Private key certificates
Private key certificates are .pfx certificates you have received from your Certificate Authority (CA) or trusted third-party provider. You can upload these certificates directly to an App Service or upload them to an Azure Key Vault that can be integrated with an App Service.
Private certificates must be password-protected, be encrypted using triple DES, be at least 2048 bits, and contain all intermediate and root certificates in the certificate chain. If you plan to use the certificate with a custom domain, the certificate must contain an Extended Key Usage attribute for server authentication.
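A pre-upload check of the requirements above, as an added example that is not from this text or from Azure: Test-AppServicePfx is a hypothetical helper name, built only on .NET certificate classes. It does not inspect the encryption algorithm of the .pfx container, so the triple DES requirement still has to be confirmed separately.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. Test-AppServicePfx is a hypothetical helper, not an Azure cmdlet.
function Test-AppServicePfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    # EphemeralKeySet keeps the private key in memory only (not supported on macOS).
    $flags = [X509KeyStorageFlags]::EphemeralKeySet

    # A file that opens with an empty password is not password-protected.
    $protected = $false
    try   { [X509Certificate2Collection]::new().Import($file, '', $flags) }
    catch { $protected = $true }

    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [X509Certificate2Collection]::new()
    $certs.Import($file, $plain, $flags)   # throws on a wrong password

    $leaf = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key in $file" }

    # Key size is read for RSA keys; other key types report 0 here.
    $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($leaf)
    $bits = if ($rsa) { $rsa.KeySize } else { 0 }

    # Server authentication EKU (OID 1.3.6.1.5.5.7.3.1), needed for custom domains.
    $eku        = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'

    # Walk issuer names inside the file until a self-signed root is reached.
    # This matches names only; it does not verify signatures.
    $current = $leaf; $chainInFile = $false
    for ($i = 0; $i -lt $certs.Count -and $current; $i++) {
        if ($current.Subject -eq $current.Issuer) { $chainInFile = $true; break }
        $issuer  = $current.Issuer
        $current = $certs | Where-Object { $_.Subject -eq $issuer } | Select-Object -First 1
    }

    [pscustomobject]@{
        Subject           = $leaf.Subject
        PasswordProtected = $protected
        KeyBits           = $bits
        KeyAtLeast2048    = $bits -ge 2048
        ServerAuthEku     = $serverAuth
        ChainInFile       = $chainInFile
    }
}
```

Call it with the file path and the result of `Read-Host -AsSecureString` so the password never appears in command history.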
To add a private key certificate to an App Service, navigate to the Certificates blade of the App Service and select the Bring Your Own Certificate (.pfx) tab. On this tab, click Add Certificate.
On the Add Private Key Certificate blade, there are three options in the Source drop-down menu:
- Import From App Service: This can be used if you previously uploaded a certificate.
- Upload Certificate (.pfx): Select this option if you plan to upload the certificate directly to the App Service.
- Import From Azure Key Vault: Select this option if you have uploaded the certificate to an Azure Key Vault and plan to point the App Service to the Key Vault to obtain the certificate.
If you select Upload Certificate (.pfx), you will be prompted for information to upload the certificate, including:
- PFX Certificate File
- Certificate Password
- Certificate Friendly Name
Complete the fields and then click Validate, as shown in Figure 3-79. After validation completes, click Add to upload the certificate to the App Service.
FIGURE 3-79 Add a private key certificate
To manage the domain and the certificate separately, you must associate the certificate with the domain by adding bindings to the domain. To add bindings, navigate to the App Service and then select Custom Domains. On the Custom Domains blade, select Add Bindings for the domain that you added and have a certificate for (refer to Figure 3-76).
On the Add TLS/SSL Binding blade, displayed in Figure 3-80, in the Certificate drop-down menu, select the certificate you uploaded to the App Service; then click Add. The certificate will be associated with the custom domain.
FIGURE 3-80 Add TLS/SSL Binding
Public key certificates
Public key certificates can be uploaded directly to an App Service and must be in a .cer file format without a private key. On the Public Key Certificates tab of the Certificates blade, click Add Certificate. You will be prompted to upload the .cer file and provide a friendly name, as shown in Figure 3-81. Click Add to upload the certificate.
FIGURE 3-81 Add a public key certificate