Admins in organizations with several websites have the unenviable task of keeping an overview of all services that use the Secure Sockets Layer (SSL) certificates. These certificates, which are necessary for establishing an encrypted link between a server and a client, are often valid only for a few years and have to be changed periodically. For companies with several public-facing sites, such as those offering products as Software-as-a-Service (SaaS) solutions whose environments can grow quickly, changing the certificates regularly is particularly challenging.
Organizations can build an environment in Azure to simplify managing and changing them from a central location and safeguard cryptographic keys and secrets used by cloud applications and services. In this article, we will explain how to automate SSL certificate updates with App Services and Azure Key Vault.
What Are the Benefits of Using Key Vault with App Services?
There are many benefits of using Azure Key Vault with Azure App Services for rotating certificates.
- All SSL certificates can be stored securely and managed from a centralized location that simplifies operations.
- A new certificate version created in Azure Key Vault can be rolled out to all the websites assigned to it.
- Specific permissions, such as Get, List, Update, Create, Import, Delete, Recover, Backup, and Restore can be assigned to applications for access control.
- The solution can be built from the Azure Portal with no or minimal coding.
How to Deploy Azure Web App Certificate Using Azure Key Vault?
Azure Web App Service is a cloud computing-based platform as a service (PaaS) solution that is created and managed by Microsoft for publishing and hosting websites and applications. The domains used for the applications deployed using Azure Web App Service need a certificate binding to secure them. The cryptographic keys and secrets used by cloud applications and services can be safeguarded in Azure Key Vault. Here are the steps to store Azure Web Apps certificates in Azure Key Vault and bind them to websites.
- Purchase an appropriate App Service plan (Basic, Standard, Premium, or Isolated tier) that supports TLS/SSL bindings or enables client certificates.
- Create your app from the Azure portal and enable a system-assigned managed identity for it, so that it can authenticate through Azure AD to the certificates stored in Azure Key Vault. This generates an Object ID for the website.
- Similarly, create an Azure Key Vault in the resource group used by the Azure App Service app, to which the certificate can be uploaded.
- Generate and download the PFX (PKCS#12) file, which bundles the SSL certificate with its public key and the associated private key, and import it into Azure Key Vault.
- Configure the access policy for the website using the Object ID generated earlier.
- Change the DNS records to point the custom domain to the App Service app, add the domain to App Service, and validate it.
- The custom domain can now be added to the website binding.
- Import the pfx stored in Azure Key Vault in the App Service TLS/SSL settings, and confirm that the site opens with HTTPS.
- When the certificate is about to expire, admins can create a new version of the certificate in Azure Key Vault by importing the renewed PFX file and its password, and deploy that version to the websites.
Alternatively, organizations can opt for the free App Service Managed Certificate which is a turn-key solution for securing custom DNS names in App Service.
Apps4Rent Can Help with Azure Solutions
Malicious users exploit confidential details such as database connection strings, passwords, and private keys left in application source code. Using Azure Key Vault is therefore recommended for every software project in Azure, including websites that use Azure App Services.
As a Tier 1 Microsoft CSP with gold competency in Microsoft solution areas such as Cloud Platform and Cloud Productivity, Apps4Rent provides strategic guidance, implementation, adoption, and advisory services to help organizations transition seamlessly to the cloud. Contact our Microsoft certified cloud experts available 24/7 via phone, chat, and email for managed Azure services.