Automate your TLS/SSL certificate renewals in Azure
- elevatecloudconsulting
- Jul 20, 2020
Updated: Jul 27, 2020

Certificate renewals can be one of the most annoying parts of operating and supporting a web-based application. Luckily, Microsoft Azure has recently added the ability (with GoDaddy's help) to automatically purchase and renew certificates and apply them to your web server.
In this example, TLS is terminated at the Azure load balancer, which then passes traffic to the Docker Compose/containerized application on the back end.
To get started, first log in to your Azure account and make sure you have an app service set up, or go ahead and set one up. Next, search at the top for "certificate" and navigate to the "App Service Certificates" page by clicking the link.

On the top left, click '+ Add' to begin creating a new certificate.

Fill in the name of the certificate (this can be anything you want; it's just a display name that only you will see), your naked host name (example.com, not www or any subdomain), the resource group you want to link this certificate to, and the subscription. Everything else can be left as is. Then click 'Create' at the bottom.

Once you click create, the certificate will be automatically purchased from GoDaddy through Azure's API. Once this is completed you'll need to add the certificate to the Azure Key Vault.
To add it to Azure Key Vault, select your certificate, then on the left side of the screen select 'Certificate Configuration', then click 'Step 1: Store' on the right. You can create a new key vault or select an existing one to store the certificate in.

Once this is done, you'll need to complete 'Step 2: Verify', so click this button on the right next. There are 3 different ways you can do this (if you've already verified the domain you're linking this certificate to, then you can just select CNAME and you won't need to do anything else). If you have an email already linked to the domain, then sending an email from Azure to that email is the easier way to verify.
After you've verified your domain ownership in Azure, you simply need to assign the certificate to your domain. Go back to your app service and then click 'TLS/SSL settings' on the left side of the screen.

Click 'Import Key Vault Certificate' and then select the cert that you just added to Key Vault.
Now for the last (and easiest) step: turning on automatic renewals. Select your app service certificate again by searching for "certificate" at the top, and then click 'Auto Renew Settings' on the left side of the screen. On the right side of the screen, set 'Auto Renew App Service Certificate' to 'On'.
And that's it, no more manually renewing and installing certificates for your applications!!
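A post-setup check, added here as an example and not part of the original post: the Python below reads the certificate a host actually serves and reports whether it covers the hostname and how many days remain, which is one way to confirm that auto-renewal and the binding are taking effect. The 30-day threshold, the function names and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold; not an Azure setting

# Constructed sample in the dict shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "notAfter": "Jul 20 12:00:00 2021 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter timestamp."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def covers_host(cert, hostname):
    """True if hostname matches a DNS subjectAltName entry."""
    hostname = hostname.lower()
    parent = hostname.split(".", 1)[1] if "." in hostname else None
    for kind, value in cert.get("subjectAltName", ()):
        value = value.lower()
        if kind == "DNS" and (value == hostname or
                              (value.startswith("*.") and value[2:] == parent)):
            return True
    return False

def assess(cert, hostname, now=None):
    """Classify the served certificate for monitoring."""
    if not covers_host(cert, hostname):
        return "WRONG_CERT"
    left = days_remaining(cert, now)
    if left < 0:
        return "EXPIRED"
    return "EXPIRING_SOON" if left <= WARN_DAYS else "OK"

def fetch_cert(hostname, port=443, timeout=10):
    """Fetch the served certificate; an untrusted or expired one raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(host) if host else SAMPLE_CERT
    print(host or "example.com (sample)", assess(cert, host or "example.com"))
```

Run it with your own hostname as the argument on a schedule; a result other than OK, or an `ssl.SSLCertVerificationError` from the fetch, means the renewed certificate is not the one being served.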