Bind a custom TLS/SSL certificate to an App Service app using CLI

This sample script creates an app in App Service with its related resources, then binds the TLS/SSL certificate of a custom domain name to it. For this sample, you need:

  • Access to your domain registrar's DNS configuration page.
  • A valid .PFX file and its password for the TLS/SSL certificate you want to upload and bind.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

Sample script

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com.

When Cloud Shell opens, verify that Bash is selected for your environment. Subsequent sessions will use Azure CLI in a Bash environment. Select Copy to copy the blocks of code, paste them into the Cloud Shell, and press Enter to run them.

Sign in to Azure

Cloud Shell is automatically authenticated under the account you initially signed in with. Use the following script to sign in using a different subscription, replacing <subscriptionId> with your Azure subscription ID.

subscription="<subscriptionId>" # add subscription here

az account set -s "$subscription" # ...or use 'az login'

For more information, see set active subscription or log in interactively.

To create the web app

# Bind a custom TLS/SSL certificate to an App Service app
# set -e # exit if error
# Variable block
let "randomIdentifier=$RANDOM*$RANDOM"
location="East US"
resourceGroup="msdocs-app-service-rg-$randomIdentifier"
tag="configure-ssl-certificate-webapp-only.sh"
appServicePlan="msdocs-app-service-plan-$randomIdentifier"
webapp="msdocs-web-app-$randomIdentifier"

# Create a resource group.
echo "Creating $resourceGroup in $location..."
az group create --name "$resourceGroup" --location "$location" --tags "$tag"

# Create an App Service plan in Basic tier (minimum required by custom domains).
echo "Creating $appServicePlan"
az appservice plan create --name "$appServicePlan" --resource-group "$resourceGroup" --sku B1

# Create a web app.
echo "Creating $webapp"
az webapp create --name "$webapp" --resource-group "$resourceGroup" --plan "$appServicePlan"

# Copy the result of the following command into a browser to see the static HTML site.
site="http://$webapp.azurewebsites.net"
echo "$site"
curl "$site"

Map your prepared custom domain name to the web app

  1. Create the following variable containing your fully qualified domain name.

    fqdn="<Replace with www.{yourdomain}>"
    
  2. Configure a CNAME record that maps your fully qualified domain name to your web app's default domain name ($webapp.azurewebsites.net).

  3. Map your domain name to the web app.

    az webapp config hostname add --webapp-name "$webapp" --resource-group "$resourceGroup" --hostname "$fqdn"
    
    echo "You can now browse to http://$fqdn"
    

Upload and bind the SSL certificate

  1. Create the following variables containing your PFX path and password.

    pfxPath="<replace-with-path-to-your-.PFX-file>"
    pfxPassword="<replace-with-your-.PFX-password>"
    
  2. Upload the SSL certificate and get the thumbprint.

    thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" --certificate-password "$pfxPassword" --name "$webapp" --resource-group "$resourceGroup" --query thumbprint --output tsv)
    
  3. Bind the uploaded SSL certificate to the web app.

    az webapp config ssl bind --certificate-thumbprint "$thumbprint" --ssl-type SNI --name "$webapp" --resource-group "$resourceGroup"
    
    echo "You can now browse to https://$fqdn"
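
A local pre-flight check for the .PFX before the upload step above, as an added example that is not part of the original script: it confirms that the file opens with the password, that the certificate is not about to expire and that it covers the custom domain, then prints the SHA-1 thumbprint to compare with the value az webapp config ssl upload returns. The function names check_pfx and make_demo_pfx and the PFX_PASSWORD environment variable are assumptions, and the openssl command-line tool must be installed.

```shell
# Added example (not from the article): validate a .PFX locally before
# running `az webapp config ssl upload`. Function names are hypothetical.

# check_pfx <pfx-file> <fqdn> [min-days-valid]
# The password is read from the PFX_PASSWORD environment variable, so it is
# not exposed on the openssl command line. On success, prints the SHA-1
# thumbprint (uppercase hex, no colons).
# Returns: 1 = cannot open, 2 = expires too soon, 3 = hostname mismatch.
check_pfx() {
  local pfx="$1" host="$2" days="${3:-30}" cert
  # Extract only the leaf certificate; the private key stays in the PFX.
  cert=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASSWORD -nokeys -clcerts 2>/dev/null) \
    || { echo "cannot open $pfx: wrong password or corrupt file" >&2; return 1; }
  # -checkend exits non-zero if the certificate expires within N seconds.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "certificate expires within $days days" >&2; return 2; }
  # Match on the message -checkhost prints rather than on its exit status.
  printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$host" \
    | grep -q 'does match certificate' \
    || { echo "certificate does not cover $host" >&2; return 3; }
  printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# make_demo_pfx <out-file> <fqdn> <days>
# Builds a constructed, self-signed PFX for trying check_pfx offline.
make_demo_pfx() {
  local out="$1" host="$2" days="$3" dir
  dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$host" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null \
  && openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$out" -passout env:PFX_PASSWORD
  local rc=$?
  rm -rf "$dir"
  return $rc
}
```

With PFX_PASSWORD exported, call check_pfx "$pfxPath" "$fqdn" and compare its output with $thumbprint after the upload; a mismatch means a different certificate was uploaded than the one you checked.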
    

Clean up resources

Unless you have an ongoing need for these resources, use the az group delete command to remove the resource group and all resources associated with it. Some of these resources may take a while to create, as well as to delete.

az group delete --name $resourceGroup

Sample reference

This script uses the following commands. Each command in the table links to command-specific documentation.

| Command | Notes |
|---|---|
| az group create | Creates a resource group in which all resources are stored. |
| az appservice plan create | Creates an App Service plan. |
| az webapp create | Creates an App Service app. |
| az webapp config hostname add | Maps a custom domain to an App Service app. |
| az webapp config ssl upload | Uploads a TLS/SSL certificate to an App Service app. |
| az webapp config ssl bind | Binds an uploaded TLS/SSL certificate to an App Service app. |

Next steps

For more information on the Azure CLI, see Azure CLI documentation.

Additional App Service CLI script samples can be found in the Azure App Service documentation.