Load Root Certificate in an ILB ASE

Here are the steps to upload a certificate to the Root Certificate store on the instance of an ILB ASE. This feature only works for ASEs. Brief overview:

  • Go to an app that needs the cert to be available.
  • Prepare your cert as a .cer file (see the detailed steps below).
  • Go to SSL settings in the app. Click Upload Certificate. Select Public. Select Local Machine. Provide a name. Browse and select your .cer file. Select upload.
  • Copy the thumbprint.
  • Go to Application Settings. Create an App Setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple thumbprints, you can put them in the same setting, separated by commas with no white space.

The cert will be available to all the apps in the same App Service plan as the app on which you configured that setting. If you need it to be available to apps in a different App Service plan, you will need to repeat the App Setting operation in an app in that App Service plan.

The last important step is to upload each certificate in the certificate chain. When you install a certificate via the browser workflow, you are installing the entire certificate chain. When you import certificates into the certificate store using this feature, you must import each certificate in the chain individually.

Detailed Steps

  1. Download all the certificates in the certificate chain and export them to the .cer format; I usually use the browser. You should be able to select either Base-64 encoded or DER encoded.

  2. Each certificate in the chain will have its own unique thumbprint. Upload all three certificates in the Azure portal under one of the apps in the app service plan.

  3. Once each certificate is loaded via the portal, add the app setting WEBSITE_LOAD_ROOT_CERTIFICATES with the value equal to the thumbprints, each thumbprint separated by a comma:
    For example: 41C56A2D5C5C89FD10325B0B5D92806F71935205,Thumbprint2,Thumbprint3
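
To cross-check the thumbprints before pasting them into the setting, the following added example (not part of the original post) computes the thumbprint of each exported .cer file, Base-64 or DER encoded, and builds the comma-separated value with no white space. The function names are hypothetical, and `SAMPLE_DER` is constructed stand-in bytes rather than a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)
THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")
# Constructed stand-in for DER bytes (not a real certificate), for offline runs.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

def cer_to_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer file that is Base-64 (PEM) or DER encoded."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("not a Base-64 or DER encoded certificate")
    return data

def thumbprint(data: bytes) -> str:
    """Certificate thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(cer_to_der(data)).hexdigest().upper()

def build_setting(cer_blobs) -> str:
    """One thumbprint per chain certificate, comma-separated, no white space."""
    prints = []
    for blob in cer_blobs:
        tp = thumbprint(blob)
        if tp not in prints:  # skip a certificate exported twice
            prints.append(tp)
    return ",".join(prints)

def check_setting(value: str) -> list:
    """Return problems found in an existing setting value (empty list = OK)."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains white space")
    for item in value.split(","):
        if not THUMBPRINT_RE.match(item.strip().upper()):
            problems.append(f"not a 40-hex-digit thumbprint: {item.strip()!r}")
    return problems

if __name__ == "__main__":
    # Usage: python thumbprints.py root.cer intermediate.cer leaf.cer
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_DER]
    print("WEBSITE_LOAD_ROOT_CERTIFICATES=" + build_setting(blobs))
```

Compare each computed thumbprint with the one the portal shows after upload; a mismatch means the exported file is not the certificate you uploaded.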