I have a bought a azure app service certificate for my root domain. Can I use the same certificate for my sub domains?
Depends on the type of certificate you create, a standard certificate or a wildcard certificate. If you select standard, you get a certificate that secures both the root domain and the www subdomain. If you select wildcard you get all subdomains.
https://learn.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site
Related
I have a purchased a domain name from Google domains. I need to use this domain name for my site hosted in IIS. How to add my domain in IIS.
How to export my SSL certificate .pks file requied by IIS for importing SSL certificate.
Open your IIS manager, select your site, click Bindings… on the right, and click the Edit… button, then enter the domain name you purchased in the Host name blank box, and click OK.
To enable HTTPS on your web server, you need to obtain a certificate and bind it to your website.
You can try creating a self-signed certificate for testing.
Select the server node and select the IIS->Server Certificates feature
click Create Self-Signed Certificate to create a new certificate.
Then try adding the new binding to your site. In the Type box, choose https instead of http, then choose a certificate in the SSL certificate combo box. Save the settings and then you can try to access your website using https.
You will get a warning that the site is not secure, but you can force your site content. To remove the warning, bind to your site with a certificate from a trusted certificate authority.
You can refer to this document for more information.
To generate .crt certificate for your domain from Google domains use letsencrypt.
There are many menthos to generate I have used
Crypt-LE.
And generate the .pks file and add the SSL certificate to IIS.
Based on the documentation I've read, the "Denied" status should only happen if the domain fails to verify.
But clearly the verification passed so I'm not sure what else to do.
Attempting to follow the sub-steps under the Assign step just leads to errors related to
the cert being in the "Denied" state still.
This happens when Domain verification for the certificate is not completed in 45 days causing the certificate to be in denied state. The Certificate will not be billed.
Suggestion is to delete the certificate and request a new certificate.
Also note that: For a Standard certificate, the certificate provider gives you a certificate for the requested top-level domain and its www subdomain (for example, contoso.com and www.contoso.com). However, beginning on December 1, 2021, a restriction is introduced on the App Service and the Manual verification methods. Both of them use HTML page verification to verify domain ownership. With this method, the certificate provider is no longer allowed to include the www subdomain when issuing, rekeying, or renewing a certificate.
The Domain and Mail verification methods continue to include the www subdomain with the requested top-level domain in the certificate.
see: FAQ SSL certificates for Web Apps and App Service Certificates
Check this official document: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#import-an-app-service-certificate
In this case, the issue was not domain verification as stated in the other answer here and in the documentation, but was a misconfigured CAA record on the DNS.
For wildcard certs you need to have an
0 issuewild godaddy.com
record on the root domain - not on a star (*) domain.
I have just bought an SSL Certificate for my website from azure. when setting up a certificate under "Naked domain hostname" i entered the domain name WITHOUT "www".
Currently if i were to view my website with https://xyz.ca, it works just fine and it says it is secure, but if enter www.xyz.ca i do not see anything.
To atleast view the website with www.xyz.ca, i have removed HTTPS:// only request. However now this makes website un-secure.
Question
1. what will be the best way to make www.xyz.ca secure using the same certificate that i have bought?
2. if there is any other solution available, that will be fine too.
I am attaching some screenshots to understand better:
In fact a cert CAN support MANY domains. Now, whether this is something that you can add for free with the SSL provider you have chose is a different question. Certificate Subject Alternate Name(s) are what is used for this. For example the cert for this site allows stackexchange.com AND stackoverflow.com and a number of others and sub-domains too.
A valid SSL certificate must match the access FQDN domain name.
One Standard certificate only could be used for one FQDN domain name, such as www.xyz.ca while one WildCard certificate could be used for all like *.xyz.ca FQDN domain name, so usually we use the same WildCard certificate for all different services. More information about SSL Certificate Names
As the comment point it out, instead of buying one via the Azure Portal, you can get a free one via letsencrypt.org
Update
When you purchase an app service certificate in Azure for a root domain, by default, Azure supports hostname as a root domain name and www subdomain. You do not need to purchase another certificate. In this case, you already have two hostnames assigned to the site. You just bind the certificate for each. If you don't see the domain name(s) in the Hostname dropdown, try refreshing the browser page or change another browser.
In our Azure subscription, we have 3 apps: dev.myapp.com, test.myapp.com, prod.myapp.com (www.myapp.com, myapp.com).
Previously I just purchased a wildcard cert, and then converted it to PFX format and uploaded it.
But I see now that I can get an SSL cert directly from Azure, and save a bit of hassle. But I am wondering if I buy an S1 certificate, if I can use it with my subdomains, or if I need to buy the wildcard (which is quite expensive compared to getting it from another source).
I assume I need the wildcard, would just like to confirm.
sheamus,
I can confirm you'll have to buy a W1 Wild Card certificate: *.myapp.com.
A S1 Standard certificate will only cover your domain myapp.com (Upon submission the certificate will also be approved for www.myapp.com).
Also you can refer to the following Azure documentation:
Purchase, Store and Assign an SSL Certificate for your custom domain
If you need to secure multiple domain names, such as contoso.com,
www.contoso.com, and mail.contoso.com, then you can get a wildcard
certificate
You can either get the Single domain certificates or else you can go with the Wildcard SSL Certificates.
The Individual Single Domain SSL certificate will cost you low if you are going to buy from Comodo, but as it is for one domain you have to create the new CSR and Private Key for each domain. If you are wishing to secure one more app, you need to purchase a new SSL, New CSR & Private Key... This is really
But in the case of Wildcard SSL, the one CSR and Private Key will work for all your sub-domains. additionally, it will allow you to secure any number of sub-domains.
You can take either single domain SSL or Wildcard SSL certificate to secure sub domains.
If the time of the various SSL certificate management does not matter to you, but the price is important then go for a single domain SSL certiifcate, otherwise go for Wildcard SSL certificate which secures number of sub domains.
If have price concern for wildcard ssl certificate then go with comodo certificate authority resellers.
I used to run one of my websites (EyeDentity.Online) from a Windows VM on Azure. I had an SSL Certificate in IIS up to run it and all was well in the world.
Since I moved the Website to the Azure App Service and installed the SSL Certificate in Azure whenever I go to the Website for the first time in a browser session it tells me that the certificate is invalid.
It appears to quote the standard AzureWebsites.NET even though my certificate is bound to my website
How can I get this warning to go away as it may be scaring away users!
Things to check:
You must be on Standard or Premium level to bind to cert
Check SSL bindings section of Custom Domains and SSL blade to make sure you've
bound the domain to the right cert.
The description of the problem sounds like number 2 here. If you haven't changed this, then it will bind by default to the azurewebsites cert and not yours.
Some docs here: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
Your cert is for azurewebsites.net and not EyeDentity.Online. You should get a wildcard cert for your domain name:
*.azurewebsites.net should be: *.eyedentity.online
ref: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/#1-get-an-ssl-certificate
"Before requesting an SSL certificate you must first determine which
domain names will be secured by the certificate. This will determine
what type of certificate you must obtain. If you just need to secure a
single domain name such as contoso.com or www.contoso.com a basic
certificate is sufficient. If you need to secure multiple domain
names, such as contoso.com, www.contoso.com, and mail.contoso.com,
then you can get a wildcard certificate, or a certificate with Subject
Alternate Name (subjectAltName)."