An alternative to Let’s Encrypt for Azure Web Apps


Configuring Let’s Encrypt certificates for Azure Web Apps was always a pain. One would expect a simple single-click solution. It took four years until Microsoft delivered this feature. It is named App Service Managed Certificates and it will issue a certificate for your custom domains at no cost. This feature is available for customers with a Basic App Service Plan and above. Naked domains or wildcards are not supported.

Each certificate will be valid for six months, and about a month before the certificate’s expiration date, App Service will renew the certificate and update the certificate binding.

How to configure a managed certificate

In the Azure Portal, open your web app. Choose TLS/SSL settings from the left navigation.


Select the Private Key Certificates tab.


And finally click the Create App Service Managed Certificate button.


Once the portal has successfully created your App Service Managed Certificate, you’ll see the certificate in the Private Key Certificates list. Select the Bindings tab and associate your certificate with your domain.

Certification authority

Free certificates are issued by DigiCert. Some top-level domains must explicitly allow this authority by creating a CAA domain record with the value: 0 issue digicert.com.
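Whether an existing CAA policy would block DigiCert can be checked before requesting the certificate. The following is an added example, not code from the original post: it evaluates CAA `issue` records for a non-wildcard hostname using the RFC 8659 tree-climbing rule. The `ZONE` data is constructed and the function names are hypothetical; in practice the records would come from a DNS lookup.

```python
# Added example (not from the original post): RFC 8659 CAA evaluation for a
# non-wildcard hostname. ZONE is constructed sample data standing in for the
# CAA answers a resolver would return; all names here are hypothetical.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "example.org": [(0, "issue", "letsencrypt.org"), (0, "issue", "digicert.com")],
    "example.net": [(0, "issue", "digicert.com")],
    "legacy.example.net": [(0, "issue", ";")],
    "example.io": [(0, "iodef", "mailto:security@example.io")],
}


def relevant_rrset(fqdn, zone=ZONE):
    """Climb from fqdn towards the root; return the first name with CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def ca_may_issue(fqdn, ca_domain, zone=ZONE):
    """True if the CAA policy covering fqdn lets ca_domain issue for it."""
    _name, rrset = relevant_rrset(fqdn, zone)
    issue_values = [value for _flags, tag, value in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True  # no CAA set, or none with an issue tag: issuance unrestricted
    # Drop optional parameters after ';'; a bare ';' leaves an empty name,
    # which matches no CA and therefore forbids all issuance.
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue_values}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for host in ("www.example.com", "www.example.org", "app.example.net",
                 "legacy.example.net", "www.example.io", "www.example.dev"):
        name, _ = relevant_rrset(host)
        verdict = "allowed" if ca_may_issue(host, "digicert.com") else "BLOCKED"
        print(f"{host:20} governed by {name or '(no CAA)':20} digicert.com {verdict}")
```

The `example.com` case is the one to watch when moving away from Let’s Encrypt: a CAA set that names only `letsencrypt.org` blocks DigiCert until a second `issue` record is added.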

The certificate will be listed in public logs. From time to time, you should search for certificates that have been issued for your domain, for example with the crt.sh tool. If you find a fraudulent certificate issued for your domain, report it to the respective CA and address it immediately.

The offering for App Service Managed Certificates is currently in preview. For additional reference, see the documentation.