A story about ssl certificates and their usage in azure webapps
The purpose of this is article is to describe my latest laboration with ssl-certificates in general and specifically the usage of them in azure, but lets start with some background.
I had my custom domain added to azure by following the procedure of adding dns records to my domain and import the domain for usage in my azure web app.
To have a secure website we want to have encrytpted communictation for our website to avoid exposure of sensitive data within the same network.
In azure you have https/ssl enabled by default for web-applications, with help of their domain azurewebsites.net, so this is not something that you need to care about as long as you dont add your custom domain.
But when we add our custom domain we need to bind a certificate to our custom domain and this is something that azure has built into their platform by navigating to App Service Certificates / Create. Unfortunately this costs a bit (for a smaller app). The price of today in azure is between 70 $( for single domain) and 300 $(for domain and all subdomains) per year.
So is there any way to avoid this cost for my internal website but still use my custom domain? For the only purpose of showing that I am hosting a serious website.
I wanted to see how far I got with creating my own self signed certificate. Which caused me more headache then I could imagine.
I have been generating some certificates before with help of IIS and openssl. And it was where I ended up this time as well after some googling.
There are really easy and good guides out there to generate self signed certificates with openssl.
I mostly use Windows and to run openssl commands you need linux. To do this I can recommend Windows Subsystem for Linux and install Ubuntu to easily run it in Windows when needed. And to browse the linux filesystem in windows simply type (to navigate to your generated certificates):
explorer.exe .
To generate the certificate I first used this command which failed in the last step below (I had openssl version 1.1.0 was preinstalled):
req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crtopenssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
Read this stackoverflow thread for more details of command usage.
Then I went to my web application in azure and clicked upload certificate and it seems to work as it should look like below.
But when trying to add the binding in the next step I got the error below.
Failed to add SSL binding. The certificate with thumbprint 'B65EA5ED6534A4233257062EE7F13E89701C643E' is invalid for SSL. The Enhanced Key Usage must be present and must contain Server Authentication (1.3.6.1.5.5.7.3.1).
To be able to run the command I had to set “key usage” to “server authentiction”. So I updated my ubuntu os with openssl 3 by following this guide. Then I could add the extra parameter to specify server authentication. I had openssl 1.1.0 installed which didnt have support for -addext parameter (which was added in OpenSSL 1.1.1).
Working version after upgrading OpenSSL (after iis export):
req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -addext "extendedKeyUsage=serverAuth"openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
When trying to upload the generated certificate I ended up with another arror instead (the password is incorrect, or the certificate is not valid)
I managed to get rid of the error by importing the certificate to IIS on windows and then exporting it like below.
After added our self signed certificate and binded it to our webapp, we still will receive an error similar to below (firefox):
The reason for this is that the browser has a list of trusted certificate authorities, for example see a list of mozillas trusted authorities here.
If you still want to use your self signed certificate and be able to allow it in the browser it can be done by adding the certificate as trusted in preferences (for firefox):
In my case I was building an internal application and I had no need to show the real url to the user, even though I wanted to have an easy url to navigate to. So in the end I decided to just do a simple redirect from the original url to the internal azure website. The way you can achive this in a .net application by adding the following to your. Since the azurewebsites.net domains already have cerificate set it serves the purpose to avoid the error but still be able to navigate through the custom domain.
<system.webServer>
<rewrite>
<rules>
<rule name="redirect-rule-name" enabled="true">
<match url="^(.*)$" />
<conditions>
<add input="{HTTP_HOST}" pattern="^subdomain\.domain\.com$" />
</conditions>
<action type="Redirect" url="https://redirect-domain.azurewebsites.net/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
Source list: