Can I use App Service Certificates in Azure VM for ssl configuration

I have purchased an Azure App Service Certificate in my Azure portal. I am not using any App Services, only a Windows virtual machine, where I run a Play Framework app that needs the SSL certificate to serve HTTPS.

https://social.msdn.microsoft.com/Forums/en-US/c5c665b5-f857-4d9e-bba3-109ba20d2de1/export-app-service-certificate-to-running-vm-so-i-can-use-it-for-https-is-there-any-way-i-can-do?forum=windowsazurewebsitespreview

How can I use this App Service certificate in a VM instance? I have tried importing the keys for manual configuration, but I found no Azure documentation that confirms this.

You CAN actually export the Azure app certificate and use it in Apache on a VM anywhere.

Here is how I did it.

Step 1: Downloaded and installed the OpenSSL tool for Windows into this folder:

cd "c:\Program Files\OpenSSL-Win64\bin"

Step 2: In the Azure portal, click on your certificate and select Export Certificate. Click the Download as certificate button and this will give you a CERTIFICATES.pfx file. Save it into "c:\Program Files\OpenSSL-Win64\bin"

Step 3: Open a command prompt to convert the pfx to pem format with the following commands:

>cd  "c:\Program Files\OpenSSL-Win64\bin"
>openssl pkcs12 -in CERTIFICATES.pfx -out CERTIFICATES.pem -nodes

Step 4: Download Notepad++ for Windows and break this CERTIFICATES.pem into 3 files.

Make 3 copies and name them PRIVATE.key, CHAIN.pem and PUBLIC.pem

PRIVATE.key
CHAIN.pem (will contain both certificates. My Azure ones were from GoDaddy)
PUBLIC.pem

Edit them and remove the certificates that you don't need from each one and keep the one you need.

Your private key text should look like this:

-----BEGIN PRIVATE KEY-----
"private hashed key inside here"
-----END PRIVATE KEY-----

The CHAIN key text should look like this:

-----BEGIN CERTIFICATE-----
"GoDaddy Root Certificate Authority key in here"
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
"GoDaddy Secure Certificate Authority key in here"
-----END CERTIFICATE-----

Your public key text should look like this:

-----BEGIN CERTIFICATE-----
"public hashed key inside here"
-----END CERTIFICATE-----

Step 5: Copy these 3 resultant files to your Apache installation drive and modify the Apache httpd config file containing the SSL entries to point to the three new files as follows:

SSLCertificateKeyFile "C:/certs/PRIVATE.key"
SSLCertificateChainFile "C:/certs/CHAIN.pem"
SSLCertificateFile "C:/certs/PUBLIC.pem"

Done.
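
An added example (not part of the original answer): the manual split from Step 4 done programmatically, using the localKeyID bag attribute that `openssl pkcs12` prints above the private key and its matching certificate to tell the server certificate from the CA certificates. The function name `split_bundle` and the sample bundle are constructed for illustration, and the code assumes the PFX carries localKeyID attributes.

```python
import re

# One PEM block; group 1 is the label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.DOTALL)
LOCAL_KEY_ID = re.compile(r"localKeyID:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)")

def split_bundle(pem_text):
    """Return the contents for PRIVATE.key, PUBLIC.pem and CHAIN.pem."""
    key, key_id, certs, pos = None, None, [], 0
    for m in PEM_BLOCK.finditer(pem_text):
        # The bag attributes of a block are the text printed just before it.
        attrs = LOCAL_KEY_ID.search(pem_text[pos:m.start()])
        bag_id = "".join(attrs.group(1).split()).upper() if attrs else None
        block, pos = m.group(0).replace("\r\n", "\n") + "\n", m.end()
        if m.group(1).endswith("PRIVATE KEY"):
            if key is not None:
                raise ValueError("more than one private key in bundle")
            key, key_id = block, bag_id
        elif m.group(1) == "CERTIFICATE":
            certs.append((bag_id, block))
    if key is None or key_id is None:
        raise ValueError("no private key with a localKeyID found")
    # The server certificate shares the key's localKeyID; CA certificates do not.
    leaf = [b for i, b in certs if i == key_id]
    if len(leaf) != 1:
        raise ValueError("expected exactly one certificate matching the key")
    chain = "".join(b for i, b in certs if i != key_id)
    return {"PRIVATE.key": key, "PUBLIC.pem": leaf[0], "CHAIN.pem": chain}

# Constructed sample in the layout `openssl pkcs12 -nodes` writes; bodies are fake.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
RkFLRS1LRVk=
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN CERTIFICATE-----
RkFLRS1MRUFG
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
RkFLRS1JTlQ=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
RkFLRS1ST09U
-----END CERTIFICATE-----
"""
```

Because the conversion in Step 3 uses `-nodes`, PRIVATE.key is written unencrypted; restrict read access on it to the account Apache runs as, and delete CERTIFICATES.pem once the three files exist.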

According to the author of this blog post (see comments), you can't use the certificate outside App Service, as in there's no way to export it.

https://azure.microsoft.com/en-us/blog/internals-of-app-service-certificate/

John • 8 months ago
Is there any way to export the certificate as a PFX file?

Ashish • 8 months ago
Thanks John! No, currently certificates are tied to a subscription so you can only use it with App Service Apps in the subscription you use for creating App Service Certificate.

You can create a local PFX copy of the app service certificate and use it anywhere you want. You create the local copy using a PowerShell script.

Details are in this MSDN blog post. https://blogs.msdn.microsoft.com/appserviceteam/2017/02/24/creating-a-local-pfx-copy-of-app-service-certificate/
