How do I use Azure App Services with a custom selfsigned certificate and a client certificate?

Stefan Schranz 21 Reputation points
2022-04-08T12:05:59.143+00:00

Hello,

I have a question regarding custom certificates for Azure App Service.

My organization is currently trying to move a service to Azure Functions, but the endpoint needs to supply a custom SSL certificate signed by our internal CA (Which in turn uses a few intermediate CAs as well).

I properly uploaded the pfx containing my chain, and also verified it on an IaaS deployment, where the certificate is properly applied.

On an App Service however, I run into https://stackoverflow.com/questions/66983185/app-service-not-returning-full-certificate-chain-with-custom-tls-binding as well, the intermediate certs of our custom cert are not delivered, and the client is effectively unable to perform a valid SSL handshake.

As indicated by the SO post I went ahead and setup an Application Gateway. This solves the SSL certificate situation, but with this option I am unable to forward the client certificate to my app service. I found some resources which indicate that I need an App Gateway v2 to customize headers and forward the client cert through a header instead, but to be honest, paying >100$ for app gateway ingress just to have this working is a no-go for test environments.

What options do I have? Basically both approaches only solve 50% of the equation it seems.

I would like to get rid of the additional gateway layer completely and just do the whole setup on an App Service, but it seems like self-signed certs signed through a custom internal CA just don't work.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,370 questions
0 comments No comments
{count} votes

Accepted answer
  1. ajkuma 24,736 Reputation points Microsoft Employee
    2022-04-11T16:00:03.713+00:00

    StefanSchranz-3721, Apologies for the delayed response from over the weekend. Thanks for posting this great question.

    Just to highlight, App Service has a list of Trusted Root Certificates which you cannot modify in the multi-tenant variant version of App Service, but you can load your own CA certificate in the Trusted Root Store in an App Service Environment (ASE), which is a single-tenant environment in App Service. (The Free, Basic, Standard, and Premium App Service Plans are all multi-tenant, and the Isolated Plans are single tenant.)

    As you indicated, yes when an app hosted on Azure App Service, tries to connect to a remote endpoint over SSL, it is important that the certificate on remote endpoint service is issued by a Trusted Root CA. If the certificate on the remote service is a self-signed certificate or a private CA certificate, then it will not be trusted by the instance hosting your app and the SSL handshake will fail with the error.

    So, in this case, there are two solutions:

    1.Use a certificate that is issued by one of the Trusted Root Certificate Authorities in App Service on the remote server.
    2.If the remote service endpoint certificate could not be changed or there is a need to use a private CA certificate, host your app on an App Service Environment (ASE) and load your own CA certificate in the Trusted Root Store

    Checkout this doc for more details on this - Root CA on App Service

    --We have feedback on this - Support for private intermediate CA – you may wish to upvote.

    Yes, I understand about the cost factor for App Gateway, just to highlight, the App Gateway is a regional service capable of hosting up to 100 endpoints. It would be one App Gateway per region per 100 sites behind the reverse proxy.

    The production-recommended solution is to configure Application Gateway and App Service to not override the hostname. Kindly see this doc - Preserve the original HTTP host name between a reverse proxy and its back-end web application

    --Please be assured that I have relayed your feedback internally to our product engineering team. Thanks for your valuable feedback.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful