Certificates
Private certificates are used to secure custom domains. Public certificates are used to access remote resources. You can create, upload or import a private or public certificate into App Service.
| Type | Option | Description |
|---|---|---|
| private | create | Create a free certificate managed by Azure. |
| private | purchase | Purchase a private certificate with additional features over free. |
| private | import | Import from Key Vault. |
| private | upload | Upload a third-party certificate. |
| public | upload | Upload a public certificate. |
Private certificate requirements
Managed certificates already meet these requirements.
- PFX file
- Encrypted using triple DES
- Private key at least 2,048 bits
- Intermediate and root certificate included in chain
Additional requirements for TLS binding:
- Contains Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1)
- Signed by trusted certificate authority
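A check for the requirements above, as an added example that is not from the Azure documentation: a POSIX shell function using openssl (assumed on PATH, version 1.1.1 or 3.x) that reports whether a PFX is triple-DES encrypted, has a private key of at least 2,048 bits, carries the serverAuth EKU on the leaf, and includes every issuer up to a self-signed root. It cannot confirm that the issuer is a trusted CA, which needs a trust store.

```shell
#!/bin/sh
# check_pfx FILE PASSWORD: prints one line per App Service requirement and
# returns 0 only when every check passes. Constructed example, not Azure tooling.
check_pfx() {
  pfx="$1"; pw="$2"; fail=0

  # Leaf private key and all certificates in the bag, decrypted to PEM
  key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) \
    || { echo "FAIL cannot read PFX (wrong password or not PKCS#12)"; return 1; }
  certs=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys 2>/dev/null)

  # 1. Encrypted using triple DES. OpenSSL 3 exports with AES by default,
  #    which does not meet the requirement; -info names the PBE algorithm.
  if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -info -noout 2>&1 | grep -q 'TripleDES'; then
    echo "ok   PFX is triple-DES encrypted"
  else
    echo "FAIL PFX is not triple-DES encrypted"; fail=1
  fi

  # 2. Private key at least 2,048 bits ("Private-Key: (2048 bit ...)")
  bits=$(printf '%s\n' "$key" | openssl pkey -noout -text 2>/dev/null \
         | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
  if [ "${bits:-0}" -ge 2048 ]; then
    echo "ok   private key is $bits bits"
  else
    echo "FAIL private key is ${bits:-unknown} bits (need >= 2048)"; fail=1
  fi

  # 3. Leaf certificate carries the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1)
  if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null \
       | openssl x509 -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication'; then
    echo "ok   leaf EKU includes serverAuth"
  else
    echo "FAIL leaf certificate lacks the serverAuth EKU"; fail=1
  fi

  # 4. Chain complete: every issuer named in the bag is itself present, so the
  #    chain terminates in a self-signed root (issuer == subject of itself)
  missing=$(printf '%s\n' "$certs" | awk '
    /^subject=/ { subj[substr($0, 9)] = 1 }
    /^issuer=/  { iss[n++] = substr($0, 8) }
    END { m = 0; for (i = 0; i < n; i++) if (!(iss[i] in subj)) m++; print m }')
  if [ "${missing:-0}" -eq 0 ]; then
    echo "ok   intermediate and root certificates included"
  else
    echo "FAIL $missing certificate(s) have an issuer missing from the PFX"; fail=1
  fi
  return $fail
}
```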
Managed certificates
Managed certificates are TLS/SSL server certificates that App Service issues and maintains on your behalf. They are renewed automatically 45 days before expiration.
Free certificates are issued by DigiCert. For some domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.
Azure fully manages the certificates on your behalf, so any aspect of a managed certificate, including the root issuer, can change at any time. These changes are outside your control. Avoid hard dependencies on, and "pinning" of, the managed certificate or any part of its certificate hierarchy.
Limitations (free)
- No wildcard support
- No private DNS support
- No App Service Environment (ASE) support
- Only supports alphanumeric characters, dashes and periods
- Only supports domains up to 64 characters
- Cannot be exported
Bonuses (paid)
When using the paid managed certificate, Azure handles:
- Purchase process
- Domain verification
- Key Vault maintenance
- Renewal
- Synchronisation across imported copies in App Service apps
If you have an App Service certificate (paid) already, you can import it into App Service.