You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/configure-ssl-app-service-certificate.md
+43Lines changed: 43 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -59,6 +59,49 @@ Currently, App Service certificates aren't supported in Azure national clouds.
59
59
60
60
1. After the deployment is finished, select **Go to resource**.
61
61
62
+
#### Authorize App Service certificate to access Azure Key Vault
63
+
64
+
By default, the App Service certificate resource provider doesn't have access to your key vault. To store, renew, and rekey a certificate in key vault, you must authorize access for the resource provider (App Service certificate) to the key vault. You can grant access with role-based access control (RBAC) or access policy.
65
+
66
+
#### [RBAC permissions](#tab/rbac)
67
+
68
+
| Resource provider | Service principal app ID / assignee | Key Vault RBAC role |
The service principal app ID or assignee value is the ID for the App Service certificate resource provider. To learn how to authorize Key Vault permissions for the App Service certificate resource provider by using an access policy, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
81
+
82
+
---
83
+
84
+
> [!NOTE]
85
+
> Don't delete these permissions from the key vault. If you do, App Service certificate can't store, renew, or rekey the certificate in key vault.
86
+
87
+
> [!IMPORTANT]
88
+
> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
89
+
90
+
#### [Azure CLI](#tab/azure-cli/rbac)
91
+
92
+
```azurecli-interactive
93
+
az role assignment create --role "Key Vault Secrets Officer" --assignee "f3c21649-0979-4721-ac85-b0216b2cf413" --scope "/subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}"
[Key Vault](/azure/key-vault/general/overview) is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. For App Service certificates, we recommend that you use Key Vault. After you finish the certificate purchase process, you must complete a few more steps before you start using the certificate.
Copy file name to clipboardExpand all lines: articles/app-service/configure-ssl-certificate.md
+8-11Lines changed: 8 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -81,14 +81,13 @@ The free certificate comes with the following limitations:
81
81
### [Apex domain](#tab/apex)
82
82
83
83
- Must have an A record pointing to your web app's IP address.
84
-
- Must be on apps that are publicly accessible.
85
84
- Isn't supported with root domains that are integrated with Azure Traffic Manager.
86
85
- Must meet all the preceding criteria for successful certificate issuances and renewals.
87
86
88
87
### [Subdomain](#tab/subdomain)
89
88
90
89
- Must have CNAME mapped _directly_ to `<app-name>.azurewebsites.net` or [trafficmanager.net](configure-domain-traffic-manager.md#enable-custom-domain). Mapping to an intermediate CNAME value blocks certificate issuance and renewal.
91
-
-Must be on apps that are publicly accessible.
90
+
-If using Azure Traffic Manager, the site must be configured as an [Azure endpoint](/azure/traffic-manager/traffic-manager-endpoint-types#azure-endpoints).
92
91
- Must meet all the preceding criteria for successful certificate issuance and renewals.
93
92
94
93
---
@@ -144,9 +143,6 @@ By default, the App Service resource provider doesn't have access to your key va
144
143
145
144
The service principal app ID or assignee value is the application (client) ID for the App Service resource provider.
146
145
147
-
> [!IMPORTANT]
148
-
> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
| Resource provider | Service principal app ID | Key Vault secret permissions | Key Vault certificate permissions |
@@ -155,12 +151,13 @@ The service principal app ID or assignee value is the application (client) ID fo
155
151
156
152
The service principal app ID or assignee value is the ID for the App Service resource provider. To learn how to authorize Key Vault permissions for the App Service resource provider by using an access policy, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
157
153
158
-
Don't delete these access policy permissions from the key vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
159
-
160
154
---
161
155
162
156
> [!NOTE]
163
-
> If Key Vault is configured to disable public access, select the **Allow trusted Microsoft services to bypass this firewall** checkbox to ensure that Microsoft services are allowed access. For more information, see [Key Vault firewall-enabled trusted services only](/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault#key-vault-firewall-enabled-trusted-services-only).
157
+
> Don't delete these permissions from Key Vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
158
+
159
+
> [!IMPORTANT]
160
+
> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
164
161
165
162
#### [Azure CLI](#tab/azure-cli/rbac)
166
163
@@ -175,11 +172,11 @@ az role assignment create --role "Key Vault Certificate User" --assignee "abfa0a
> Don't delete these RBAC permissions from Key Vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
180
-
181
175
---
182
176
177
+
> [!NOTE]
178
+
> If Key Vault is configured to disable public access, select the **Allow trusted Microsoft services to bypass this firewall** checkbox to ensure that Microsoft services are allowed access. For more information, see [Key Vault firewall-enabled trusted services only](/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault#key-vault-firewall-enabled-trusted-services-only).
179
+
183
180
### Import a certificate from your vault to your app
184
181
185
182
1. In the [Azure portal](https://portal.azure.com), on the left pane, select **App Services** > *\<app-name>*.
![learn-build-service-prod[bot]](https://avatars.githubusercontent.com/in/237442?v=4&size=40){kind=avatar}
0 commit comments