Azure Content Delivery Network
An Azure service that provides global content delivery and acceleration.
Enable CDN MANAGED Certificate using Bicep
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 43%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
kade
11
Reputation points
I have been trying to enable CDN MANAGED Certificate using Bicep but I am not able to get it to work.
I used the PowerShell command: Enable-AzCdnCustomDomainHttps but it only enable the Default CDN Certificate but not the Managed one.
The certificate that I am using for the CDN is already created in different RG.
param profileName string = 'testresearchcdn'
@Allowed([
'Standard_Verizon'
'Premium_Verizon'
'Custom_Verizon'
'Standard_Akamai'
'Standard_ChinaCdn'
'Standard_Microsoft'
'Premium_ChinaCdn'
'Standard_AzureFrontDoor'
'Premium_AzureFrontDoor'
'Standard_955BandWidth_ChinaCdn'
'Standard_AvgBandWidth_ChinaCdn'
'StandardPlus_ChinaCdn'
'StandardPlus_955BandWidth_ChinaCdn'
'StandardPlus_AvgBandWidth_ChinaCdn'
])
param sku string = 'Standard_Microsoft'
param endpointName string = 'testresearchcdn'
@description('Whether the HTTP traffic is allowed.')
param isHttpAllowed bool = true
@description('Whether the HTTPS traffic is allowed.')
param isHttpsAllowed bool = true
@description('Query string caching behavior.')
@Allowed([
'IgnoreQueryString'
'BypassCaching'
'UseQueryString'
])
param queryStringCachingBehavior string = 'IgnoreQueryString'
@description('Content type that is compressed.')
param contentTypesToCompress array = [
'text/plain'
'text/html'
'text/css'
'application/x-javascript'
'text/javascript'
]
@description('Whether the compression is enabled')
param isCompressionEnabled bool = true
@description('Location for all resources.')
param location string = 'global'
resource testresearchcdn 'Microsoft.Cdn/profiles@2020-09-01' = {
name: profileName
location: location
properties: {}
sku: {
name: sku
}
}
resource Microsoft_Cdn_profiles_endpoints_testresearchcdn 'Microsoft.Cdn/profiles/endpoints@2020-09-01' = {
name: endpointName
parent: testresearchcdn
location: location
properties: {
originHostHeader: 'testresearchcdn.blob.core.windows.net'
isHttpAllowed: isHttpAllowed
isHttpsAllowed: isHttpsAllowed
queryStringCachingBehavior: queryStringCachingBehavior
contentTypesToCompress: contentTypesToCompress
isCompressionEnabled: isCompressionEnabled
origins: [
{
name: 'testresearchcdn-blob-core-windows-net'
properties: {
hostName: 'testresearchcdn.blob.core.windows.net'
}
}
]
}
}
resource test_researchcdn_example_com 'Microsoft.Cdn/profiles/endpoints/customDomains@2016-04-02' = {
name: 'test-researchcdn-example-com'
parent: Microsoft_Cdn_profiles_endpoints_testresearchcdn
properties: {
hostName: 'test-researchcdn-example-com'
}
}
resource example_wildcard_2019 'Microsoft.Cdn/profiles/secrets@2020-09-01' = {
name: 'KeyVault1'
parent: testresearchcdn
properties: {
parameters: {
type: 'CustomerCertificate'
certificateAuthority: 'OU=http://certs.godaddy.com/repository/'
secretSource: {
id: '/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/BIBProdPSEARG01/providers/Microsoft.KeyVault/vaults/xxxxxxxx/certificates/certName/xxxxxxxxxxxxxxxxxxxxxxxxxx'
}
secretVersion: ''
subjectAlternativeNames: [
'*.example.com'
'example.com'
]
useLatestVersion: false
}
}
dependsOn: [
test_researchcdn_example_com
]
}
Azure Content Delivery Network
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 27,671 Reputation points Microsoft Employee Moderator2022-01-05T18:17:09.473+00:00 Hello @kade , Is your Azure CDN custom domain a root or apex domain? if yes then CDN-managed certificates are not available for root or apex domains. Reference document -> https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate
If you custom domain is root or apex domain, then solution will be to use your own certificate and integrate it via Key-Vault, if I am not wrong I think you have already done this in the bicep script shared above.
Hope this helps, please let me know if you have any additional questions. Thank you! -
kade 11 Reputation points
2022-01-05T18:53:01.21+00:00 We are using our own Certificate. My only problem is to enable Custom Domain HTTPS to use my own Certificate with Bicep. I can do that on the portal. I have tried with arm template but i could not get it to work, this is why I am using bicep.
Here are my step:
// retrieve certificate
resource certificateName_resource 'Microsoft.Web/certificates@2021-02-01' existing = {
name: certificates_name
scope: resourceGroup('RG01')
}resource example_wildcard_2019 'Microsoft.Cdn/profiles/secrets@2020-09-01' = {
name: 'KeyVault1'
parent: testresearchcdn
properties: {
parameters: {
type: 'CustomerCertificate'
certificateAuthority: certificateName_resource.properties.issuer
secretSource: {
id: '/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG01/providers/Microsoft.KeyVault/vaults/xxxxxxxx/certificates/certName/xxxxxxxxxxxxxxxxxxxxxxxxxx'
}
secretVersion: ''
subjectAlternativeNames: [
'*.example.com'
'example.com'
]
useLatestVersion: false
}
}
dependsOn: [
test_researchcdn_example_com
]}
-
ChaitanyaNaykodi-MSFT 27,671 Reputation points Microsoft Employee Moderator
2022-01-06T08:38:03.413+00:00 Hello @kade , Thank you for the clarification. As we try an debug this issue could you please share any errors you got while running this bicep script?
-
kade 11 Reputation points
2022-01-06T15:16:44.477+00:00 Hello @ChaitanyaNaykodi-MSFT , thanks for getting back to me. This is the error im getting:
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed.
Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"BadRequest\",\r\n
\"message\": \"That action isn’t allowed in this profile.\"\r\n }\r\n}"}]}}When I set certificateAuthority: 'O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2' copied from the portal
Can you verify if I'm referencing the secretSource and certificateAuthority correct?
-
ChaitanyaNaykodi-MSFT 27,671 Reputation points Microsoft Employee Moderator
2022-01-10T03:56:04.537+00:00 Hello @kade , apologies for the delayed response here. I have reached out to the team internally regarding this issue, and I will make an update here as soon as I have a response. Thank you!
Sign in to comment
Sign in to answer