The first thing to remember is that in the old days a CSR had to be generated on the server that had the certificate installed. If you have an Azure App Service or a "Classic VM" service, also known as Platform as a Service (PaaS), you do not have access to the IIS folder / directory or, in the VM case, the operating system. Most CSR generation instructions start “Log into your Server”. With PaaS you can’t do this! However, this is not the roadblock it appears to be. Even for the recommended link from Microsoft:
The instructions start “On your Windows server, download and save”.
To Generate your CSR without access to the operating system (PaaS)
Just do this process on your local (Windows?) PC.
Now run the app, you will get a window something like this:
Select SSL and click on the “Create CSR” link.
You now get a form to fill in. Remember, if you are generating a wildcard certificate for subdomains, you need to enter “*.ava.co.uk” for the “ava.co.uk” domain (using your own domain name, of course!).
The app is quite nice because as you click on each box you get appropriate help information alongside.
When you are done, click generate.
Now go through the payment and authentication rigmarole of the certificate supplier of your choice: for example we use
They are all the same certificates you would get from a premium site or premium web site supplier, just not at premium prices.
Updating the IIS SSL app service in Azure PaaS
Provided you have a new CRT (generated by the company that accepted the CSR) and the private key, you need to generate a pfx file with a secure password. There are three options:
If you choose this option, just follow the https://www.digicert.com/csr-creation-ssl-installation-windows-azure-website.htm article. You will, however, get an information error when you follow their instructions.
You can ignore this.
Install an OpenSSL command line utility
Stack Overflow has a simple explanation:
Command is inside bin folder of OpenSSL installation
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
domain.name.key contains the private key
domain.name.crt contains the crt file
out file parameter domain.name.pfx contains the resulting pfx.
You will be asked to provide a password once the command is run.
If we don’t specify a path for any of the files the generated file will be in the bin folder of Win32OpenSSL installation.
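One way to script the OpenSSL route, as an added example that is not from the original post or the Stack Overflow explanation: it refuses to build the PFX when the key and CRT do not belong together, keeps the password off the command line, and prints the thumbprint to compare against the certificate binding list in the portal. The function names and the PFX_PASSWORD variable are assumptions for illustration; it expects a Bash-style shell with openssl on the PATH and an unencrypted private key.

```shell
# Added example (not from the original post). Assumes an unencrypted private key
# and the placeholder file names used above; PFX_PASSWORD is a hypothetical name.

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert domain.name.key domain.name.crt
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# SHA-1 thumbprint of a PEM certificate as hex without colons.
cert_thumbprint() {   # usage: cert_thumbprint domain.name.crt
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//' | tr -d ':'
}

# Export the PFX. The password comes from $PFX_PASSWORD, so it is not typed on
# the command line; the output file is created readable by the owner only.
make_pfx() {          # usage: make_pfx domain.name.key domain.name.crt domain.name.pfx
  [ -n "${PFX_PASSWORD:-}" ] || { echo "set PFX_PASSWORD first" >&2; return 1; }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  export PFX_PASSWORD
  ( umask 077; openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
      -passout env:PFX_PASSWORD )
}

# Thumbprint of the certificate actually stored inside the PFX.
pfx_thumbprint() {    # usage: pfx_thumbprint domain.name.pfx
  export PFX_PASSWORD
  openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1 | sed 's/.*=//' | tr -d ':'
}

# Demo on a constructed, throwaway self-signed certificate (not CA-issued).
demo() {
  local d; d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
    -keyout "$d/domain.name.key" -out "$d/domain.name.crt" 2>/dev/null || return 1
  PFX_PASSWORD="constructed-demo-password"
  make_pfx "$d/domain.name.key" "$d/domain.name.crt" "$d/domain.name.pfx" || return 1
  echo "CRT thumbprint: $(cert_thumbprint "$d/domain.name.crt")"
  echo "PFX thumbprint: $(pfx_thumbprint "$d/domain.name.pfx")"
  rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to exercise the functions on a throwaway self-signed certificate; the two thumbprints it prints should be identical.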
Updating IIS app service certificate in Azure PaaS
You have to select each app service and upload the certificate and bind it to the sites under the app service.
The best way is probably to use the filter on the all resources page deselecting "all" and selecting "app service", then click outside the list.
The result will be those app services you need to update certificates for (under this account).
Select each one in order and scroll down to SSL certificates, where you will find "Upload certificate" (not "Import App services certificate"):
The new certificate should appear:
You should now explicitly add bindings for subdomains using "Add bindings". The binding will overwrite the existing one and will NOT be updated automatically, so make sure the thumbprint under the certificate binding list is the one from the recently added certificate (green).
So make sure you have the binding notification:
You can check the certificate installation at this service:
This will be the binding for the primary site azure app service.
Now is a good time to delete the old certificate by clicking on the ellipsis of the certificate name you don't want:
Finally you should get a reassuring summation in your notifications panel (read from bottom up to see in chronological order). You will get additional binding notifications for each app service in turn.
It's probably a good time to check you have your SSL redirect on, so under the consistently named Custom Domains / Hostnames just above your SSL certificate blade, check HTTPS only:
Updating a classic Windows VM PaaS in Azure
So no consistent interface here! With a classic Windows VM service:
Once you have generated your cer file with its password, navigate to the Classic service in your Azure portal and scroll down, but this time to Certificates, and you do want "upload":
A side panel will open and this time you want to upload the "*.cer" file. At the time of writing the UI does not give any hints on file type (referring only to certificate...) and also when you type in the password, the mandatory password field remains blank...
Still, click upload at the bottom of the panel.
Finally you should get a reassuring notification.