services.

I know we can upload them in the "SSL settings" section of the app service. But the problem is that we have to upload it in every single app service that we have. If we renew our certificates we need to go through all the apps and upload the new certificate again one by one.

What I am looking for is a place (like "App Service Certificates") where we can upload our certificate once and let the apps use it. It's ideal for us not to change apps if we renew our certificate and upload it again in that centralised place, wherever it is.

In the "App Service Certificates" blade, I see that we can only order a certificate and can't upload our own certificate. Is it even possible to do it there or should I be looking at some custom solutions?

BTW, we are using ARM templates to deploy our infrastructure and app services, any hints in ARM templates regarding SSL would be appreciated.

1
You could look at making use of Azure Key Vault for storing the certificate and refer to it from ARM templates. Try these links for step-by-step guidance: blogs.msdn.microsoft.com/appserviceteam/2016/05/24/… and docs.microsoft.com/en-us/azure/app-service/… - Rohit Saigal
@rohit-saigal If we renew our certificate, then we still need to go to the apps and re-deploy them to get the latest version from the key vault, am I right? BTW, the first link is broken. - hosjay
Key Vault may be able to solve the centralization concern for you. I'm not exactly sure if there is some way to tackle the renewal scenario as well, but AFAIK what you mention is correct: in case of renewal you will need to apply the certificates to the app services again. BTW, both links from my previous comment work for me. - Rohit Saigal

1 Answer

0
votes

You can use Key Vault and pull certificates from it using ARM templates (they have to be in the same subscription, though). You can use this snippet:

{
  "type": "Microsoft.Web/certificates",
  "name": "[parameters('certificateName')]",
  "apiVersion": "2016-03-01",
  "location": "[parameters('location')]",
  "properties": {
    "keyVaultId": "[parameters('existingKeyVaultId')]",
    "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]"
  }
},

https://github.com/Azure/azure-quickstart-templates/blob/master/webapp-keyvault-ssl/azuredeploy.json
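As an added example (not part of the answer above and not the quickstart's own template): a complete template that imports the Key Vault certificate once and binds it to several apps by thumbprint, so no app carries its own uploaded copy. The `bindings` and `existingServerFarmId` parameters are assumed names, and the apps, the plan and the certificate resource are assumed to be in the same resource group.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "certificateName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "existingKeyVaultId": { "type": "string" },
    "existingKeyVaultSecretName": { "type": "string" },
    "existingServerFarmId": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: resource ID of the App Service plan hosting the apps." }
    },
    "bindings": {
      "type": "array",
      "metadata": { "description": "Assumed parameter: [{ \"site\": \"<app name>\", \"hostName\": \"<custom domain>\" }, ...]" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/certificates",
      "name": "[parameters('certificateName')]",
      "apiVersion": "2016-03-01",
      "location": "[parameters('location')]",
      "properties": {
        "keyVaultId": "[parameters('existingKeyVaultId')]",
        "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]",
        "serverFarmId": "[parameters('existingServerFarmId')]"
      }
    },
    {
      "type": "Microsoft.Web/sites/hostNameBindings",
      "name": "[concat(parameters('bindings')[copyIndex()].site, '/', parameters('bindings')[copyIndex()].hostName)]",
      "apiVersion": "2016-08-01",
      "location": "[parameters('location')]",
      "copy": { "name": "sslBindings", "count": "[length(parameters('bindings'))]", "mode": "serial" },
      "dependsOn": [
        "[resourceId('Microsoft.Web/certificates', parameters('certificateName'))]"
      ],
      "properties": {
        "sslState": "SniEnabled",
        "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', parameters('certificateName'))).Thumbprint]"
      }
    }
  ]
}
```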