Managing resources in Azure has become easier (well, at least the interface looks better) since Microsoft launched the new portal (the one at portal.azure.com).
Let us see today how you upload, in the new portal, a renewed IP-based SSL certificate for your Azure web app.
- Needless to say, to upload a renewed certificate in Azure you need to have a renewed certificate. You don’t have to wait for the old certificate to expire before installing the new one, though: you can buy the new certificate in advance (one/two months is a pretty safe choice) and use it immediately. However, watch out that some third parties (for example: the bank that allows your eCommerce payments) may need to install the intermediate certificates of your new certificate in their “certificate store” before you replace the certificate in your web server. Check with them if this is the case.
- To renew an SSL certificate, you can talk to the issuer of the existing certificate. There are also DNS providers that issue SSL certificates for you via a Certification Authority they trust, so you don’t have to speak to another party.
- The new certificate must be in the .pfx format (password-protected) to get along with IIS (Azure also runs Apache actually, but I think most Azure websites are IIS presently. I may be wrong already and I will definitely be wrong in the future).
I explained how to create the .pfx certificate in this post. However, if your Certificate Authority or DNS provider is very kind, you won’t have to go through any of that: they will create a .pfx for you, thank you very much. For instance, DNSimple has an interface that creates the .pfx for you when you buy a certificate through them (they buy it at Comodo’s). DNSimple also provides a matching password you will have to use in Azure in conjunction with the certificate.
The actual work
1. Go to portal.azure.com
2. Choose the blade (new portal terminology for a dynamic window) corresponding to your web app
3. In the app’s settings, choose “Custom domains and SSL”
4. Choose “Upload certificate”. Don’t be scared if you’re doing this ahead of time: before you bind the certificate to your site, nothing will change in the configuration. Plus, as we said, you can use the renewed certificate before the old one expires, unless a third party needs the intermediate certificates.
5. Once you upload the new certificate, the list of available certificates is incremented by one (see the “Certificates” section in the screenshot below: there is a “2017” certificate below the “2016”).
6. Now you would be tempted to ADD a new binding between your hostname and the new certificate. You would want to do that in the SSL bindings configuration (see “SSL bindings” in the screenshot above). Azure will allow you to do that; however, once you save and re-enter the blade, you will see that only the old certificate still has a binding to the hostname.
7. This is why you don’t ADD a new binding between the hostname and the new certificate: you update the existing binding. In the row corresponding to the existing binding, select the new certificate you just uploaded to replace the old one, as you see below:
8. If your SSL is already IP-based, you won’t have to set the IP binding again: the old configuration is kept.
9. Finally, to check that the new certificate chain is working, you can use an online tool like SSL Shopper’s checker.
Just make sure that you are seeing the latest, non-cached situation in the tool!
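A direct check from your own machine avoids the caching problem and also shows whether the binding in step 7 really switched to the renewed certificate. The script below is an added example, not part of the original post; the host name `www.example.com`, the serial numbers and the dates are constructed placeholders (the real serial is shown by your CA or in the certificate details).

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_served_cert(host, port=443, timeout=10):
    """Handshake with the server directly, so no checker-side cache is involved.

    The default context validates the chain and the host name: a missing
    intermediate certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the fields that matter for a renewal."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "serial": cert["serialNumber"].upper().lstrip("0"),
        "expires": expires,
        "days_left": (expires - now).days,
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def is_renewed(cert, new_serial, now=None):
    """True only if the served certificate is the renewed one and unexpired."""
    now = now or datetime.now(timezone.utc)
    info = summarize(cert, now)
    wanted = new_serial.replace(":", "").upper().lstrip("0")
    return info["serial"] == wanted and info["expires"] > now


# Constructed sample data in the shape returned by getpeercert().
OLD_CERT = {"serialNumber": "0A11B2", "notAfter": "Dec 31 23:59:59 2016 GMT",
            "subjectAltName": (("DNS", "www.example.com"),)}
NEW_CERT = {"serialNumber": "0B22C3", "notAfter": "Dec 31 23:59:59 2017 GMT",
            "subjectAltName": (("DNS", "www.example.com"),)}

if __name__ == "__main__":
    # Live use: cert = fetch_served_cert("www.example.com")
    now = datetime(2016, 12, 1, tzinfo=timezone.utc)
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, summarize(cert, now)["days_left"], is_renewed(cert, "0b:22:c3", now))
```

If `is_renewed` returns False right after you saved the binding, the site is still serving the old certificate and the binding row from step 7 needs another look.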