Add a TLS/SSL certificate in Azure App Service

Azure App Service provides a highly scalable, self-patching web hosting service. This article shows you how to create, upload, or import a private certificate or a public certificate into App Service.

Once the certificate is added to your App Service app or function app, you can secure a custom DNS name with it or use it in your application code.

The following table lists the options you have for adding certificates in App Service:

| Option | Description |
| --- | --- |
| Create a free App Service Managed Certificate (Preview) | A private certificate that's easy to use if you just need to secure your www custom domain or any non-naked domain in App Service. |
| Import a certificate from Key Vault | Useful if you use Azure Key Vault to manage your PKCS12 certificates. See Private certificate requirements. |
| Upload a private certificate | If you already have a private certificate from a third-party provider, you can upload it. See Private certificate requirements. |
| Upload a public certificate | Public certificates are not used to secure custom domains, but you can load them into your code if you need them to access remote resources. |

Prerequisites

To follow this how-to guide:

Private certificate requirements

Note

Azure Web Apps does not support AES256, and all PFX files should be encrypted with TripleDES.

A private certificate used in App Service must meet the following requirements:

  • Exported as a password-protected PFX file
  • Contains a private key at least 2048 bits long
  • Contains all intermediate certificates in the certificate chain

To secure a custom domain in a TLS binding, the certificate has additional requirements:

  • Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1)
  • Signed by a trusted certificate authority

Note

Elliptic Curve Cryptography (ECC) certificates can work with App Service but are not covered by this article. Work with your certificate authority on the exact steps to create ECC certificates.
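The requirements above can be verified before the upload instead of discovering a rejected PFX in the portal. The following POSIX shell script is an added example (not from the article or from Microsoft): it checks that the PFX opens with the supplied password, that the private key is at least 2048 bits, that the end-entity certificate carries the serverAuth EKU, and that the PKCS#12 bags are TripleDES-encrypted rather than AES-256, which the note above says App Service does not accept. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the function names are this example's own, and the self-signed material produced by `make_demo_material` is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# App Service private-certificate requirements listed above. Assumes the
# openssl CLI (1.1.1 or newer) is on PATH; function names are this example's own.
# "pass:" makes the password visible in the process list; for anything beyond a
# local check, prefer -passin file:... or env:....

# Bit length of the private key held in the PFX (RSA or EC).
pfx_key_bits() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | openssl pkey -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Number of certificates (leaf plus intermediates) bundled in the PFX.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds when the end-entity certificate carries the serverAuth EKU
# (OID 1.3.6.1.5.5.7.3.1), required for a TLS binding.
pfx_has_server_auth() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Succeeds when the key and certificate bags are TripleDES-encrypted and no
# AES bag is present. OpenSSL 3 exports PBES2/AES-256 by default, which the
# note above says App Service rejects. "-info" writes to stderr, hence 2>&1.
pfx_uses_3des() {
    info=$(openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1)
    echo "$info" | grep -q 'TripleDES' && ! echo "$info" | grep -q 'AES'
}

# Run every check, print one line per finding, fail if any requirement is unmet.
check_pfx() {
    pfx=$1; pw=$2; failed=0
    if ! openssl pkcs12 -in "$pfx" -noout -passin "pass:$pw" 2>/dev/null; then
        echo "FAIL cannot open $pfx with the supplied password"; return 1
    fi
    bits=$(pfx_key_bits "$pfx" "$pw")
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok   private key is $bits bits"
    else echo "FAIL private key is ${bits:-?} bits, need at least 2048"; failed=1; fi
    if pfx_has_server_auth "$pfx" "$pw"; then echo "ok   serverAuth EKU present"
    else echo "FAIL serverAuth EKU missing, not usable in a TLS binding"; failed=1; fi
    if pfx_uses_3des "$pfx" "$pw"; then echo "ok   TripleDES PKCS#12 encryption"
    else echo "FAIL PFX is not TripleDES-encrypted (AES256 is not supported)"; failed=1; fi
    echo "info $(pfx_cert_count "$pfx" "$pw") certificate(s) bundled; every intermediate must be included"
    return $failed
}

# Constructed demo input: a throwaway self-signed leaf with the serverAuth EKU.
# A real deployment uses the CA-issued certificate plus its merged chain.
make_demo_material() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 1 \
        -subj '/CN=www.contoso.example' -addext 'extendedKeyUsage=serverAuth' \
        -keyout "$1/key.pem" -out "$1/chain.pem" 2>/dev/null
}

# Usage: sh pfxcheck.sh myserver.pfx '<export-password>'
# With no arguments, builds the constructed demo PFX and checks that instead.
if [ "$#" -eq 2 ]; then
    check_pfx "$1" "$2"
else
    tmp=$(mktemp -d)
    make_demo_material "$tmp" 2048
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/chain.pem" \
        -out "$tmp/demo.pfx" -passout pass:demo \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    check_pfx "$tmp/demo.pfx" demo
    rm -rf "$tmp"
fi
```

The certificate count is reported rather than judged, because the script cannot know how many intermediates your CA's chain has; compare it with the number of certificates you merged. The "signed by a trusted CA" requirement is likewise left to the CA-issued certificate itself.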

Prepare your web app

To create custom security bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in the supported pricing tier.

Sign in to Azure

Open the Azure portal.

Search for and select App Services.

[Screenshot: Select App Services]

On the App Services page, select the name of your web app.

[Screenshot: Navigate to the Azure app in the portal]

You have landed on the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

[Screenshot: Scale-up menu]

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

[Screenshot: Check pricing tier]

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

[Screenshot: Choose pricing tier]

When you see the following notification, the scale operation is complete.

[Screenshot: Scale-up notification]

Import an App Service Certificate

If you already have a working App Service Certificate, you can import the certificate into App Service.

Import certificate into App Service

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import App Service Certificate.

[Screenshot: Import App Service Certificate into App Service]

Select the certificate that you just purchased and select OK.

When the operation completes, you see the certificate in the Private Key Certificates list.

[Screenshot: Import App Service Certificate finished]

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Import a certificate from Key Vault

If you use Azure Key Vault to manage your certificates, you can import a PKCS12 certificate from Key Vault into App Service as long as it satisfies the requirements.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate.

[Screenshot: Import Key Vault certificate into App Service]

Use the following table to help you select the certificate.

| Setting | Description |
| --- | --- |
| Subscription | The subscription that the Key Vault belongs to. |
| Key Vault | The vault with the certificate you want to import. |
| Certificate | Select from the list of PKCS12 certificates in the vault. All PKCS12 certificates in the vault are listed with their thumbprints, but not all are supported in App Service. |

When the operation completes, you see the certificate in the Private Key Certificates list. If the import fails with an error, the certificate doesn't meet the requirements for App Service.

[Screenshot: Import Key Vault certificate finished]

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a private certificate

Once you obtain a certificate from your certificate provider, follow the steps in this section to make it ready for App Service.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 2>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded root certificate>
-----END CERTIFICATE-----

Export certificate to PFX

Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. You'll use this password when uploading your TLS/SSL certificate to App Service later. If you run OpenSSL 3 or later, add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES to the command above: by default it encrypts the PFX with AES-256, which App Service does not support (see the note under Private certificate requirements).

If you used IIS or Certreq.exe to generate your certificate request, install the certificate to your local machine, and then export the certificate to PFX.
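The merge-and-export procedure above, as an added example that is not from the article or from Microsoft: a POSIX shell script that writes the PEM files into one merged file in chain order (your certificate first, root last), checks that each certificate's issuer matches the subject of the certificate that follows it so a swapped or missing intermediate is caught before the upload, and then exports the merged chain with the private key as a TripleDES-encrypted PFX, which is what the requirements note calls for (OpenSSL 3 would otherwise default to AES-256). It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the function names are this example's own, and the root/intermediate/leaf chain generated by `make_demo_chain` is constructed purely for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes the openssl CLI
# (1.1.1 or newer) is on PATH; function names are this example's own.

# Concatenate certificates into one PEM file in the order given, e.g.
#   merge_chain mergedcertificate.crt leaf.crt intermediate1.crt ... root.crt
# Re-encoding through "openssl x509" keeps only the PEM block of each file.
merge_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -in "$f" -outform PEM >> "$out" || return 1
    done
}

# Split a merged PEM file into $2/cert.1, $2/cert.2, ... and print the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# Succeeds only if certificate i was issued by certificate i+1 for every
# adjacent pair, i.e. the file runs leaf -> intermediates -> root. A swapped
# or missing intermediate shows up as an issuer/subject mismatch.
chain_is_ordered() {
    work=$(mktemp -d)
    n=$(split_chain "$1" "$work")
    rc=0; i=1
    [ "$n" -ge 1 ] || rc=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$work/cert.$i" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$work/cert.$next" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "order error: certificate $i is not issued by certificate $next" >&2
            rc=1
        fi
        i=$next
    done
    rm -rf "$work"
    return $rc
}

# Export the key and merged chain as a TripleDES-encrypted PFX. Without these
# flags OpenSSL 3 writes PBES2/AES-256, which the requirements note says App
# Service does not support; -macalg sha1 keeps the MAC on the legacy algorithm
# that older PKCS#12 importers expect.
export_pfx_3des() {
    # $1 private key, $2 merged chain PEM, $3 output .pfx, $4 export password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Constructed demo chain (root -> intermediate -> leaf) for illustration only.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.contoso.example\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.contoso.example' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Usage: sh mergechain.sh <private-key> <out.pfx> <password> leaf.crt int.crt ... root.crt
# With no arguments, runs the whole flow on the constructed demo chain.
if [ "$#" -ge 4 ]; then
    key=$1; pfx=$2; pw=$3; shift 3
    merge_chain mergedcertificate.crt "$@" \
        && chain_is_ordered mergedcertificate.crt \
        && export_pfx_3des "$key" mergedcertificate.crt "$pfx" "$pw"
else
    tmp=$(mktemp -d)
    make_demo_chain "$tmp"
    merge_chain "$tmp/merged.crt" "$tmp/leaf.crt" "$tmp/int.crt" "$tmp/root.crt"
    chain_is_ordered "$tmp/merged.crt" && echo "chain order ok"
    export_pfx_3des "$tmp/leaf.key" "$tmp/merged.crt" "$tmp/myserver.pfx" demo \
        && echo "wrote $tmp/myserver.pfx"
    rm -rf "$tmp"
fi
```

The order check compares distinguished names only; it confirms the file is arranged the way App Service expects, not that the signatures verify. Whether the chain ends in a CA your users trust is a property of the issuing CA, not of the file layout.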

Upload certificate to App Service

You're now ready to upload the certificate to App Service.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, select TLS/SSL settings > Private Key Certificates (.pfx) > Upload Certificate.

[Screenshot: Upload a private certificate to App Service]

In PFX Certificate File, select your PFX file. In Certificate password, type the password that you created when you exported the PFX file. When finished, click Upload.

When the operation completes, you see the certificate in the Private Key Certificates list.

[Screenshot: Upload certificate file finished]

Important

To secure a custom domain with this certificate, you still need to create a certificate binding. Follow the steps in Create binding.

Upload a public certificate

Public certificates are supported in the .cer format.

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, click TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate.

In Name, type a name for the certificate. In CER Certificate file, select your CER file.

Click Upload.

[Screenshot: Upload a public certificate to App Service]

Once the certificate is uploaded, copy the certificate thumbprint and see Make the certificate accessible.
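An added example, not from the article or from Microsoft, for the public-certificate steps above: the POSIX shell script re-encodes a PEM certificate as a DER-encoded .cer file and prints its SHA-1 thumbprint in the form the portal lists it (40 uppercase hex digits, no separators), so you can compare the value you copy after the upload with the file you actually uploaded. The thumbprint is just the SHA-1 hash of the DER bytes, and the script checks that identity as well. It assumes the openssl command-line tool is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes the openssl CLI on
# PATH; function names are this example's own.

# Re-encode a PEM certificate as a DER-encoded .cer file. A public certificate
# carries no private key, so nothing secret is handled here.
pem_to_cer() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-1 thumbprint in the form the portal shows: 40 uppercase hex digits, no
# colons. $2 is the input encoding, PEM (default) or DER.
cert_thumbprint() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# The thumbprint is the SHA-1 hash of the DER bytes, so hashing the .cer file
# must give the same value; a mismatch means a different file was uploaded.
der_sha1_hex() {
    openssl dgst -sha1 -r "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Usage: sh pubcert.sh certificate.pem   (writes certificate.cer, prints the thumbprint)
if [ "$#" -eq 1 ]; then
    cer="${1%.*}.cer"
    pem_to_cer "$1" "$cer"
    echo "wrote $cer"
    echo "thumbprint $(cert_thumbprint "$cer" DER)"
else
    echo "usage: $0 certificate.pem" >&2
fi
```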

Automate with scripts

Azure CLI

#!/bin/bash

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location chinaeast2 --name $resourceGroup

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn

# Upload the SSL certificate and get the thumbprint. The path and password are
# quoted so that spaces or shell metacharacters in them are passed through intact.
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
--certificate-password "$pfxPassword" --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="China East 2"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app.
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.chinacloudsites.cn")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources