Tutorial: Upload and bind SSL certificates to Azure App Service

Azure App Service provides a highly scalable, self-patching web hosting service. This tutorial shows you how to secure a custom domain in App Service with a certificate that you purchased from a trusted certificate authority. It also shows you how to upload any private and public certificates your app needs. When you're finished, you'll be able to access your app at the HTTPS endpoint of your custom DNS domain.

[Screenshot: web app with a custom SSL certificate]

In this tutorial, you learn how to:

  • Upgrade your app's pricing tier
  • Secure a custom domain with a certificate
  • Upload a private certificate
  • Upload a public certificate
  • Renew certificates
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts

Prerequisites

To complete this tutorial:

Prepare a private certificate

To secure a domain, the certificate must meet all of the following requirements:

  • Configured for Server Authentication
  • Signed by a trusted certificate authority
  • Exported as a password-protected PFX file
  • Contains a private key at least 2048 bits long
  • Contains all intermediate certificates in the certificate chain

Note

Elliptic Curve Cryptography (ECC) certificates can work with App Service but are not covered by this article. Work with your certificate authority on the exact steps to create ECC certificates.

Once you obtain a certificate from your certificate provider, follow the steps in this section to make it ready for App Service.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of the certificates must follow the order of the certificate chain, beginning with your own certificate and ending with the root certificate. The result looks like the following example:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 2>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded root certificate>
-----END CERTIFICATE-----

Export certificate to PFX

Export your merged SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. You'll use this password when uploading your SSL certificate to App Service later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate on your local machine, and then export the certificate to PFX.

You're now ready to upload the certificate to App Service.
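The requirements above (chain in the right order, a matching private key of at least 2048 bits, the Server Authentication EKU) are easy to get wrong when merging by hand, so here is an added example, not part of the Azure docs, that checks a merged bundle and its private key before running the same openssl pkcs12 export. It assumes only the openssl CLI (1.1.1 or later); the script name, function names and file names are my own.

```shell
# Added example, not from the Azure docs: validate a merged PEM bundle and its
# private key against the App Service requirements above, then export the PFX.
# Assumes the openssl CLI (1.1.1 or later) is installed.
set -u
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split the bundle into one file per certificate, keeping the order:
# $2/01.pem is the leaf and the highest-numbered file is the root.
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
                   n > 0 { print > f }' "$1"
}

# Ordering check: each certificate must be issued by the one after it, and the
# leaf must verify through the intermediates with the last certificate as root.
check_order() {
    dir=$(mktemp -d); split_bundle "$1" "$dir"; n=$(cert_count "$1"); i=1
    : > "$dir/untrusted.pem"
    while [ "$i" -lt "$n" ]; do
        cur=$(printf '%s/%02d.pem' "$dir" "$i"); nxt=$(printf '%s/%02d.pem' "$dir" $((i + 1)))
        iss=$(openssl x509 -noout -issuer -in "$cur" | sed 's/^issuer=//')
        sub=$(openssl x509 -noout -subject -in "$nxt" | sed 's/^subject=//')
        [ "$iss" = "$sub" ] || { echo "certificate $i is not issued by certificate $((i + 1))" >&2; return 1; }
        if [ "$i" -gt 1 ]; then cat "$cur" >> "$dir/untrusted.pem"; fi   # intermediates only
        i=$((i + 1))
    done
    root=$(printf '%s/%02d.pem' "$dir" "$n")
    if [ "$n" -gt 2 ]; then openssl verify -CAfile "$root" -untrusted "$dir/untrusted.pem" "$dir/01.pem" >/dev/null
    else openssl verify -CAfile "$root" "$dir/01.pem" >/dev/null; fi
}

# Key check: the private key must match the leaf, be at least 2048 bits, and
# the leaf must carry the Server Authentication extended key usage.
check_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ] \
        || { echo "private key does not match the leaf certificate" >&2; return 1; }
    text=$(openssl x509 -noout -text -in "$1")
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key is only ${bits:-0} bits" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "leaf certificate lacks the serverAuth EKU" >&2; return 1; }
}
# Export bundle + key as a password-protected PFX; -passout env: keeps the
# password out of the process list (the docs' interactive prompt does the same).
export_pfx() { PFX_PASSWORD="$4" openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASSWORD; }
# Usage: sh prepare-pfx.sh mergedcertificate.crt <private-key-file> myserver.pfx '<export-password>'
if [ "$#" -eq 4 ]; then
    check_order "$1" && check_key "$1" "$2" && export_pfx "$1" "$2" "$3" "$4" && echo "wrote $3"
fi
```

If the chain is out of order or the key does not belong to the leaf, the script stops before producing a PFX that App Service would accept but browsers would reject.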

Prepare your web app

To bind a custom SSL certificate (a third-party certificate or an App Service certificate) to your web app, your App Service plan must be in the Basic, Standard, or Premium tier. In this step, you make sure that your web app is in a supported pricing tier.

Log in to Azure

Open the Azure portal.

From the left menu, click App Services, and then click the name of your web app.

[Screenshot: select web app]

You have landed in the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

[Screenshot: Scale up menu]

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

[Screenshot: check pricing tier]

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

[Screenshot: choose pricing tier]

When you see the following notification, the scale operation is complete.

[Screenshot: scale-up notification]

Secure a custom domain

To secure a custom domain with a third-party certificate, you upload the prepared private certificate and then bind it to the custom domain; App Service combines both steps into one flow for you. Do the following:

Click Custom domains in the left navigation of your app, then click Add binding for the domain you want to secure. If you don't see Add binding for a domain, that domain is already secured and its SSL state should show Secure.

[Screenshot: add binding for domain]

Click Upload Certificate.

In PFX Certificate File, select your PFX file. In Certificate password, type the password that you created when you exported the PFX file.

Click Upload.

[Screenshot: upload certificate for domain]

Wait for Azure to upload your certificate and launch the SSL bindings dialog.

In the SSL bindings dialog, select the certificate you uploaded and the SSL type, and then click Add Binding.

Note

The following SSL types are supported:

  • SNI-based SSL - Multiple SNI-based SSL bindings may be added. This option allows multiple SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (find more comprehensive browser support information at Server Name Indication).
  • IP-based SSL - Only one IP-based SSL binding may be added. This option allows only one SSL certificate to secure a dedicated public IP address. To secure multiple domains, you must secure them all using the same SSL certificate. This is the traditional option for SSL binding.

[Screenshot: bind SSL to domain]

The domain's SSL state should now be changed to Secure.

[Screenshot: secured domain]

Note

A Secure state in Custom domains means that the domain is secured with a certificate, but App Service doesn't check whether the certificate is, for example, self-signed or expired, either of which can still cause browsers to show an error or warning.

Remap A record for IP SSL

If you don't use IP-based SSL in your app, skip to Test HTTPS for your custom domain.

By default, your app uses a shared public IP address. When you bind a certificate with IP-based SSL, App Service creates a new, dedicated IP address for your app.

If you have mapped an A record to your app, update your domain registry with this new, dedicated IP address.

Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.

Test HTTPS

All that's left to do now is to make sure that HTTPS works for your custom domain. In various browsers, browse to https://<your.custom.domain> to see that it serves up your app.

[Screenshot: navigate to the Azure app in the portal]

Note

If your app gives you certificate validation errors, you're probably using a self-signed certificate.

If that's not the case, you may have left out intermediate certificates when you exported your certificate to the PFX file.

Renew certificates

Your inbound IP address can change when you delete a binding, even if that binding is IP-based. This is especially important when you renew a certificate that's already in an IP-based binding. To avoid a change in your app's IP address, follow these steps in order:

  1. Upload the new certificate.
  2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
  3. Delete the old certificate.

Enforce HTTPS

By default, anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port.

In your app page, in the left navigation, select SSL settings. Then, in HTTPS Only, select On.

[Screenshot: enforce HTTPS]

When the operation is complete, navigate to any of the HTTP URLs that point to your app. For example:

  • http://<app_name>.chinacloudsites.cn
  • http://contoso.com
  • http://www.contoso.com

Enforce TLS versions

Your app allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. To enforce different TLS versions, follow these steps:

In your app page, in the left navigation, select SSL settings. Then, in TLS version, select the minimum TLS version you want. This setting controls inbound calls only.

[Screenshot: enforce TLS 1.1 or 1.2]

When the operation is complete, your app rejects all connections with lower TLS versions.

Automate with scripts

You can automate SSL bindings for your app with scripts, using the Azure CLI or Azure PowerShell.

Azure CLI

The following command uploads an exported PFX file and gets the thumbprint.

thumbprint=$(az webapp config ssl upload \
    --name <app-name> \
    --resource-group <resource-group-name> \
    --certificate-file <path-to-PFX-file> \
    --certificate-password <PFX-password> \
    --query thumbprint \
    --output tsv)

The following command adds an SNI-based SSL binding, using the thumbprint from the previous command.

az webapp config ssl bind \
    --name <app-name> \
    --resource-group <resource-group-name> \
    --certificate-thumbprint $thumbprint \
    --ssl-type SNI

The following command enforces a minimum TLS version of 1.2.

az webapp config set \
    --name <app-name> \
    --resource-group <resource-group-name> \
    --min-tls-version 1.2

Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The following command uploads an exported PFX file and adds an SNI-based SSL binding.

New-AzWebAppSSLBinding `
    -WebAppName <app_name> `
    -ResourceGroupName <resource_group_name> `
    -Name <dns_name> `
    -CertificateFilePath <path_to_PFX_file> `
    -CertificatePassword <PFX_password> `
    -SslState SniEnabled

Use certificates in your code

If your app needs to connect to remote resources, and the remote resource requires certificate authentication, you can upload public or private certificates to your app. You don't need to bind these certificates to any custom domain in your app. For more information, see Use an SSL certificate in your application code in Azure App Service.

Next steps

In this tutorial, you learned how to:

  • Upgrade your app's pricing tier
  • Bind your custom certificate to App Service
  • Renew certificates
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts

For more information, see Use an SSL certificate in your application code in Azure App Service.