Renewing an SSL certificate for a website hosted in Azure

Managing resources in Azure has become easier (well, at least the interface looks better) since Microsoft launched the new portal (the one at portal.azure.com).

Today we'll see how to upload a renewed IP-based SSL certificate for your Azure web app in the new portal.

Prerequisites

  1. Needless to say, to upload a renewed certificate to Azure you first need a renewed certificate. You don’t have to wait for the old one to expire before installing the new one, though: you can buy the new certificate in advance (one or two months ahead is a pretty safe choice) and use it immediately. Be aware, however, that some third parties (for example the bank that processes your eCommerce payments) may need to install the intermediate certificates of your new certificate in their “certificate store” before you replace the certificate on your web server. Check with them whether this is the case.
  2. To renew an SSL certificate, you can talk to the issuer of the existing certificate. There are also DNS providers that issue SSL certificates for you via a Certification Authority they trust, so you don’t have to speak to another party.
  3. The new certificate must be in the password-protected .pfx format to be accepted by IIS (Azure also runs Apache, actually, but I think most Azure websites are on IIS at present. I may be wrong already, and I will definitely be wrong in the future).
    I explained how to create the .pfx certificate in this post. However, if your Certificate Authority or DNS provider is very kind, you won’t have to go through any of that: they will create the .pfx for you, thank you very much. For instance, dnsimple has an interface that creates the pfx for you when you buy a certificate through them (they buy it from Comodo). dnsimple also provides a matching password, which you will have to enter in Azure together with the certificate:

Download a pfx format certificate and its password from dnsimple, or any provider that is “IIS-friendly”
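If nobody builds the .pfx for you, here is an added example (my own, not from the original post or from any CA or DNS provider) of building an IIS-friendly, password-protected .pfx with OpenSSL from the PEM files a CA typically hands you, plus two checks that the bundle really contains the intermediates and the renewed leaf. The file names, the friendly name and the password are assumptions; substitute your own.

```shell
#!/usr/bin/env bash
# Added example: build an IIS/Azure-friendly .pfx from PEM files with OpenSSL.
# Assumed inputs (not from the post): privkey.pem (your private key),
# cert.pem (the renewed leaf certificate) and chain.pem (the CA's
# intermediate certificate or certificates).
set -eu

# make_pfx KEY CERT CHAIN OUT PASSWORD
# Bundles key + leaf + intermediates into OUT, protected by PASSWORD.
# Including the intermediates matters: Azure serves whatever is in the
# bundle, and a missing intermediate is the usual cause of a broken chain.
make_pfx() {
  key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
  openssl pkcs12 -export \
    -inkey "$key" -in "$cert" -certfile "$chain" \
    -name "webapp-renewed-$(date -u +%Y)" \
    -out "$out" -passout "pass:$pass"
  # The file contains a private key: only you should be able to read it.
  chmod 600 "$out"
  # If an older Windows/IIS stack rejects the bundle, re-export with
  # OpenSSL 3's "-legacy" flag so the older PKCS#12 ciphers it expects are used.
}

# pfx_cert_count FILE PASSWORD: number of certificates in the bundle
# (leaf + intermediates). Use it to confirm the intermediates made it in.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# pfx_leaf_not_after FILE PASSWORD: expiry date of the leaf certificate,
# so you can confirm you are uploading the renewed one, not last year's.
pfx_leaf_not_after() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2
}

# Usage (assumed file names; the password is read from the terminal rather
# than typed on the command line, so it stays out of your shell history):
#   read -rs -p "PFX password: " PFX_PASS; echo
#   make_pfx privkey.pem cert.pem chain.pem webapp-2017.pfx "$PFX_PASS"
#   pfx_cert_count webapp-2017.pfx "$PFX_PASS"      # expect leaf + intermediates
#   pfx_leaf_not_after webapp-2017.pfx "$PFX_PASS"  # expect next year's date
```

The count check is the one worth running every time: a .pfx with only the leaf certificate uploads and binds just fine in Azure, and the breakage only shows up later in browsers and SSL checkers as an incomplete chain.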

The actual work

  1. Go to portal.azure.com
  2. Choose the blade (new portal terminology for a dynamic window) corresponding to your web app
  3. In the app’s settings, choose “Custom domains and SSL”
  4. Choose “Upload certificate”. Don’t be scared if you’re doing this ahead of time: before you bind the certificate to your site, nothing will change in the configuration. Plus, as we said, you can use the renewed certificate before the old one expires, unless a third party needs the intermediate certificates.

upload renewed pfx certificate in Azure

  5. Once you upload the new certificate, the list of available certificates grows by one (see the “Certificates” section in the screenshot below: there is a “2017” certificate below the “2016” one).


As you can see in the “certificates” section, I have a new one

  6. Now you would be tempted to ADD a new binding between your hostname and the new certificate, in the SSL bindings configuration (see “SSL bindings” in the screenshot above). Azure will let you do that; however, once you save and re-enter the blade, you will see that only the old certificate is still bound to the hostname.

  7. This is why you don’t ADD a new binding between the hostname and the new certificate: you update the existing binding. In the row for the existing binding, select the certificate you just uploaded in place of the old one, as shown below:


Choose the new certificate in the SSL binding
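The same upload-and-rebind (steps 4 to 7) can be scripted with the Azure CLI, which is handy when you renew every year. The following is an added example of mine, not from the post or from Microsoft: it assumes you are already logged in with `az login`, that `RG` and `APP` are your resource group and web app names, and that the .pfx was built as in the prerequisites. The local thumbprint check before binding is my own addition: it guards against uploading last year's file by mistake.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the portal steps, using the Azure CLI ("az").
# Assumed (not from the post): "az login" already done; RG/APP are your
# resource group and web app names; the .pfx is the renewed one.
set -eu

# pfx_thumbprint FILE PASSWORD: SHA-1 thumbprint of the leaf certificate in
# the colon-free upper-case form Azure shows in its Certificates list.
pfx_thumbprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g'
}

# upload_and_bind RG APP PFX PASSWORD
# Uploads the renewed .pfx, then binds its thumbprint to the app's custom
# hostname. Binding a new thumbprint with "ssl bind" updates the hostname's
# existing binding, which is what step 7 does in the portal.
upload_and_bind() {
  rg="$1"; app="$2"; pfx="$3"; pass="$4"
  expected=$(pfx_thumbprint "$pfx" "$pass")
  actual=$(az webapp config ssl upload --resource-group "$rg" --name "$app" \
             --certificate-file "$pfx" --certificate-password "$pass" \
             --query thumbprint --output tsv)
  # Azure's thumbprint for the upload must match the file we meant to send.
  if [ "$actual" != "$expected" ]; then
    echo "thumbprint mismatch: azure=$actual local=$expected" >&2
    return 1
  fi
  az webapp config ssl bind --resource-group "$rg" --name "$app" \
    --certificate-thumbprint "$actual" --ssl-type IP
  echo "$actual"
}

# Usage (assumed names; password read from the terminal so it stays out of
# shell history):
#   read -rs -p "PFX password: " PFX_PASS; echo
#   upload_and_bind my-rg my-webapp webapp-2017.pfx "$PFX_PASS"
# After the site has been verified with the new chain, the old certificate
# can be removed:
#   az webapp config ssl delete --resource-group my-rg \
#       --certificate-thumbprint <old thumbprint>
```

`--ssl-type IP` keeps the binding IP-based, as in step 8; use `SNI` if your site is SNI-based. Leave the old certificate in place until you have confirmed the new chain is served, so that you can bind back to it if anything goes wrong.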

  8. If your SSL binding is already IP-based, you won’t have to set the IP binding again: the old configuration is kept.

  9. Finally, to check that the new certificate chain is served correctly, you can use an online tool like SSL Shopper’s SSL Checker.

Just make sure that the tool shows you the latest, non-cached result!


Check your SSL certificate in Azure via an SSL checker
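An online checker may show you a cached view; a direct TLS handshake from your own machine cannot. Here is an added example of mine (not from the post, not an SSL Shopper tool) that connects straight to the site, lists every certificate the server actually sends with its issuer and days left, and prints OpenSSL's verdict on the chain. It assumes OpenSSL and GNU `date` are installed and that the hostname you pass is the one bound in Azure.

```shell
#!/usr/bin/env bash
# Added example: check the chain your Azure site really serves, straight from
# the server (no checker cache in between). Assumes OpenSSL and GNU date.
set -eu

# days_between FROM TO: whole days from FROM to TO, both in OpenSSL's date
# format ("Jun  1 12:00:00 2017 GMT"). A negative result means TO is past.
days_between() {
  from=$(date -u -d "$1" +%s)
  to=$(date -u -d "$2" +%s)
  echo $(( (to - from) / 86400 ))
}

# check_chain HOST: open a fresh TLS connection with SNI set to HOST, print
# subject, issuer and days left for every certificate the server sends, and
# show OpenSSL's verdict on the chain against the local trust store.
check_chain() {
  host="$1"
  dir=$(mktemp -d)
  now=$(date -u +"%b %e %H:%M:%S %Y GMT")
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null \
    > "$dir/s_client.txt" 2>/dev/null || true
  # Split the PEM blocks the server sent into one file per certificate.
  awk -v d="$dir" '
    /BEGIN CERTIFICATE/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
    f { print > f }
    /END CERTIFICATE/ { close(f); f = "" }' "$dir/s_client.txt"
  for f in "$dir"/cert*.pem; do
    [ -e "$f" ] || continue
    echo "== $(basename "$f")"
    openssl x509 -in "$f" -noout -subject -issuer
    echo "days left: $(days_between "$now" "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)")"
  done
  # "Verify return code: 0 (ok)" means the served chain verifies. The usual
  # failure, "unable to get local issuer certificate", means an intermediate
  # was missing from the .pfx you uploaded.
  grep 'Verify return code' "$dir/s_client.txt" || echo "no TLS handshake with $host"
  rm -rf "$dir"
}

# Usage: check_chain www.example.com   (assumed hostname; use your own)
if [ "$#" -ge 1 ]; then
  check_chain "$1"
fi
```

Run it right after rebinding and look for two things: the first certificate listed must be the renewed one (days left well above zero), and the verify line must read `0 (ok)`. If a third party told you they needed the intermediates first, the issuer line of the first certificate is what to send them.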
