DEV Community

CodingPanda

Trick to get Free SSL certificate for Azure Application Gateway

We all know that SSL Certificates come with an expiry of 1 year or less. This is because certificates can also be breached or cloned, and it’s a best practice to change the certificate every month. However, if you are purchasing from well-known providers, the minimum duration will be 1 year, and it can be expensive.

While trying to configure the App Service Certificate, I discovered an impressive solution to this recurring cost - the App Service Managed Certificate. This certificate is managed by the app service and is free, but it has some limitations. It doesn’t allow wildcard certificates, and we can’t export it outside of the app service. This is suitable when we only have an app service, but in our architecture, we also have an application gateway that requires a TLS/SSL certificate.

Upon further research, I found a solution for this. The application gateway can be created with a private certificate, but browsers will not trust this certificate from an unknown CA provider. To avoid this, one has to install this certificate to the trusted root on local machines to allow browsers to trust this certificate.

Later, I found that there are better, free, automated, and open Certificate Authority (CA) providers, and the best one I found was Let's Encrypt.


giving us full control over certificate expiry. By this, we can set SSL expiry to 90 days and renew every 60 days or even during every product release, so we never fall into the trap of expiry. Also, the younger the SSL/TLS certificate, the more immune it is against security attacks.
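The 90-day / 60-day schedule above can be enforced with a small check that a scheduled job or release pipeline runs before deciding whether to request and upload a new certificate. This is an added example, not code from the original post; it assumes `openssl` is on the PATH, and the file names and the `demo.example.invalid` subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: "renew at day 60 of a 90-day certificate" check.
LIFETIME_DAYS=90      # certificate lifetime described in the post
RENEW_AFTER_DAYS=60   # renew once the certificate is this old

# needs_renewal CERT.pem
# Returns 0 (renew now) when the certificate has fewer than
# LIFETIME_DAYS - RENEW_AFTER_DAYS days left, is already expired,
# is missing, or cannot be parsed. Returns 1 when it is still fresh.
needs_renewal() {
  nr_cert="$1"
  nr_window=$(( (LIFETIME_DAYS - RENEW_AFTER_DAYS) * 86400 ))
  [ -r "$nr_cert" ] || return 0   # no certificate yet: treat as due
  # -checkend N exits 0 only if the cert is still valid N seconds from now;
  # it exits non-zero on parse errors too, so a corrupt file fails safe.
  if openssl x509 -in "$nr_cert" -noout -checkend "$nr_window" >/dev/null 2>&1
  then
    return 1
  fi
  return 0
}

# make_demo_cert OUT.pem DAYS
# Builds a throwaway self-signed certificate (constructed sample input,
# standing in for the certificate issued by the CA).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=demo.example.invalid" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: a fresh 90-day cert is left alone, one with 20 days left is flagged.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/fresh.pem" 90
make_demo_cert "$demo_dir/aging.pem" 20
for demo_cert in fresh aging missing; do
  if needs_renewal "$demo_dir/$demo_cert.pem"; then
    echo "$demo_cert: renew"
  else
    echo "$demo_cert: ok"
  fi
done
rm -rf "$demo_dir"
```

Treating a missing or unreadable certificate as due for renewal keeps the job from silently skipping a gateway that never received a valid certificate.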

The App Service Managed Certificate is now in General Availability for both apex domains and sub-domains. This feature allows customers to secure their custom domains on Linux and on Windows with an SSL certificate.
