Are the Certificates uploaded to a Web App or Function App on Azure shared across all apps in the same Resource Group?

Omkar Khair 11 Reputation points
2020-09-10T13:09:01.057+00:00

I have 3 Function Apps running on their own independent App Service Plans, all deployed to a single Resource Group. One of the apps requires a private key certificate, which was uploaded to its certificate store (refer to the screenshot). I realized that the certificate starts appearing across all the function apps in the same resource group. I looked at the documentation and could not find this behavior documented: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code.


I initially suspected this to be rooted in my DevOps pipeline, where I assumed that these certificates were getting uploaded, but that did not turn out to be true. On further investigation, I realized that the Certificate Object ID in the REST API indicates that the certificate is scoped at the Resource Group level.

/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP_NAME}/providers/Microsoft.Web/certificates/{CERTIFICATE_THUMBPRINT}-{RESOURCE_GROUP_NAME}-{REGION}webspace

I want to know if my understanding is correct. If yes, where can I find the documentation explaining this behavior (I have most likely skipped reading some key literature)? If not, what could be leading to the functions sharing their certificates?

Note: I have been able to reproduce this behavior on another subscription with Web Apps.


1 answer

  1. MayankBargali-MSFT 70,941 Reputation points Moderator
    2020-09-11T07:11:55.827+00:00

    Hi @Anonymous

    This is expected behavior, as the certificates are uploaded to the webspace and the webspace is bound to the resource group. You can navigate to https://resources.azure.com/ and select your resource group. Under providers, you will find Microsoft.Web/certificates and you will see all certificates uploaded to your resource group.


    The ARM template states the same, as the type is "Microsoft.Web/certificates". Once you have uploaded the certificate, you then need to bind the certificate to the web app. The 'Automate the script' section talks about binding the uploaded SSL certificate to the web app.

    Thanks for your feedback as this is not documented and I will reach out to my team to document this behavior. Please let me know if you have any queries.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
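An audit sketch for the scoping described in this thread, added here as an example and not taken from the question, the answer or Microsoft: it parses certificate IDs of the shape quoted in the question and lists which apps share the certificate's resource group and region but were never meant to hold it. The function names, the inventory and the "intended" map are hypothetical, and the subscription ID, thumbprint and app names are constructed placeholders; it assumes visibility follows the resource group and region encoded in the ID.

```python
import re
from collections import defaultdict

# Shape of the certificate resource ID quoted in the question.
CERT_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Web/certificates/(?P<name>[^/]+)$", re.I)

def parse_cert_id(resource_id):
    """Split a certificate ID into (thumbprint, resource group, region)."""
    m = CERT_ID.match(resource_id.strip())
    if not m:
        raise ValueError("not a Microsoft.Web/certificates ID")
    rg, name = m["rg"], m["name"]
    # The group name may contain hyphens, so anchor on the value from the path
    # instead of splitting the certificate name on "-".
    n = re.fullmatch(r"(?P<thumb>[0-9A-Fa-f]{40})-" + re.escape(rg) +
                     r"-(?P<region>[^-]+)webspace", name, re.I)
    if not n:
        raise ValueError("name is not {thumbprint}-{group}-{region}webspace")
    return n["thumb"].upper(), rg.lower(), n["region"].lower()

def unintended_exposure(cert_ids, apps, intended):
    """Map thumbprint -> apps in the same webspace that were not meant to have it."""
    by_webspace = defaultdict(set)
    for app in apps:
        by_webspace[(app["rg"].lower(), app["region"].lower())].add(app["name"])
    report = {}
    for cid in cert_ids:
        thumb, rg, region = parse_cert_id(cid)
        extra = by_webspace[(rg, region)] - set(intended.get(thumb, ()))
        report[thumb] = sorted(extra)
    return report

# Constructed sample inventory (placeholder subscription, thumbprint and names).
THUMB = "AB" * 20
CERTS = ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         f"rg-payments/providers/Microsoft.Web/certificates/{THUMB}-rg-payments-WestEuropewebspace"]
APPS = [
    {"name": "func-signer", "rg": "rg-payments", "region": "westeurope"},
    {"name": "func-reports", "rg": "rg-payments", "region": "westeurope"},
    {"name": "func-public", "rg": "rg-payments", "region": "westeurope"},
    {"name": "func-batch", "rg": "rg-batch", "region": "westeurope"},
]
INTENDED = {THUMB: ["func-signer"]}

if __name__ == "__main__":
    for thumb, names in unintended_exposure(CERTS, APPS, INTENDED).items():
        print(thumb, "also appears for:", ", ".join(names) or "none")
```

A non-empty list for a private key certificate is the signal to move the app that needs the key into its own resource group.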
