
FAQ - Azure

Question
Create a CSR (certificate signing request) for an Azure App Service (PaaS)
Answer

The first thing to remember is that, in the old days, a CSR had to be generated on the server that had the certificate installed. If you have an Azure App Service or a "Classic VM" as a service, also known as Platform as a Service (PaaS), you do not have access to the IIS folder/directory or, in the VM case, the operating system. Most CSR generation instructions start with “Log into your server”. With PaaS you can’t do this! However, this is not the roadblock it appears to be. Even the link recommended by Microsoft has this problem:

https://www.digicert.com/csr-creation-ssl-installation-windows-azure-website.htm

Its instructions start with “On your Windows server, download and save”.

 

To Generate your CSR without access to the operating system (PaaS)

 

Just carry out this process on your local (Windows) PC instead.

Now run the app, you will get a window something like this:

 

Windows Azure Website CSR Creation SSL Certificate Installation 1

 

Select SSL and click on the “Create CSR” link.

 

You now get a form to fill in. Remember that if you are generating a wildcard certificate for subdomains, you need to enter “*.ava.co.uk” for the “ava.co.uk” domain (using your own domain name, of course!).

 

The app is quite nice because as you click on each box you get appropriate help information alongside.

 

Windows Azure Website CSR Creation SSL Certificate Installation 2

 

When you are done, click generate.

 

Now go through the payment and authentication rigmarole of the certificate supplier of your choice. For example, we use:

https://cheapsslsecurity.com

They are all the same certificates you would get from a premium site or premium web site supplier, just not at premium prices.

 

Updating the IIS SSL app service in Azure PaaS
Provided you have a new CRT (generated by the company that accepted the CSR) and the private key, you need to generate a pfx file with a secure password. There are three options:

 

  • Continue with DigiCert (easiest)
  • Install an OpenSSL command line utility (for example, from Shining Light Productions)
  • Access a Unix machine or VM with the OpenSSL generation library

 

Digicert

 

If you choose this option, just follow the https://www.digicert.com/csr-creation-ssl-installation-windows-azure-website.htm article. You will, however, get an information error when you follow their instructions:

 

Windows Azure Website CSR Creation SSL Certificate Installation 7

 

You can ignore this.

 

Install an OpenSSL command line utility

 

Stack Overflow has a simple explanation, "How to create pfx file from certificate and private key" (stackoverflow.com).

The OpenSSL installer is available from slproweb.com (Products, OpenSSL).

The openssl command is inside the bin folder of the OpenSSL installation.

 

Windows Azure Website CSR Creation SSL Certificate Installation 3

 

Command:

 

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt


domain.name.key contains the private key.
domain.name.crt contains the certificate (the crt file).
The -out parameter, domain.name.pfx, names the resulting pfx file.
You will be asked to provide a password once the command is run.

If you don’t specify a path for any of the files, the generated file will be in the bin folder of the Win32OpenSSL installation.
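The whole procedure above, from CSR to PFX, can also be done with OpenSSL alone. The following is an added example, not part of the original FAQ or of DigiCert's instructions; example.co.uk, the file names, the PFX_PASS variable and the self-signing step that stands in for the certificate supplier are assumptions. It checks that the CRT matches the private key before packaging, and prints the SHA-1 thumbprint to compare with the one shown in the Azure binding list.

```sh
#!/bin/sh
# Added example (not from the original FAQ): CSR -> CRT -> PFX with OpenSSL only.
# example.co.uk, the file names and PFX_PASS are placeholders.
DOMAIN="example.co.uk"
PFX_PASS="${PFX_PASS:-constructed-demo-password}"; export PFX_PASS

# Step 1: private key + wildcard CSR. Only the .csr is sent to the supplier.
make_csr() {
    ( umask 077   # new key file is readable by the current user only
      openssl req -new -newkey rsa:2048 -nodes -keyout "$DOMAIN.key" \
          -out "$DOMAIN.csr" -subj "/C=GB/O=Example Ltd/CN=*.$DOMAIN" 2>/dev/null ) &&
    openssl req -in "$DOMAIN.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# Demo stand-in for the supplier: self-sign the CSR so the script runs offline.
sign_demo_cert() {
    openssl x509 -req -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -days 30 \
        -out "$DOMAIN.crt" 2>/dev/null
}

# Step 2: the CRT must carry the public key of the private key you hold.
key_matches_cert() {   # usage: key_matches_cert file.crt file.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 3: build the PFX; the password comes from the environment, not argv.
make_pfx() {
    key_matches_cert "$DOMAIN.crt" "$DOMAIN.key" || return 1
    ( umask 077
      openssl pkcs12 -export -out "$DOMAIN.pfx" -inkey "$DOMAIN.key" \
          -in "$DOMAIN.crt" -passout env:PFX_PASS )
}

# Step 4: read the PFX back and print its SHA-1 thumbprint (40 hex characters).
pfx_thumbprint() {
    openssl pkcs12 -in "$DOMAIN.pfx" -passin env:PFX_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -fingerprint -sha1 |
        sed 's/^.*=//; s/://g'
}

cd "$(mktemp -d)" || exit 1    # work in a scratch directory
make_csr && sign_demo_cert && make_pfx && echo "Thumbprint: $(pfx_thumbprint)"
```

With a real certificate, skip sign_demo_cert and place the supplier's CRT next to the key before calling make_pfx.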


Updating IIS app service certificate in Azure PaaS

 

You have to select each app service, upload the certificate and bind it to the sites under the app service.

The best way is probably to use the filter on the "All resources" page, deselecting "all" and selecting "app service", then clicking outside the list.


Windows Azure Website CSR Creation SSL Certificate Installation 4
 

The result will be the app services you need to update certificates for (under this account).

 

Windows Azure Website CSR Creation SSL Certificate Installation 5

 

Select each one in order and scroll down to SSL certificates, where you will find "Upload certificate" (not "Import App Service certificate"):

 

Windows Azure Website CSR Creation SSL Certificate Installation 6A

 

The new certificate should appear:

Windows Azure Website CSR Creation SSL Certificate Installation 8

 

You should now explicitly add bindings for subdomains using "Add bindings". The binding will overwrite the existing one and will NOT be updated automatically, so make sure the thumbprint under the certificate binding list is the one from the recently added certificate (green).

 

Certificate Binding

So make sure you have the binding notification:

Certificate Binding 2

 

You can check the certificate installation at this service:

 

sslshopper.com/ssl-checker

 

This will be the binding for the primary site azure app service.

 

Now is a good time to delete the old certificate by clicking on the ellipsis of the certificate name you don't want:

 

Certificate Binding 5

 

And the notification:

 

Certificate Binding 3

 

Finally, you should get a reassuring summary in your notifications panel (read from the bottom up to see it in chronological order). You will get additional binding notifications for each app service in turn.

 

Windows Azure Website CSR Creation SSL Certificate Installation 9

 

It's probably a good time to check that you have your SSL redirect on, so under the consistently named Custom Domains / Hostnames, just above your SSL certificate blade, check "HTTPS Only":

 

Certificate Binding 4A

 

 

Updating a classic Windows VM PaaS in Azure 

 

So no consistent interface here! With a classic Windows VM service:

 

Once you have generated your cer file with its password, navigate to the Classic service in your Azure portal and scroll down, but this time to Certificates, and here you do want "Upload":

 

Classic Cloud Service 1A

 

A side panel will open, and this time you want to upload the "*.cer" file. At the time of writing, the UI does not give any hints on file type (referring only to "certificate") and, when you type in the password, the mandatory password field remains blank.

 

Classic Cloud Service 2

Still, click Upload at the bottom of the panel.

 

Finally you should get a reassuring notification.

 

Classic Cloud Service 3

 

 

 


This FAQ was last updated on Tuesday, February 20, 2018
