I have Azure Web Apps with the custom domains already up and running in the production environment service as service.domain.com, the SSL certificate has expired today and I wanted to integrate the Wild Card App Service certificate that I have purchased *.domain.com How can I achieve this and what steps must I take to prevent outage of the Web App? Thank you.

@EnterpriseArchitect If you have already purchased the Wildcard App Service certificate from Azure you can simply select the certificate from the list of available certificates in the "Bindings" section of the "TLS/SSL settings" page for your App Service app. To do this, follow these steps: Go to the Azure portal and navigate to your App Service app. In the left-hand menu, click on "custom domains" blade Click on "Add binding" and add a new binding for your custom domain. Select the Wildcard App Service certificate from the dropdown menu and click "Add binding". Note there is not really a risk of downtime since your certificate is already expired. One final item, if you were using an IP based SSL binding, there is a chance your inbound IP address will likely change over the next week or two (letting IP based SSL expire puts the private IP address back into the pool of available addresses for other customers). If your original binding was SNI SSL, you have nothing to worry about. Once you have completed these steps, your Wildcard App Service certificate will be bound to your custom domain, and you can proceed with configuring auto-renewal.

Configuring the Wildcard App Service certificate to auto renew on the Azure Web Apps ?

Accepted answer

brtrach-MSFT 15,256 Reputation points Microsoft Employee

2024-02-15T03:24:51.15+00:00
@EnterpriseArchitect If you have already purchased the Wildcard App Service certificate from Azure you can simply select the certificate from the list of available certificates in the "Bindings" section of the "TLS/SSL settings" page for your App Service app.

To do this, follow these steps:

Go to the Azure portal and navigate to your App Service app.

In the left-hand menu, click on "custom domains" blade

Click on "Add binding" and add a new binding for your custom domain.

Select the Wildcard App Service certificate from the dropdown menu and click "Add binding".

Note there is not really a risk of downtime since your certificate is already expired.

One final item, if you were using an IP based SSL binding, there is a chance your inbound IP address will likely change over the next week or two (letting IP based SSL expire puts the private IP address back into the pool of available addresses for other customers). If your original binding was SNI SSL, you have nothing to worry about.

Once you have completed these steps, your Wildcard App Service certificate will be bound to your custom domain, and you can proceed with configuring auto-renewal.
Please sign in to rate this answer.

1 person found this answer helpful.
EnterpriseArchitect 4,741 Reputation points

2024-02-15T05:32:39.8733333+00:00

Hi @brtrach-MSFT ,
Not sure if this is the limitations of the Azure Key Vault (AKV) or the Azure App Service Certificate (ASC), I have purchased The Wildcard SSL certificate to secure my Web Apps and App Service, using this procedure: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?source=recommendations&tabs=portal#buy-and-configure-an-app-service-certificate However, I cannot view or select the SSL Certificate in the KeyVault under the Web App | Settings | Custom Domains. Does this mean, the Azure KeyVault limitation cannot Automatically export or publish the Certificate under Key V__ault | Objects | Certificates__? My goal here is to make the Web App SSL certificate auto-renew forever, so I do not need to manually Export the Wildcard App Service certificate to the Key vault | Objects | Certificates section every year, and then update the binding under Web App | Settings | Custom Domains section.

brtrach-MSFT 15,256 Reputation points Microsoft Employee

2024-02-21T21:32:42+00:00

@EnterpriseArchitect If you purchased the wildcard cert through the App Service Certificates product in Azure, it should be straight forward. I completed the same process as your described and have left my notes below. As you can see, I am able to select the SSL certificate in the Web App > Settings > Custom Domains section. My best guess is that you may not have completed step 1, which in my case, I was not able to see the wildcard certificate. You should not have to export the certificate as it's automatically placed into a key vault when completing step 1 as shown in the below screenshot.

First item is to go to App Service Certificates and select your wildcard certificate

Under Settings go to "Certificate Configuration"

Ensure that you have completed all three steps below and that you've got three green check marks

From here, go to the Web App>Settings>Custom domains>Add binding.

Select Source as "import App Service Certificates"

Note that your certificates must have been issued (check the status of your cert if it does not show up. It may not have completed validation with the issuer and this might be your issue. I assume your certificate is not expired since you just purchased it.

If you have followed the above steps and auto renewal is turned on, you will not have to do anything as the certificate will update going forward.

If you manually exported the wild card cert, added it to a key vault, and are now trying to manually add it to a web app, this will not work with auto renewal and will require you to manually add it.

Please review the above and let me know the outcome. We look forward to your reply.

EnterpriseArchitect 4,741 Reputation points

2024-02-22T01:49:07.3766667+00:00

@brtrach-MSFT ,
Many thanks yes, it now makes more sense. I appreciate your detailed instructions.

brtrach-MSFT 15,256 Reputation points Microsoft Employee

2024-02-22T03:32:30.18+00:00

@EnterpriseArchitect Glad to help! I hope you have a great day.
Sign in to comment

Configuring the Wildcard App Service certificate to auto renew on the Azure Web Apps ?

0 additional answers