Securing Your Azure Web App With SSL For Free

Okezie Arukwe
Mar 28, 2019

Say you have a nice little, probably nonprofit, web application on Azure Web App Service. And say you need to improve the security of this app with an SSL certificate, maybe because you are collecting sensitive information from your users.
And because this app is probably nonprofit, you do not want to buy even a cheap PositiveSSL certificate for less than $10, which brings you here.
Okay then, let me show you how I installed a valid SSL certificate on my Azure app for absolutely free and how you can do the same.

Note that this is the manual approach. There is currently an Azure extension that automates this process using Let's Encrypt.

Also, the certificate generated using this method has a three-month validity period only.

Generating The Free Certificate

The first step is to generate the free certificate. This will not require you to generate a CSR (Certificate Signing Request) first. All you have to do is head to https://www.sslforfree.com and enter your domain name in the text bar and click on the “Generate Free SSL Certificate” Button.

Remember to enter both versions of your site URL (with and without www)

On the next page click on “Manual Verification (DNS)” and click on the “Manually Verify DNS” button that will appear below.

Note that you can choose any of the other verification options, but I think the DNS method is the most straightforward and least problematic for Azure apps.

Next you will need to update your domain’s DNS records by adding TXT records as instructed on the page.

Read and follow the instructions on the page carefully to add the two TXT records as instructed. You will need to log in to your domain registrar's client area to be able to do this.

You can always contact your domain registration company for assistance with this setup. They should be able to help you resolve things in no time.

When this is done, verify your TXT records have propagated using the verify links on the page. Note that it might take up to 30 minutes for your records to properly propagate on the internet so you might have to wait a bit for that.

Once you have verified that your setup is correct and has propagated, you can click on the “Download SSL Certificate” button. On the next page click on “Download All SSL Certificate Files” to download a zip of the generated certificates and a private key file.

Converting to PFX

Because your Azure app requires the certificate in PFX format and what you have now is a CRT certificate, you will need to do some converting. Usually this is done using tools like OpenSSL, which requires you to download the tool and execute some commands, but we are not going to do any of that. We are going the easy, fast and convenient way. So we head over to this very useful online SSL tool: https://www.sslshopper.com/ssl-converter.html.

Using the form on the page, upload your certificate.crt file as the certificate file to convert and private.key as the private key file. Skip the chain certificate fields and leave Type Of Current Certificate as Standard PEM. Then on Type To Convert To, select PFX/PKCS#12. Enter any easy to remember password you like in the Password field and make a note of it. You will need it later. Click on the Convert Certificate button to download your converted certificate.pfx certificate file. Now let’s head over to Azure.
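
The OpenSSL route mentioned above, as an added example that is not part of the original post: it performs the same conversion on your own machine, so private.key is never uploaded to a third-party site. The function names, the PFX_PASSWORD variable and the self-signed sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build certificate.pfx locally with OpenSSL.

# to_pfx CERT KEY OUT
# Bundles a PEM certificate and its private key into a PKCS#12 (PFX) file.
# The password comes from the PFX_PASSWORD environment variable, so it is
# not exposed in the process list or in shell history.
to_pfx() {
    cert=$1; key=$2; out=$3
    [ -n "${PFX_PASSWORD:-}" ] || { echo "set PFX_PASSWORD first" >&2; return 2; }
    # Refuse to bundle a key that does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    # umask 077 keeps the PFX (which contains the key) owner-readable only.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" \
          -out "$out" -passout env:PFX_PASSWORD )
}

# pfx_fingerprint PFX: SHA-256 fingerprint of the certificate inside the PFX.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# make_sample DIR: constructed self-signed stand-in for the downloaded files.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.com" \
        -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null
}

# Demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
PFX_PASSWORD='constructed-demo-password'; export PFX_PASSWORD
to_pfx "$demo_dir/certificate.crt" "$demo_dir/private.key" \
       "$demo_dir/certificate.pfx" &&
    pfx_fingerprint "$demo_dir/certificate.pfx"
```

With the real download, run to_pfx on the extracted certificate.crt and private.key and upload the resulting certificate.pfx to Azure as described below.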

Installing and Configuring on Azure

Log in to the Azure portal and go to the SSL Settings section of your web app.

Note that you must already have a custom domain set up for your web app to be able to install an SSL certificate for the app.

The first thing to do is upload the PFX certificate generated previously. The second is to bind the certificate to your domain name.

Click on the “Private Certificate (.pfx)” tab to open the certificate upload panel. Click on the Upload Certificate link to open the upload form in the side pane.

Select your PFX certificate file and enter the password you used while generating the PFX certificate in the password field (I told you you’ll need it later). Then click on the upload button at the bottom of the form to upload the certificate.

Next click on the Bindings tab to go back to the bindings panel. Then click on the Add SSL Binding button to open the SSL Bindings side pane.

Choose your domain name from the hostname dropdown field, and choose the certificate you just uploaded from the private certificate field. On the SSL Type field, choose “SNI SSL” (because the certificate is matched to your site by host name, using Server Name Indication, rather than by IP address), and click on the “Add Binding” button to complete the process.

You can now navigate to your website via HTTPS and look out for the green “Secured” lock icon!

Certificate Renewals

Just one more thing. Don’t forget to go back every three months and repeat these steps to renew your certificate. Like I mentioned earlier, this certificate is only good for three months!
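
A check for the renewal reminder above, as an added example that is not part of the original post: it reports which certificate files expire within a chosen number of days, so the manual steps can be repeated before the site starts serving an expired certificate. The function names and the self-signed sample certificates are constructed for the example.

```shell
#!/bin/sh
# Added example: flag certificates that are close to their expiry date.

# cert_status CERT [DAYS]
# Prints "ok" if CERT is still valid DAYS days from now (default 30),
# "renew" if it expires within that window, "unreadable" if it cannot be parsed.
cert_status() {
    cert=$1; days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo ok
    else
        echo renew
    fi
}

# renewal_report DAYS CERT...
# One tab-separated line per certificate: status, notAfter date, file name.
renewal_report() {
    days=$1; shift
    for c in "$@"; do
        end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$(cert_status "$c" "$days")" "${end:-n/a}" "$c"
    done
}

# make_sample_cert FILE DAYS: constructed self-signed certificate for the demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: a fresh three-month certificate and one with 10 days left.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/fresh.crt" 90
make_sample_cert "$demo_dir/old.crt" 10
renewal_report 30 "$demo_dir/fresh.crt" "$demo_dir/old.crt"
```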

Congratulations! You’ve made it to the end of this post!

If you like this post or find it interesting, please don’t hesitate to give it a clap or two or three; you know you can just keep clapping, and I’d appreciate it. Also feel free to share it!

You can also check out my other posts on Deploying Spring Boot Apps on Azure and Deploying Spring Boot App as Windows Service.
