Wildcard Azure App Service certificate usage for subdomains?

Question

Wildcard Azure App Service certificate usage for subdomains?

EnterpriseArchitect 6,041

I already have the Wildcard Azure App Service SSL certificate *.mydomain.com using: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

it is now available under the: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders

However, I have now the requirements to secure the application deployed using my subdomains:

*.Portal1.mydomain.com *.Portal2.mydomain.com ... *.PortalX.mydomain.com

Do I need to purchase any additional certificates for the Wildcard Azure App Service SSL certificate *.mydomain.com is already enough?

Any help would be greatly appreciated.

1 answer

Your answer

Answer 1

TP 123.9K Volunteer Moderator

Hi,

You will need new wildcard certificates since they only work for one level. For example, *.mydomain.com works for portal1.mydomain.com, portal2.mydomain.com, portal3.mdomain.com hosts, but will not work for host1.portal1.mydomain.com, host2.portal1.mydomain.com since they are at another level deep.

If you want you can obtain your wildcards for free from Let's Encrypt, but downside is you will need to script the renewals or manually upload them into app service.

Please click Accept Answer if the above was useful.

Thanks.

-TP

EnterpriseArchitect 6,041 Reputation points

2023-10-06T03:47:33.2566667+00:00

@T P ,

Thank you for the confirmation, what makes the wildcard SSL certificate different between the Azure App Service (GoDaddy) and the LetsEncrypt?
TP 123.9K Reputation points Volunteer Moderator

2023-10-06T06:05:55.2233333+00:00

Besides the fact that the Let's Encrypt certificates are free and App Service certificates are not free, the root certificate authority and the integration with app service.

With Let's Encrypt, there is no integration, so you would need to set up an Azure Automation job or similar to run daily. This job would check if certificate is nearing expiration (say, 1 month prior), if yes, run powershell script using posh-ACME (or similar) to obtain new certificate and replace it in your app service. Perhaps someone has written script for this already and made it available on GitHub, or maybe I'll post one at some point, unsure.
EnterpriseArchitect 6,041 Reputation points

2023-10-06T06:12:27.9+00:00

TP,

Yes, that does make sense.

Sure, please share the script here when you get the chance.

Thank you.
TP 123.9K Reputation points Volunteer Moderator

2023-10-06T06:28:33.1533333+00:00

Before making publicly available I need to document and add additional error handling/hardening so that it is able to be supported. This is time consuming due to the amount of potential different configurations, different ways people might accidentally set things up incorrectly, etc.

For above reasons I don't have timeframe when I will publish it, but it is something I will do eventually.

Share via

Wildcard Azure App Service certificate usage for subdomains?

1 answer

Your answer