Azure Application Certificates

The Scenario

You have a PaaS Web application in Azure, Platform as a Service, and you want to add a certificate to secure data in transit, fair enough, it was possible before, difference now is, it can be done directly in the Azure Web Console

What they say it does:

  • Secure one Web App (root domain and WWW)2 names, the www, and the name
  • Secure one Web App and all its sub-domains (Wildcard SSL). Equal to *
  • 1 Year validity with auto renewal. 1 Year by default and not modifiable, compared to Lets Encrypt which has to be renewed every 3 months
  • A Domain Validated Certificates (DV). The easiest domain validation process I’ve ever come across, 1 click for validation and 2 records for configuration. Ready in 1/2 hour or less
  • By default, Certificates secrets are stored in Azure Key Vault. This is very handy, instead of storing the certificate with the vendor, right into the Azure Key Vault.
  • SHA-2 and 2048-bit encryption
  • 2^2048 equals = 3.231700607131100730071487668866995196044410266971548403213034542752465513886789×10 ^ 616

Good Luck breaking such a number this millennium.


  • An Azure Subscription (of course)
  • A Web app to install the Certificate
  • A Key Vault which can be created at the same time

The How-To

It’s fairly easy to get it as the pictures below show:

Create the Vault first

Create the App Certificate next

Set the name of the site to use the Certificate on, do not add WWW

Configure the Vault if you haven’t, Verify the domain and assign to the Webapp

Ownership verification request for this is received in your mailbox

You’d need to click on the link. And it will look like this:

The Certificate authority is GoDaddy, some people may not like this.

Once the previous steps are done, next is to assign to the Webapp

There’s an additional verification when adding it to the WebApp, I used two A records verification with my Name Register

Once the binding it’s done, it will look like below

This is the already issued certificate, with domain name and www mapped

Once all of the above is done, the certificate is added to the Web Application and good to go

The issued certificate installed on the Web App, running WordPress

What’s Next?

I read in multiple forums that, this certificate could not be used outside of Azure and decided to test those things, I read that the PFX can be exported and found and modified a script to get it. Which I did. I have the .PFX, the .PB7 and the .CER

What I will do next is to install the certificate in a VM and other webapp in a different tenant and see if it works, I do not see why I wouldn’t.

Live Site – Don’t guarantee it will always work