Clarification Needed: Certificate Bindings in Function Apps and App Services

Cosmina Alexandra Jelea (RO) 165 Reputation points
2023-08-28T06:12:51.5133333+00:00

Hello,

I'm seeking clarity on how certificates work in the context of Function Apps and App Services in Azure. Here's my current setup:

  • Multiple Function Apps have two certificates uploaded in their respective "Certificates" sections, the second being for testing.
  • Under "Custom Domains" for these Function Apps, there's no explicit certificate binding, only the default domain (*.azurewebsites.net).
  • Only two App Services have explicit bindings set, utilizing one of the mentioned certificates.

With this context, my questions are:

Does the presence of the certificates in the Function Apps simply result from a propagation since they share a resource group with the App Services? In essence, are the certificates in the Function Apps inactive due to no explicit bindings, making only the two App Services the real users of these certificates?

If the primary certificate used for the App Services expires, will Azure automatically bind and use the other available certificate? If not, do I need to manually set this binding? Without manual intervention post-expiration, will my App Services be rendered inaccessible?

I appreciate any insights you can provide. Thank you in advance!


Accepted answer
  1. SnehaAgrawal-MSFT 22,706 Reputation points Moderator
    2023-09-04T11:31:38.2866667+00:00

    @Cosmina Alexandra Jelea (RO)

    Thanks for reaching here! Yes, the presence of the certificates in the Function Apps may be due to propagation since they share a resource group with the App Services. The certificates in the Function Apps are inactive due to no explicit bindings, making only the two App Services the real users of these certificates.

    A certificate uploaded into an app is stored in a deployment unit that is bound to the app service plan's resource group and region combination (internally called a webspace). This makes the certificate accessible to other apps in the same resource group and region combination.

    If you are using a cert store (Key Vault) to store your SSL certificates, then you need to pass the Key Vault certificate URI as an application setting to the function app.

    You can store the public cert under the function app TLS/SSL settings and refer to this documentation for accessing the certificate in your application code.

    Regarding your second question, if the primary certificate used for the App Services expires, Azure will not automatically bind and use the other available certificate. You will need to manually set this binding. If you do not take any action post-expiration, your App Services will be rendered inaccessible.

    To avoid this situation, it is recommended that you set up a certificate renewal process to ensure that your certificates are always up to date.

    You may refer to the document link below, which would be helpful.

    Let us know if you have any further queries.

    1 person found this answer helpful.
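An added example, not part of the original question or answer: a Python audit that separates certificates that are merely visible in the resource group from those actually bound to a hostname, and flags bound certificates that are near or past expiry. It assumes input shaped like the JSON from `az webapp config ssl list` and the `hostNameSslStates` property of `az webapp show`; the app names, hostnames, thumbprints and dates are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: certificates visible in the resource group
# (shape of `az webapp config ssl list` output; values are made up).
CERTS = json.loads("""[
  {"subjectName": "www.example.com", "thumbprint": "AAAA1111",
   "expirationDate": "2023-10-01T00:00:00+00:00"},
  {"subjectName": "test.example.com", "thumbprint": "BBBB2222",
   "expirationDate": "2024-06-01T00:00:00+00:00"}
]""")

# Constructed sample: per-app hostNameSslStates (from `az webapp show`).
APPS = json.loads("""{
  "app-service-1": [
    {"name": "www.example.com", "sslState": "SniEnabled", "thumbprint": "AAAA1111"},
    {"name": "app-service-1.azurewebsites.net", "sslState": "Disabled", "thumbprint": null}],
  "func-app-1": [
    {"name": "func-app-1.azurewebsites.net", "sslState": "Disabled", "thumbprint": null}]
}""")

def audit(certs, apps, now, warn_days=30):
    """Classify each certificate as unbound, ok, expiring or expired."""
    bound = {}  # thumbprint -> [(app, hostname)] for hostnames with TLS enabled
    for app, states in apps.items():
        for s in states:
            if s.get("sslState") != "Disabled" and s.get("thumbprint"):
                bound.setdefault(s["thumbprint"].upper(), []).append((app, s["name"]))
    report = []
    for c in certs:
        tp = c["thumbprint"].upper()
        expires = datetime.fromisoformat(c["expirationDate"])
        users = bound.get(tp, [])
        if not users:
            status = "unbound"    # uploaded and visible, but serving no hostname
        elif expires <= now:
            status = "expired"    # binding needs a manual update to a valid cert
        elif expires - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append({"thumbprint": tp, "status": status,
                       "expires": expires, "bindings": users})
    return report

if __name__ == "__main__":
    for row in audit(CERTS, APPS, datetime.now(timezone.utc)):
        print(row["thumbprint"], row["status"], row["expires"].date(), row["bindings"])
```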
