Microsoft has finally created an option for free HTTPS certificates in Azure App Service, that is fully managed by them. Recently announced at Ignite 2019, we can now enable HTTPS for our own domains for free on Azure App Service!

How is this different from other options

This offering differs from existing options for HTTPS in that it is missing some of the features. Using a third-party certificate usually has the downside of having to do certificate management, rotation etc. You can also buy App Service Certificates from Azure, which have more features than the free offering, but do cost money of course.

Then there is of course Let's Encrypt, which this blog uses. But Let's Encrypt's integration in Azure is not very good. It's a bit of a mess where you kinda just hope all the components work every time to renew your certificates. I have had multiple times within the couple years that I have used it when the renewal didn't work for one reason or another. So having a managed certificate is certainly a nice thing.

So what are those missing features of this new free offering?

  • No wildcards
  • No apex domains
  • Cannot export the certificate
  • Can only enable if the custom domain is already added with an A / CNAME record (not TXT, so no live migrations to this)

The capability is in preview, so some of these limitations may be removed. In particular I'd like to see support for apex domains. I cannot use this feature on my blog since it is on an apex domain (joonasw.net instead of a sub-domain). A lot of applications we build for clients could use this though as those are often on sub-domains.

Enabling a free certificate

To test this capability, I first tried to enable it on one of my existing App Services. It already had a custom domain and an expired Let's Encrypt certificate. The renewal had gotten broken because I moved the app to another subscription.

I removed the Let's Encrypt extension, removed the existing TLS/SSL binding from the domain and went to add a certificate through the Create App Service Managed Certificate button (found under TLS/SSL settings -> Private Key Certificates).

But it did not work :(

Trying to add to existing leads to 504 errors

I also tried it with a new App Service, but got the same errors:

Again, failed with 504 timeout errors

504 Gateway Timeout errors for some reason from the API. I sent a support ticket, but got notified on Twitter that the issue should be fixed today :)

So, let's see the successful steps to adding one of these certificates:

Find the Create App Service Managed Certificate button in TLS/SSL settings

It's pretty easy right? Just select the domain and click Create:

Domain selected, Create button shown under it

And done, the certificate is valid for 6 months:

Successfully created certificate with validity time of 6 months

Well, almost done. Still have to add the TLS/SSL binding:

Adding TLS binding connecting the custom domain name to the newly added certificate

And now we are done! Here's the certificate chain as shown by Chrome:

Certification path showing the certificate and the GeoTrust intermediary and DigiCert root certficates above it

So the certificates come from DigiCert behind the scenes.

This is definitely a capability that will get used in projects later! A great step to securing the Web as well 👏