Azure Managed Certificates for Secure Apps

Azure Managed Certificates are a game-changer for secure apps. They eliminate the need for manual certificate management, which can be a tedious and error-prone process.

With Azure Managed Certificates, you can automate the issuance, renewal, and revocation of SSL/TLS certificates, ensuring your app remains secure and trusted by users.

This feature is available for Azure App Service and Azure Functions, making it a convenient solution for developers who need to secure their web applications and APIs.

Azure Managed Certificates are also integrated with Azure Key Vault, allowing you to store and manage your certificates securely and easily.

Certificate management in Azure is a straightforward process. You can manage certificates from the Azure Portal by browsing to your web app, clicking on the "TLS/SSL settings" section, and selecting the "Private Key Certificates (.pfx)" tab.

To create a free managed certificate, you'll need to meet the prerequisites, such as having a custom domain and an A record pointing to your web app's IP address. Free certificates are issued by DigiCert, and you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.

You can upload up to 1000 public certificates per App Service Plan, and each uploaded certificate is only accessible by the app it's uploaded to. To renew an uploaded certificate, you'll need to follow a specific sequence of steps to avoid downtime for your app due to HTTPS errors.

Managing certs is a crucial part of certificate management. You can create a free managed certificate in the Azure portal, which is a turn-key solution for securing your custom DNS name in App Service. This certificate is fully managed by App Service and is automatically renewed every six months.

To create a free managed certificate, you need to meet the prerequisites for your app, which include having an A record pointing to your web app's IP address and being on apps that are publicly accessible. You also need to create a CAA domain record with the value 0 issue digicert.com for some domains.

Free certificates are issued by DigiCert, and you can view the newly created certificate in the resource group after clicking the "show hidden items" checkbox. It will have a type of "cert" and be named after the DNS.

Here are the limitations of free certificates:

You can also upload a public certificate to an app, which is only accessible by the app it's uploaded to. Public certificates must be uploaded to each individual web app that needs access.

To avoid downtime for your app due to HTTPS errors, it's essential to renew an uploaded certificate carefully.

If you're renewing a certificate that's already in an IP-based binding, deleting the binding might change your app's IP address.

To prevent this, upload the new certificate first.

Then, follow these steps to update the certificate binding without changing your app's IP address:

This sequence ensures that your app's IP address remains unchanged, and your users don't experience any disruptions.

Azure Key Vault is a centralized location to store and manage your SSL certificates securely. It simplifies operations and provides a single point of access for all your certificates.

You can import a certificate from Key Vault into App Service if you meet the requirements. This involves selecting the subscription, key vault, and certificate from a list, and then validating and adding the certificate.

Azure Key Vault offers several benefits when used with App Services, including storing all SSL certificates securely, creating new certificate versions, and assigning specific permissions to applications.

Here are some benefits of using Azure Key Vault with App Services:

To deploy an Azure Web App certificate using Azure Key Vault, you need to follow these steps. First, create an App Service plan that supports TLS/SSL bindings or enables client certificates. Then, create a system-assigned identity for your app to access the certificates in Azure Key Vault.

You'll also need to create an Azure Key Vault in the same resource group as your App Service app, and generate and download a pfx file containing the public key file, SSL certificate file, and associated private key file.

To configure App Service for managed certificates, you'll need to import a certificate from your vault to your app. This involves selecting the key vault that has the certificate you want to import, choosing a PKCS12 certificate from the list, and then validating and adding it to the Bring your own certificates list.

To securely bind a custom domain with this certificate, you'll still need to create a certificate binding. This is done by following the steps in Secure a custom DNS name with a TLS/SSL binding in Azure App Service.

Alternatively, you can use the free App Service Managed Certificate, which is a turn-key solution for securing custom DNS names in App Service. This certificate can be imported into the App Service TLS/SSL settings and confirmed to be working by checking that the site opens with HTTPS.

Outbound calls from your App can be a bit tricky to set up, but don't worry, I've got the lowdown.

You can make outbound calls using a private CA client certificate from your app, but only if you're using a Windows container app in a multi-tenant App Service.

This is supported in App Service Environment version 3, which is a game-changer for code-based and container-based apps.

For more information on App Service multi-tenant vs. single-tenant, check out the comparison between App Service Environment v3 and App Service public multitenant.

The authentication binding policy determines the strength of authentication to either a single factor or multifactor. It's a crucial step in configuring your App Service.

You can change the default value from single factor to multifactor and configure custom policy rules by mapping to issuer Subject, policy OID or by combining Issuer Subject and Policy OID fields in the certificate. This allows for more granular control over authentication.

The protection level attribute has a default value of Single-factor authentication. Selecting Multifactor authentication changes the default value to MFA.

To configure custom authentication binding rules, you can follow the relevant Microsoft documentation. This will give you more flexibility in controlling the issuance of MFA claims for Microsoft Entra ID CBA authentication.

You can create multiple rules to map certificate attributes, such as Issuer, Policy OID, or Issuer and Policy OID, to a value and select default protection level for that rule.

Here are the steps to follow:

To configure a username binding policy, you create a username binding by selecting one of the X.509 certificate fields to bind with one of the user attributes.

You'll need to choose either the userPrincipalName or the OnPremisesUserPrincipalName field to map to. Selecting the PrincipalName mapping field can often resolve mapping issues that the userPrincipalName field can't.

The CertificateUserIds property determines how your user accounts are configured to determine your mapping strategy. You can find this under the Authorization Info field.

Using the PrincipalName mapping field can be particularly useful if you have a complex certificate mapping strategy. It's worth reviewing your Certificate mappings carefully to determine the best approach.

Here's a summary of the options:

By following these steps and considering your certificate mapping strategy, you can effectively configure a username binding policy for your App Service.

To enable Certificate-Based Authentication (CBA) on your tenant, you'll need to sign in to the Microsoft Entra admin center as an Authentication Policy Administrator. This will give you the necessary permissions to make changes.

You'll then need to browse to Protection > Authentication methods > Certificate-Based Authentication and select Certificate-based authentication.

Next, under Enable and Target, select Enable to turn on CBA for your tenant. You can choose to enable it for all users or select specific groups by clicking Add groups.

For now, set this to Select groups and add your target group below. This will allow you to target specific users or groups for CBA.