RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl below:

Secure Your Domain with TLS/SSL - Azure App Service

Important

Starting July 28, 2025, changes to App Service Managed Certificates (ASMC) will impact how certificates are issued and renewed in certain scenarios. While most customers donât need to take action, we recommend reviewing our ASMC detailed blog post for more information.

This article shows you how to provide security for the custom domain in your Azure App Service app or function app by creating a certificate binding. When you're finished, you can access your App Service app at the https:// endpoint for your custom Domain Name System (DNS) name. An example is https://www.contoso.com.

Prerequisites

Scale up your App Service app to one of the supported pricing tiers: Basic, Standard, or Premium.
Map a domain name to your app or buy and configure it in Azure.

Add the binding

In the Azure portal:

On the left pane, select App Services > <app-name>.
On the left pane of your app, select Custom domains.
Next to the custom domain, select Add binding.
If your app already has a certificate for the selected custom domain, you can select it in Certificate. If not, you must add a certificate by using one of the selections in Source:
- Create App Service Managed Certificate: Let App Service create a managed certificate for your selected domain. This option is the easiest. For more information, see Create a free managed certificate.
- Import App Service Certificate: In App Service Certificate, select the App Service certificate that you purchased for your selected domain.
- Upload certificate (.pfx): Follow the workflow at Upload a private certificate to upload a Personal Information Exchange file (PFX) certificate from your local machine and specify the certificate password.
- Import from Key Vault: Choose Select key vault certificate and select the certificate in the dialog.
In TLS/SSL type, select either SNI SSL or IP based SSL:
- SNI SSL: You can add multiple Server Name Indication (SNI) Secure Sockets Layer (SSL) bindings. This option allows multiple Transport Layer Security (TLS)/SSL certificates to help secure multiple domains on the same IP address. Most modern browsers (including Microsoft Edge, Chrome, Firefox, and Opera) support SNI. (For more information, see Server Name Indication.)
- IP based SSL: You can add only one IP SSL binding. This option allows only one TLS/SSL certificate to help secure a dedicated public IP address. After you configure the binding, follow the steps in Remap records for IP-based SSL. IP-based SSL is supported only in the Standard tier or higher.
When you add a new certificate, select Validate to validate the new certificate.
Select Add.

After the operation is complete, the custom domain's TLS/SSL state is changed to Secured.

A Secured state in Custom domains means that a certificate provides security. App Service doesn't check if the certificate is self-signed or expired, which can also cause browsers to show an error or warning.

Remap records for IP-based SSL

This step is needed only for IP-based SSL. For an SNI SSL binding, skip to Test HTTPS.

There are potentially two changes that you need to make:

By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.

Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, and then remap the A record to this new IP address.
If you have an SNI SSL binding to <app-name>.azurewebsites.net, remap any CNAME mapping to point to sni.<app-name>.azurewebsites.net instead. (Add the sni prefix.)

Test HTTPS

Browse to https://<your.custom.domain> in various browsers to verify that your app appears.

Your application code can inspect the protocol via the x-appservice-proto header. The header has a value of http or https.

If your app gives you certificate validation errors, you're probably using a self-signed certificate. If that's not the case, you probably left out intermediate certificates when you exported your certificate to the .pfx file.

Frequently asked questions How do I make sure that the app's IP address doesn't change when I make changes to the certificate binding?

Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This behavior is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps:

Upload the new certificate.
Bind the new certificate to the custom domain that you want without deleting the old one. This action replaces the binding instead of removing the old one.
Delete the old certificate.

Can I disable the forced redirect from HTTP to HTTPS?

By default, App Service forces a redirect from HTTP requests to HTTPS. To disable this behavior, see Configure general settings.

How can I change the minimum TLS versions for the app?

Your app allows TLS 1.2 by default. Industry standards such as PCI DSS recommend this TLS level. To enforce different TLS versions, see Configure general settings.

How do I handle TLS termination in App Service?

In App Service, TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted, inspect the X-Forwarded-Proto header.

Language-specific configuration guides, such as the Linux Node.js configuration guide, show how to detect an HTTPS session in your application code.

Automate with scripts Azure CLI

Bind a custom TLS/SSL certificate to a web app

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
$webapp = New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Sign in to your domain provider's website and configure the following records:"
Write-Host "A CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Write-Host "A TXT record that maps asuid.$fqdn to the domain verification ID $($webapp.CustomDomainVerificationId)"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the 
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the 
# hostname "www" and point it your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4