Is it possible to add an Enterprise self-signed SSL certificate to the trust store of an Azure App Service Environment?

McManis, Kenneth 20 Reputation points
2024-03-20T02:14:48.77+00:00

As the title suggests, we are running standard enterprise-level external traffic decryption and experiencing exceptions on the SSL validation step in our App Services. We are looking to remediate this in the most secure way possible in our Azure environment. According to the documentation here https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex#can-i-configure-a-private-ca-certificate-on-my-app it seems it is entirely possible in an ASE. Can I add our internal cert to the trust store in an App Service Environment? And would that then cause all the resources within to trust our cert just as our on-premises IIS environments do?

Azure App Service

Accepted answer
  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2024-03-20T12:24:07.3766667+00:00

    Hello McManis, Kenneth

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Regarding your questions, you would like to clarify your discoveries in the Microsoft documentation. You have asked the following:

    1. Can you add your internal cert to the trust store in an App Service Environment, and
    2. Would that then cause all the resources within to trust our cert just as our on-premises IIS environments do?

    To question 1: absolutely, yes. By adding your internal certificate to the trust store, you are essentially instructing the ASE to trust connections secured by that certificate, similar to how your on-premises IIS environments operate. However, always thoroughly test the changes to ensure they meet your security and operational requirements. There are some considerations to keep in mind:

    1. Having sufficient permissions to manage the trust store within the ASE.
    2. The certificate should be in the appropriate format (typically PEM or PFX).
    3. The impact is that adding your internal certificate to the trust store will make it trusted by resources within the ASE.
    4. Validate that the resources within the ASE are indeed trusting the certificate as expected.

    I hope this is helpful! Do not hesitate to let me know if you have any other question(s) on configurations.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam
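
For consideration 4 in the answer above (validating that resources in the ASE trust the certificate), the following Python probe is an added example, not part of the original answer or of Microsoft's tooling. It assumes a Python runtime is available where the app runs; `probe`, `classify_verify_error`, `issuer_name` and the host `service.example.internal` are hypothetical names. It performs a fully verified TLS handshake and separates "issuing CA not trusted" from expiry or hostname failures.

```python
import socket
import ssl

# OpenSSL verify codes that mean "the issuing CA is not in this trust store":
# 18/19 self-signed leaf or chain, 20/21 issuer certificate not found locally.
UNTRUSTED_ISSUER_CODES = {18, 19, 20, 21}
# Failures that adding a CA to the trust store will NOT fix.
OTHER_CODES = {9: "not-yet-valid", 10: "expired", 62: "hostname-mismatch"}


def classify_verify_error(err):
    """Map an ssl.SSLCertVerificationError to a short diagnosis."""
    code = getattr(err, "verify_code", None)
    if code in UNTRUSTED_ISSUER_CODES:
        return "untrusted-issuer"
    return OTHER_CODES.get(code, "other-verification-failure")


def issuer_name(peercert):
    """Flatten the issuer field of SSLSocket.getpeercert() into one string."""
    pairs = [pair for rdn in peercert.get("issuer", ()) for pair in rdn]
    return ", ".join(f"{key}={value}" for key, value in pairs)


def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with full verification; return (diagnosis, detail).

    cafile=None uses the platform trust store, which is what the app sees.
    Passing a PEM file checks the chain against only the CAs in that file.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # On success, the issuer shows which CA signed the chain.
                return "trusted", issuer_name(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return classify_verify_error(err), err.verify_message
    except OSError as err:  # DNS, refused, timeout, other TLS errors
        return "connection-error", str(err)


if __name__ == "__main__":
    # Placeholder target: replace with an endpoint the app actually calls.
    print(probe("service.example.internal"))
```

A result of `untrusted-issuer` with `cafile=None` means the app's trust store still lacks the signing CA; a `trusted` result whose issuer is the internal CA confirms the change took effect.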

