Azure web app website - to a custom domain - does it need SSL certificate upload every few months?

0
votes

I own a domain on hostgator - example.com

I have created a web app on Azure - example.azurewebsites.net

I have gone through this tutorial:

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain

And so now when I go to example.com - it loads the code from example.azurewebsites.net - awesome.

I then had to upload SSL certificates (manually taken from hostgator, saved to a text file - then converted to .pfx.)

This works fine. However, given that these certificates are updated by hostgator, and that they expire roughly every few months, am I meant to manually go through this process on Azure Add Custom Domains to upload certificates every few months?

It would be helpful if there was an automated way to do this.

1
azuresslazure-web-app-serviceazure-custom-domain
github.com/shibayan/appservice-acmebot - CSharpRocks
You could issue a new cert via Azure Key Vault through one of the supported commercial CAs and have auto-renewal so you never worry about this again. - evilSnobu
@evilSnobu this would cost though right? The certs from HG are free - JDT
Yes. See this for pricing - azure.microsoft.com/en-us/pricing/details/app-service/windows. You could use a scheduled Azure Function to check for cert expiration, call the HG REST API, get the new cert then update the App Service cert. Is this effort worth less than $60 a year? If so, go for it, else just buy a cert from Azure which supports proper renewal. - evilSnobu

1 Answers

0
votes

In Azure Key Vault, you can update a certificate's lifecycle attributes both before and after the time of certificate creation.

The following CAs are currently partnered providers with Key Vault:

DigiCert: Key Vault offers OV TLS/SSL certificates.
GlobalSign: Key Vault offers OV TLS/SSL certificates.

Key Vault auto-rotates certificates through established partnerships with CAs. Because Key Vault automatically requests and renews certificates through the partnership, auto-rotation capability is not applicable for certificates created with CAs that are not partnered with Key Vault.

For more details, you could refer to this article.