Azure Managed Certificates are a game-changer for secure apps. They eliminate the need for manual certificate management, which can be a tedious and error-prone process.
With Azure Managed Certificates, you can automate the issuance, renewal, and revocation of SSL/TLS certificates, ensuring your app remains secure and trusted by users.
This feature is available for Azure App Service and Azure Functions, making it a convenient solution for developers who need to secure their web applications and APIs.
Azure Managed Certificates are also integrated with Azure Key Vault, allowing you to store and manage your certificates securely and easily.
Certificate Management
Certificate management in Azure is a straightforward process. You can manage certificates from the Azure Portal by browsing to your web app, clicking on the "TLS/SSL settings" section, and selecting the "Private Key Certificates (.pfx)" tab.
To create a free managed certificate, you'll need to meet the prerequisites, such as having a custom domain and an A record pointing to your web app's IP address. Free certificates are issued by DigiCert, and you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.
You can upload up to 1000 public certificates per App Service Plan, and each uploaded certificate is only accessible by the app it's uploaded to. To renew an uploaded certificate, you'll need to follow a specific sequence of steps to avoid downtime for your app due to HTTPS errors.
Managing Certs
You can create a free managed certificate in the Azure portal, which is a turn-key solution for securing your custom DNS name in App Service. This certificate is fully managed by App Service and is automatically renewed every six months.
To create one, your app must meet the prerequisites: an A record pointing to your web app's IP address, and the app must be publicly accessible. For some domains you also need to create a CAA domain record with the value 0 issue digicert.com.
Free certificates are issued by DigiCert. You can view the newly created certificate in the resource group after selecting the "show hidden items" checkbox; it has the type "cert" and is named after the DNS name.
Here are the limitations of free certificates:
- Doesn't support wildcard certificates.
- Doesn't support usage as a client certificate by using certificate thumbprint, which is planned for deprecation and removal.
- Doesn't support private DNS.
- Isn't exportable.
- Isn't supported in an App Service Environment.
- Only supports alphanumeric characters, dashes (-), and periods (.).
- Only custom domains of length up to 64 characters are supported.
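A preflight check for the prerequisites and limits listed above, written as an added example (not Azure's or Microsoft's code): it validates the custom domain against the name rules, then parses the domain's CAA set to confirm digicert.com is authorised to issue. `dig` is assumed for the live lookup; the lookup also walks up to parent names, since the closest ancestor's CAA record is the one that applies.

```shell
#!/bin/sh
# Preflight for an App Service free managed certificate (added example).
# check_domain and caa_allows are pure shell; caa_check_live needs `dig`.

# The name rules from the limitations list: alphanumerics, dashes and periods,
# no wildcard, at most 64 characters.
check_domain() {
  d=$1
  [ -n "$d" ] || return 1
  case "$d" in
    '*'*) return 1 ;;               # wildcard certificates are not supported
    *[!A-Za-z0-9.-]*) return 1 ;;   # any other character is rejected
  esac
  [ "${#d}" -le 64 ]
}

# Read CAA records in `dig +short` form (0 issue "digicert.com") on stdin and
# succeed when issuer $1 may issue a non-wildcard certificate.
# An empty set, or a set with no "issue" tag, does not restrict issuance
# (RFC 8659); an "issue" tag for another CA, or issue ";", blocks it.
caa_allows() {
  ca=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v ca="$ca" '
    $2 == "issue" {
      v = tolower($3); gsub(/"/, "", v); sub(/;.*/, "", v)   # drop quotes, parameters
      seen = 1; if (v == ca) ok = 1
    }
    END { exit (!seen || ok) ? 0 : 1 }'
}

# The relevant CAA set is the closest ancestor that has one (RFC 8659 section 3),
# so walk from the host toward the apex until a CAA answer appears.
caa_check_live() {
  name=$1; rrset=""
  while [ -n "$name" ]; do
    rrset=$(dig +short CAA "$name")
    [ -n "$rrset" ] && break
    case "$name" in *.*) name=${name#*.} ;; *) name="" ;; esac
  done
  printf '%s\n' "$rrset" | caa_allows "$2"
}

# Usage: sh preflight.sh www.contoso.com
if [ -n "${1:-}" ]; then
  check_domain "$1" || { echo "name violates the free-certificate limits"; exit 1; }
  caa_check_live "$1" digicert.com || { echo "CAA does not allow digicert.com"; exit 1; }
  echo "ok: $1 passes the free managed certificate preflight"
fi
```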
You can also upload a public certificate to an app, which is only accessible by the app it's uploaded to. Public certificates must be uploaded to each individual web app that needs access.
Renew Uploaded Item
To avoid downtime for your app due to HTTPS errors, it's essential to renew an uploaded certificate carefully.
If you're renewing a certificate that's already in an IP-based binding, deleting the binding might change your app's IP address.
To prevent this, upload the new certificate first.
Then, follow these steps to update the certificate binding without changing your app's IP address:
- Go to the Custom domains page for your app, select the ... button, and then select Update binding.
- Select the new certificate and then select Update.
- Delete the existing certificate.
This sequence ensures that your app's IP address remains unchanged, and your users don't experience any disruptions.
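The same three steps scripted with the az CLI, as an added example that is not part of the page's procedure; the resource names, the .pfx path and password, and the thumbprints are placeholders. It adds the check a practitioner wants before the old certificate is deleted: the certificate actually served on the hostname must already be the new one.

```shell
#!/bin/sh
# Renew an uploaded .pfx certificate without disturbing the IP-based binding
# (added example; all names, paths and thumbprints are placeholders).
set -eu
RG=my-resource-group; APP=my-webapp; HOST=www.contoso.com
NEW_PFX=./renewed.pfx; NEW_PFX_PASSWORD=pfx-password
OLD_THUMBPRINT=0000000000000000000000000000000000000000

# Turn "SHA1 Fingerprint=AB:CD:..." (openssl) or a colon-separated thumbprint
# into the bare upper-case hex form that App Service reports.
normalize_thumbprint() {
  printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# SHA-1 thumbprint of the certificate presented on $1:443 (uses SNI).
served_thumbprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1
}

renew_uploaded_cert() {
  # 1. Upload the renewed certificate first; the current binding stays in place.
  new=$(az webapp config ssl upload -g "$RG" -n "$APP" \
        --certificate-file "$NEW_PFX" --certificate-password "$NEW_PFX_PASSWORD" \
        --query thumbprint -o tsv)
  # 2. Re-point the existing IP-based binding at the new certificate.
  az webapp config ssl bind -g "$RG" -n "$APP" \
    --certificate-thumbprint "$new" --ssl-type IP
  # Check what clients actually receive before touching the old certificate.
  got=$(normalize_thumbprint "$(served_thumbprint "$HOST")")
  if [ "$got" != "$(normalize_thumbprint "$new")" ]; then
    echo "served $got, expected $new: leaving the old certificate in place" >&2
    return 1
  fi
  # 3. Only now delete the old certificate.
  az webapp config ssl delete -g "$RG" --certificate-thumbprint "$OLD_THUMBPRINT"
}

# Usage: sh renew.sh run
if [ "${1:-}" = run ]; then renew_uploaded_cert; fi
```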
Azure Key Vault
Azure Key Vault is a centralized location to store and manage your SSL certificates securely. It simplifies operations and provides a single point of access for all your certificates.
You can import a certificate from Key Vault into App Service if you meet the requirements. This involves selecting the subscription, key vault, and certificate from a list, and then validating and adding the certificate.
Azure Key Vault offers several benefits when used with App Service:
- All SSL certificates can be stored securely and managed from a centralized location.
- A new certificate version can be created for all assigned websites using Azure Key Vault.
- Specific permissions, such as Get, List, Update, Create, Import, Delete, Recover, Backup, and Restore can be assigned to applications for access control.
- The solution can be managed from the Azure Portal with no/minimal coding.
To deploy an Azure Web App certificate using Azure Key Vault, you need to follow these steps. First, create an App Service plan that supports TLS/SSL bindings or enables client certificates. Then, create a system-assigned identity for your app to access the certificates in Azure Key Vault.
You'll also need to create an Azure Key Vault in the same resource group as your App Service app, and generate and download a pfx file containing the public key file, SSL certificate file, and associated private key file.
App Service Configuration
To configure App Service for managed certificates, you'll need to import a certificate from your vault to your app. This involves selecting the key vault that has the certificate you want to import, choosing a PKCS12 certificate from the list, and then validating and adding it to the Bring your own certificates list.
To securely bind a custom domain with this certificate, you'll still need to create a certificate binding. This is done by following the steps in "Secure a custom DNS name with a TLS/SSL binding in Azure App Service".
Alternatively, you can use the free App Service Managed Certificate, which is a turn-key solution for securing custom DNS names in App Service. This certificate can be imported into the App Service TLS/SSL settings and confirmed to be working by checking that the site opens with HTTPS.
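The Key Vault path described above, end to end, as an added example in the az CLI (not Microsoft's own script): plan, app, system-assigned identity, vault, certificate import into the vault and then into the app, hostname binding, and a final HTTPS check. Every resource name, path and password is a placeholder, and `DRY_RUN=1` prints the commands instead of running them. It also chooses between an access policy and an RBAC role assignment, since newly created vaults default to RBAC.

```shell
#!/bin/sh
# Deploy a Key Vault certificate to an App Service app and bind a custom domain
# (added example; every name, path and password below is a placeholder).
set -eu
RG=my-resource-group; LOCATION=westeurope; PLAN=my-plan; APP=my-webapp
KV=my-kv-placeholder; CERT_NAME=www-contoso-com; PFX=./www-contoso-com.pfx
PFX_PASSWORD=pfx-password; HOST=www.contoso.com

# run: execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Give principal $3 read access to certificates and their secrets in vault $2
# (the private key is stored as the secret). $1 is "true" when the vault uses
# Azure RBAC instead of access policies, which is the default for new vaults.
kv_grant_access() {
  if [ "$1" = true ]; then
    scope=$(run az keyvault show -n "$2" --query id -o tsv)
    run az role assignment create --assignee-object-id "$3" \
      --assignee-principal-type ServicePrincipal \
      --role "Key Vault Secrets User" --scope "$scope"
  else
    run az keyvault set-policy -n "$2" --object-id "$3" \
      --secret-permissions get --certificate-permissions get
  fi
}

deploy() {
  run az appservice plan create -g "$RG" -n "$PLAN" -l "$LOCATION" --sku B1  # Basic+ allows TLS bindings
  run az webapp create -g "$RG" -p "$PLAN" -n "$APP"
  principal=$(run az webapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv)
  run az keyvault create -g "$RG" -n "$KV" -l "$LOCATION"   # same resource group as the app
  run az keyvault certificate import --vault-name "$KV" -n "$CERT_NAME" \
    -f "$PFX" --password "$PFX_PASSWORD"
  rbac=$(run az keyvault show -n "$KV" --query properties.enableRbacAuthorization -o tsv)
  kv_grant_access "$rbac" "$KV" "$principal"
  # If this import is refused, Microsoft's docs also require the same read
  # access for the "Microsoft Azure App Service" resource provider principal.
  thumb=$(run az webapp config ssl import -g "$RG" -n "$APP" \
    --key-vault "$KV" --key-vault-certificate-name "$CERT_NAME" --query thumbprint -o tsv)
  # Adding the hostname needs the domain's A/CNAME and asuid TXT records in place.
  run az webapp config hostname add -g "$RG" --webapp-name "$APP" --hostname "$HOST"
  run az webapp config ssl bind -g "$RG" -n "$APP" --certificate-thumbprint "$thumb" --ssl-type SNI
  # Confirm the site opens over HTTPS with a chain curl trusts (-f fails on errors).
  run curl -fsS -o /dev/null "https://$HOST" && echo "HTTPS binding OK for $HOST"
}

# Usage: sh deploy.sh deploy   (DRY_RUN=1 sh deploy.sh deploy previews the commands)
if [ "${1:-}" = deploy ]; then deploy; fi
```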
Outbound Calls from App
Making outbound calls from your app with a client certificate takes some setup.
You can make outbound calls using a private CA client certificate from your app, but only if you're using a Windows container app in a multi-tenant App Service.
This is also supported in App Service Environment version 3, for both code-based and container-based apps.
For more information on App Service multi-tenant vs. single-tenant, check out the comparison between App Service Environment v3 and App Service public multitenant.
Configure Authentication Binding Policy
The authentication binding policy determines the strength of authentication to either a single factor or multifactor. It's a crucial step in configuring your App Service.
You can change the default value from single factor to multifactor and configure custom policy rules by mapping to issuer Subject, policy OID or by combining Issuer Subject and Policy OID fields in the certificate. This allows for more granular control over authentication.
The protection level attribute has a default value of Single-factor authentication. Selecting Multifactor authentication changes the default value to MFA.
To configure custom authentication binding rules, you can follow the relevant Microsoft documentation. This will give you more flexibility in controlling the issuance of MFA claims for Microsoft Entra ID CBA authentication.
You can create multiple rules to map certificate attributes, such as Issuer, Policy OID, or Issuer and Policy OID, to a value and select default protection level for that rule.
Here are the steps to follow:
- Leave the protection level at its default of Single-factor authentication, or select Multifactor authentication to change the default to MFA.
- Select the Low affinity binding here.
- For now, select PrincipalName as the preferred binding.
Configure Username Binding Policy
To configure a username binding policy, you create a username binding by selecting one of the X.509 certificate fields to bind with one of the user attributes.
You'll need to choose either the userPrincipalName or the OnPremisesUserPrincipalName field to map to. Selecting the PrincipalName mapping field can often resolve mapping issues that the userPrincipalName field can't.
The CertificateUserIds property on your user accounts, found under the Authorization Info field, determines which mapping strategy you can use.
Using the PrincipalName mapping field can be particularly useful if you have a complex certificate mapping strategy. It's worth reviewing your Certificate mappings carefully to determine the best approach.
Here's a summary of the options:
By following these steps and considering your certificate mapping strategy, you can effectively configure a username binding policy for your App Service.
Enable CBA on Tenant
To enable Certificate-Based Authentication (CBA) on your tenant, you'll need to sign in to the Microsoft Entra admin center as an Authentication Policy Administrator. This will give you the necessary permissions to make changes.
You'll then need to browse to Protection > Authentication methods > Certificate-Based Authentication and select Certificate-based authentication.
Next, under Enable and Target, select Enable to turn on CBA for your tenant. You can choose to enable it for all users or select specific groups by clicking Add groups.
For now, set this to Select groups and add your target group below. This will allow you to target specific users or groups for CBA.
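The three CBA settings above (authentication binding rules, username binding, and enabling the method for a group) are one Microsoft Graph object: the `x509Certificate` configuration under the tenant's authentication methods policy. This added example (not Microsoft's code) builds that document and applies it with `az rest`; the policy OID and group id are placeholders, the field names follow Graph's x509CertificateAuthenticationMethodConfiguration resource, and the signed-in account needs the Policy.ReadWrite.AuthenticationMethod permission.

```shell
#!/bin/sh
# Configure Entra ID certificate-based authentication through Microsoft Graph
# (added example; the policy OID and group id are placeholders).
set -eu
GRAPH=https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate

# Build the x509Certificate method configuration:
#  - username binding: PrincipalName -> userPrincipalName first, then
#    RFC822Name -> certificateUserIds, both at low affinity;
#  - default protection level single-factor, raised to MFA only for
#    certificates carrying policy OID $1;
#  - enabled for group $2 rather than for all users.
cba_policy_json() {
  cat <<EOF
{
  "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
  "id": "X509Certificate",
  "state": "enabled",
  "certificateUserBindings": [
    { "x509CertificateField": "PrincipalName", "userProperty": "userPrincipalName",
      "priority": 1, "trustAffinityLevel": "low" },
    { "x509CertificateField": "RFC822Name", "userProperty": "certificateUserIds",
      "priority": 2, "trustAffinityLevel": "low" }
  ],
  "authenticationModeConfiguration": {
    "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",
    "x509CertificateDefaultRequiredAffinityLevel": "low",
    "rules": [
      { "x509CertificateRuleType": "policyOID", "identifier": "$1",
        "x509CertificateAuthenticationMode": "x509CertificateMultiFactor",
        "x509CertificateRequiredAffinityLevel": "low" }
    ]
  },
  "includeTargets": [
    { "targetType": "group", "id": "$2", "isRegistrationRequired": false }
  ]
}
EOF
}

# Apply the policy, then read it back so the change can be reviewed.
apply_cba_policy() {
  az rest --method PATCH --url "$GRAPH" \
    --headers 'Content-Type=application/json' --body "$(cba_policy_json "$1" "$2")"
  az rest --method GET --url "$GRAPH" --query authenticationModeConfiguration
}

# Usage: sh cba.sh <policy-oid> <group-object-id>
if [ $# -eq 2 ]; then apply_cba_policy "$1" "$2"; fi
```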
Frequently Asked Questions
What is managed SSL?
Managed SSL refers to the process of overseeing and maintaining the entire lifecycle of SSL certificates, from acquisition to expiration. This includes tracking, deployment, and renewal to ensure secure online operations.