Configure TLS/SSL certificates

Create and configure Azure App Service

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

Securing web applications is a key responsibility of an Azure Administrator. One of the most important security tasks is enabling HTTPS using TLS/SSL certificates in Azure App Service.
This ensures that data sent between users and your web application is encrypted, trusted, and protected from interception.

This topic often appears in the AZ-104 exam, so you must clearly understand how certificates work in App Service, how to upload them, how to bind them, and how to manage them.

1. What is TLS/SSL in Azure App Service?

TLS/SSL (Transport Layer Security / Secure Sockets Layer) is the encryption technology used to secure communication between a user’s browser and your web app.

When you enable HTTPS for your App Service:

  • Data is encrypted.
  • Users can confirm your site identity.
  • The browser displays HTTPS with a secure padlock.
  • Your site improves security compliance standards.

Azure App Service supports SSL for custom domains — meaning you must configure TLS/SSL when you bring your own domain, such as:

www.companyapp.com
portal.company.com

2. Types of Certificates Supported in Azure App Service

Azure App Service supports two main certificate types:

(1) Public Certificates

Used by your web app to prove its identity to clients.

Azure supports:

a. Private Certificates (Recommended)

These contain a private key and are used for HTTPS bindings.

Formats supported:

  • .pfx (with password)

You can:

  • Upload your own certificate
  • Purchase from Azure
  • Import from Azure Key Vault

b. Free App Service Managed Certificate

  • Completely free
  • Auto-renewed
  • Good for simple HTTPS setups
  • Only supports domain validation (DV)
  • Not allowed for wildcard domains (e.g., *.contoso.com)
  • Not allowed for root domain (e.g., contoso.com) unless DNS is managed in Azure DNS

(2) Private Certificates for Client Authentication

These allow your app to authenticate incoming client certificates (mutual TLS).

3. Ways to Get Certificates in Azure App Service

Azure offers several methods for obtaining and using TLS/SSL certificates:

A. App Service Managed Certificate (Free)

Azure generates a free certificate for you.

Key points for the exam:

  • Free but only supports basic SSL (TLS).
  • Cannot be exported.
  • Cannot be used for wildcard or SAN certificates.
  • Auto-renew every 6 months.
  • Must use Azure DNS for DNS-based domain validation.

Used when you need a quick HTTPS setup.

B. Bring Your Own Certificate (BYOC)

You can upload your own .pfx certificate.

Where can you get certificates?

  • Third-party CA (GoDaddy, DigiCert, GlobalSign)
  • Internal enterprise CA
  • Azure Key Vault

Exam tip:
Only .pfx format certificates with private key can be used for SSL bindings.

C. Buy a Certificate from Azure

Azure allows you to buy certificates directly in the portal.

Features:

  • Automatically stored as Key Vault secret
  • Can be auto-renewed
  • Uses DigiCert as certificate provider

4. Uploading and Managing Certificates

To upload a certificate:

Go to:
App ServiceTLS/SSL SettingsPrivate Key Certificates (.pfx)Upload Certificate

You must provide:

  • .pfx file
  • Password for the certificate

Azure stores it securely inside the App Service environment.

5. Bind a Certificate to Your Custom Domain

Once uploaded, you must bind the certificate to a custom domain.

Steps:

  1. Go to Custom Domains
  2. Add your domain (validate using CNAME or A record)
  3. Go to TLS/SSL Settings → Bindings
  4. Select:
    • Custom domain
    • Certificate
    • TLS/SSL type (SNI SSL or IP-based SSL)

SNI SSL (Most Common)

  • Multiple SSL certificates can share one IP.
  • Uses Server Name Indication.
  • Cheaper and recommended.

IP-based SSL

  • Dedicated IP address assigned to the app.
  • More expensive.
  • Rarely needed unless device compatibility demands it.

Exam tip:
SNI SSL is the recommended method for most App Services.

6. Enforce HTTPS Only

Azure App Service allows you to force all traffic to HTTPS.

Steps:

  • Go to TLS/SSL Settings
  • Enable HTTPS Only

This ensures all insecure HTTP traffic is redirected.

Exam focus:

  • Always enable HTTPS Only when protecting App Service apps.

7. Certificate Storage and Security

Certificates uploaded to App Service are stored securely using encryption.

You can also store and manage certificates using Azure Key Vault.

Advantages of Key Vault:

  • Centralized secure storage
  • Automatic renewal (for supported certificates)
  • Role-based access control (RBAC)
  • Automatic sync of certificates with App Service

Exam note:
App Service can auto-sync certificates from Key Vault every 24 hours.

8. Certificate Renewal

Important for exam:

  • App Service Managed Certificates auto-renew automatically
  • Certificates from Key Vault renew if Key Vault is configured for auto-rotation
  • Manually uploaded certificates must be re-uploaded when renewed
  • SSL bindings remain but must be updated if certificate thumbprint changes

9. Mutual TLS (Client Certificate Authentication)

Azure App Service supports client certificate authentication, where clients must present certificates to access the app.

Steps:

  1. Enable client certificates:
    App Service → Settings → Configuration → General Settings → Client Certificate Mode
  2. App receives certificate details through request headers
  3. Your application code must validate the certificate

Used in IT for:

  • Internal applications
  • API-to-API communication
  • Internal enterprise networks needing strong authentication

10. Common AZ-104 Exam Scenarios

Be prepared to answer questions like:

Scenario 1

“Your web app must use HTTPS. You need a free certificate. DNS is hosted in Azure. What should you use?”

Answer:
App Service Managed Certificate

Scenario 2

“You need a wildcard certificate for *.company.com. What should you do?”

Answer:
Upload a .pfx wildcard certificate (BYOC)
Azure’s free managed certificate does not support wildcard domains.

Scenario 3

“You purchased a certificate from a third-party CA. How do you use it?”

Answer:

  1. Convert it to .pfx
  2. Upload it under Private Key Certificates
  3. Bind it to your custom domain

Scenario 4

“Where should you store certificates for maximum security and automated rotation?”

Answer:
Azure Key Vault

Scenario 5

“What certificate type should you use for multiple websites on the same IP address?”

Answer:
SNI SSL

Summary (Exam-Ready Points)

To pass AZ-104, know these:

  • Difference between Managed, Uploaded, and Purchased certificates.
  • Only private key (.pfx) certificates support SSL binding.
  • Managed certificates are free, auto-renew, but have limitations.
  • Enable HTTPS Only for security.
  • Use SNI SSL unless a dedicated IP is required.
  • Key Vault provides secure storage and auto-sync features.
  • Certificates must be renewed before expiry to avoid downtime.
  • Mutual TLS requires enabling client certificate mode and validating in code.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by