Using a Centralized Trust Store for App Service and App Service Environments

Pallab Chakraborty 401 Reputation points
2021-01-27T04:31:54.1+00:00

Is it possible to use a centralized trust store so that an ASE/App Service can point to the centralized trust store?
This will help in preventing the ASE from having to be updated with the required configuration. So a centralized trust store, say per environment (DEV, UAT, PRD), is a better option which would help in simplifying management of certs.
Is the above possible, and if possible, can I use the same model for other resources like VMs and Functions that need to make outbound HTTPS connections?
What is happening is, app teams are now "baking in" required certs into compiled code, which is a bad practice with risk of outage if the baked cert expires or needs to be revoked, say.

Azure App Service

2 answers

  1. Grmacjon-MSFT 19,001 Reputation points
    2021-01-29T04:59:59.987+00:00

    Hi @Anonymous

    Thanks for your patience. Yes, I believe this is possible. Please check out this documentation:

    https://learn.microsoft.com/en-us/azure/app-service/environment/certificates#private-client-certificate

    "To upload the certificate to your app in your ASE:

    - Generate a .cer file for your certificate.

    - Go to the app that needs the certificate in the Azure portal.

    - Go to SSL settings in the app. Click Upload Certificate. Select Public. Select Local Machine. Provide a name. Browse and select your .cer file. Select upload.

    - Copy the thumbprint.

    - Go to Application Settings. Create an App Setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple certificates, you can put them in the same setting separated by commas and no whitespace, like

    84EC242A4EC7957817B8E48913E50953552DAFA6,6A5C65DC9247F762FE17BF8D4906E04FE6B31819

    The certificate will be available by all the apps in the same app service plan as the app, which configured that setting. If you need it to be available for apps in a different App Service plan, you will need to repeat the App Setting operation in an app in that App Service plan. To check that the certificate is set, go to the Kudu console and issue the following command in the PowerShell debug console:

    dir cert:\localmachine\root

    To perform testing, you can create a self-signed certificate and generate a .cer file with the following PowerShell:

    # Create a self-signed test certificate in the local machine's personal (My) store
    $certificate = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "*.internal-contoso.com","*.scm.internal-contoso.com"

    # Path to the new certificate in the store, addressed by its thumbprint
    $certThumbprint = "cert:\LocalMachine\My\" + $certificate.Thumbprint
    # Only needed for a .pfx export (Export-PfxCertificate); a -Type CERT export carries no private key
    $password = ConvertTo-SecureString -String "CHANGETHISPASSWORD" -Force -AsPlainText

    # Export the public certificate only, in DER (.cer) form, ready to upload to the app
    $fileName = "exportedcert.cer"
    Export-Certificate -Cert $certThumbprint -FilePath $fileName -Type CERT

    Hope that helps. If you have further questions please let us know.

    Best,
    Grace

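The check Grace describes ("dir cert:\localmachine\root") only lists the store; the following is an added example, not from the answer or the Microsoft docs, that reads the WEBSITE_LOAD_ROOT_CERTIFICATES app setting (assumed to be exposed to the Kudu PowerShell console as an environment variable), validates the comma-separated, no-whitespace format the docs require, and confirms each thumbprint is actually loaded into cert:\LocalMachine\Root and not expired or about to expire, which is the outage risk the question raises.

```powershell
# Added example: run in the Kudu PowerShell debug console to verify the root-cert setting.
# Test-RootCertificateSetting and its parameters are hypothetical names chosen here.
function Test-RootCertificateSetting {
    param(
        # Defaults to the live app setting; pass a string to check a value before deploying it.
        [string]$Setting = $env:WEBSITE_LOAD_ROOT_CERTIFICATES,
        # Flag certificates that expire within this many days.
        [int]$WarnDays = 30
    )

    if ([string]::IsNullOrEmpty($Setting)) {
        Write-Warning 'WEBSITE_LOAD_ROOT_CERTIFICATES is not set; no private roots will be loaded.'
        return
    }

    # The platform expects "THUMB1,THUMB2" with no whitespace; a stray space breaks the lookup.
    if ($Setting -match '\s') {
        Write-Warning 'Setting contains whitespace; remove it so every thumbprint is parsed.'
    }

    $installed = Get-ChildItem Cert:\LocalMachine\Root
    foreach ($thumb in ($Setting -split ',')) {
        $t = $thumb.Trim().ToUpperInvariant()

        # A SHA-1 thumbprint is exactly 40 hex characters.
        if ($t -notmatch '^[0-9A-F]{40}$') {
            [pscustomobject]@{ Thumbprint = $t; Status = 'InvalidFormat'; NotAfter = $null }
            continue
        }

        $cert = $installed | Where-Object Thumbprint -eq $t | Select-Object -First 1
        if (-not $cert) {
            # Uploaded under the wrong store, wrong App Service plan, or not yet picked up.
            [pscustomobject]@{ Thumbprint = $t; Status = 'NotLoaded'; NotAfter = $null }
            continue
        }

        $status = if ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                  elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { 'ExpiringSoon' }
                  else { 'OK' }
        [pscustomobject]@{ Thumbprint = $t; Status = $status; NotAfter = $cert.NotAfter }
    }
}

Test-RootCertificateSetting | Format-Table -AutoSize
```

Anything other than Status OK means outbound TLS from that app will fail validation against that root, so this is worth running per App Service plan after each certificate rotation.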

  2. Denis Kolman 1 Reputation point
    2021-07-22T14:52:01.463+00:00

    I have an app service with (P1v2) service plan and still no option to select localMachine as my store for a public certificate that we need for calling 3rd-party SOAP services.

    Is it possible to install this certificate to the local computer trusted root certificate store?

    Thanks
    Denis

