Dajbych.net


An Alternative to Let’s Encrypt for Azure Web Apps


Configuring Let’s Encrypt certificates for Azure Web Apps was always a pain. One would expect a simple single-click solution. It took four years until Microsoft delivered this feature. It is named App Service Managed Certificates, and it will issue a certificate for your custom domains at no cost. This feature is available for customers with a Basic App Service Plan and above. Naked domains or wildcards are not supported.

Each certificate will be valid for six months, and about a month before the certificate’s expiration date, App Service will renew the certificate and update the certificate binding.

How to configure a managed certificate

In the Azure Portal, open your web app. Choose TLS/SSL settings from the left navigation.

Select the Private Key Certificates tab.

And finally, click the Create App Service Managed Certificate button.

Once the portal successfully creates your App Service Managed Certificate, you’ll see the certificate in the Private Key Certificates list. Select the Bindings tab and associate your certificate with your domain.

Certification authority

Free certificates are issued by DigiCert. Some top-level domains must explicitly allow this authority by creating a CAA domain record with the value: 0 issue digicert.com.

The certificate will be listed in public logs. From time to time, you should search for certificates that have been issued for your domain, for example, by using the crt.sh tool. If you find a fraudulent certificate issued for your domain, report it to the respective CA and address it immediately.
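The periodic check described above can be scripted. The following is an added example, not code from the original article: it filters records in the shape of crt.sh's JSON output and reports unexpired certificates for the domain whose issuer organization is not on an allowlist. The sample records, the `example.com` names and the allowlist value `DigiCert Inc` are constructed assumptions; adjust the allowlist to the issuer you actually see on your managed certificate.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output (?q=<domain>&output=json).
SAMPLE = r'''[
 {"id": 1001, "issuer_name": "C=US, O=DigiCert Inc, CN=Constructed Issuing CA",
  "name_value": "www.example.com", "serial_number": "0a01",
  "not_after": "2020-06-01T12:00:00"},
 {"id": 1002, "issuer_name": "C=US, O=DigiCert Inc, CN=Constructed Issuing CA",
  "name_value": "www.example.com", "serial_number": "0a01",
  "not_after": "2020-06-01T12:00:00"},
 {"id": 1003, "issuer_name": "C=XX, O=\"Unexpected CA, Ltd.\", CN=Constructed CA 2",
  "name_value": "www.example.com\nshop.example.com", "serial_number": "0b02",
  "not_after": "2020-09-01T12:00:00"},
 {"id": 1004, "issuer_name": "C=XX, O=\"Unexpected CA, Ltd.\", CN=Constructed CA 2",
  "name_value": "www.example.com", "serial_number": "0b03",
  "not_after": "2019-01-01T12:00:00"}
]'''

ALLOWED_ISSUER_ORGS = {"DigiCert Inc"}  # assumption: the only CA you expect

def issuer_org(issuer_name):
    """Return the O= attribute of an issuer DN, handling quoted values with commas."""
    m = re.search(r'(?:^|,\s*)O=(?:"([^"]*)"|([^,]*))', issuer_name)
    return (m.group(1) or m.group(2) or "").strip() if m else ""

def unexpected_certificates(crtsh_json, domain, now, allowed=ALLOWED_ISSUER_ORGS):
    """List (crt.sh id, issuer org, names) for unexpired certs from unlisted issuers."""
    findings, seen = [], set()
    for entry in json.loads(crtsh_json):
        # A precertificate and its final certificate share issuer and serial.
        key = (entry["issuer_name"], entry["serial_number"])
        if key in seen:
            continue
        seen.add(key)
        names = entry["name_value"].split("\n")
        if not any(n == domain or n.endswith("." + domain) for n in names):
            continue
        if datetime.fromisoformat(entry["not_after"]) < now:
            continue  # already expired, no longer usable
        org = issuer_org(entry["issuer_name"])
        if org not in allowed:
            findings.append((entry["id"], org, names))
    return findings

if __name__ == "__main__":
    for finding in unexpected_certificates(SAMPLE, "example.com", datetime(2020, 1, 15)):
        print("Unexpected certificate:", finding)
```

To use it on real data, save the JSON that crt.sh returns for your domain and pass its contents in place of `SAMPLE`.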

The offering for App Service Managed Certificates is currently in preview. For additional reference, see the documentation.