Create and assign a wildcard App Service Certificate


For more details on creating an App Service Certificate see How to Create an App Service Certificate.

In order to deploy this template, you need to have the following resources:

  1. A Key Vault (specified in 'existingKeyVaultId' parameter)
  2. An App Service app (specified in 'existingAppName' parameter)
  3. An App Service Domain (specified in 'rootHostName' parameter)

By default, the 'Microsoft.CertificateRegistration' and 'Microsoft.Web' resource providers (RPs) don't have access to the Key Vault specified in the template, so you need to authorize these RPs by running the following PowerShell commands before deploying the template:

# Select the subscription that contains the Key Vault
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
# Microsoft.CertificateRegistration RP: needs to read, write and remove the certificate secret
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName f3c21649-0979-4721-ac85-b0216b2cf413 -PermissionsToSecrets get,set,delete
# Microsoft.Web RP: only needs to read the secret when binding the certificate to the app
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

The ServicePrincipalName parameter identifies these RPs in your tenant and is the same for all Azure subscriptions. This is a one-time operation: once you have configured a Key Vault this way, you can use it to store as many App Service Certificates as you want without running these PowerShell commands again. See the Key Vault documentation for more information.
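The following script is an added example and is not part of the quickstart template: it applies the two access policies above and then reads the vault back to confirm that each RP ended up with exactly the secret permissions it needs and nothing broader (no extra secret permissions, no key or certificate permissions). It uses the AzureRM cmdlets the commands above rely on; the assumption that Get-AzureRmADServicePrincipal -ServicePrincipalName resolves an application ID to its service principal in your tenant, the parameter names and the placeholder values are mine.

```powershell
# Added example, not the template's own code. Grants the App Service RPs the Key Vault
# secret permissions the template needs, then verifies the resulting access policies.
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionId,   # AZURE_SUBSCRIPTION_ID
    [Parameter(Mandatory = $true)] [string] $VaultName         # KEY_VAULT_NAME
)

# Application IDs of the two RPs (from the commands above), each mapped to the
# minimal secret permissions it needs for this template.
$requiredPolicies = @{
    'f3c21649-0979-4721-ac85-b0216b2cf413' = @('get', 'set', 'delete')  # Microsoft.CertificateRegistration
    'abfa0a7c-a6b6-4736-8310-5855508787cd' = @('get')                   # Microsoft.Web
}

Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# Step 1: grant the policies (same effect as the two Set-AzureRmKeyVaultAccessPolicy commands above).
foreach ($appId in $requiredPolicies.Keys) {
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
        -ServicePrincipalName $appId `
        -PermissionsToSecrets $requiredPolicies[$appId]
}

# Step 2: read the vault back and compare each RP's effective permissions with the required set.
$vault = Get-AzureRmKeyVault -VaultName $VaultName

foreach ($appId in $requiredPolicies.Keys) {
    # Assumption: -ServicePrincipalName accepts the application ID and returns the
    # tenant's service principal for that RP, whose Id matches the access policy ObjectId.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
    if (-not $sp) { Write-Warning "No service principal for $appId in this tenant"; continue }

    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) { Write-Warning "No access policy for $appId on vault $VaultName"; continue }

    $granted  = @($policy.PermissionsToSecrets | ForEach-Object { $_.ToLower() })
    $required = @($requiredPolicies[$appId])
    $missing  = @($required | Where-Object { $granted -notcontains $_ })
    $extra    = @($granted  | Where-Object { $required -notcontains $_ })

    if ($missing.Count -gt 0) {
        Write-Warning ("{0} is missing secret permissions: {1}" -f $appId, ($missing -join ','))
    } elseif ($extra.Count -gt 0) {
        # More than the template needs: tighten the policy rather than leave it over-privileged.
        Write-Warning ("{0} has more secret permissions than required: {1}" -f $appId, ($extra -join ','))
    } elseif ($policy.PermissionsToKeys -or $policy.PermissionsToCertificates) {
        Write-Warning "$appId also holds key or certificate permissions the template does not need"
    } else {
        Write-Output ("{0}: secrets={1} (as required)" -f $appId, ($granted -join ','))
    }
}
```

Run it once per Key Vault, before deploying the template, with your subscription ID and vault name as the two parameters; because the verification step compares against the required set rather than just checking that a policy exists, it also flags a vault where an earlier, broader grant was left in place.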

The Web App and domain resources need to be in the same resource group. The Web App should have 'rootHostName' and its www subdomain assigned as custom domains.

Tags: Microsoft.CertificateRegistration/certificateOrders, Microsoft.DomainRegistration/domains/domainOwnershipIdentifiers, Microsoft.CertificateRegistration/certificateOrders/certificates, Microsoft.Web/certificates, Microsoft.Web/sites