
Installing a free SSL certificate on Azure


1. Microsoft Azure Account

Of course, you need an Azure account to get started. You can sign up for free. You’ll receive $200 USD credit, which should probably last a few months depending on how many apps you are running. You’ll need to be familiar with Azure and able to navigate your way around Azure Web Apps.

2. Domain Name

This should be obvious, but you need a domain name; otherwise there’s no point in installing the SSL certificate in the first place. You can buy a domain cheaply. You’ll also need access to the administration area for the domain name, specifically the DNS settings.

3. Storage Account

The Azure Let’s Encrypt site extension leverages a feature of Azure Web Apps called WebJobs. WebJobs persist various bits of state over time, which requires a Storage account to be created.

4. Application Settings

With the Storage account in hand, go to Application Settings in the Portal and add two App Settings to the web app in question, called AzureWebJobsStorage and AzureWebJobsDashboard. Set the value of both settings to your storage account connection string, which looks something like this: DefaultEndpointsProtocol=https;AccountName={storage account name};AccountKey={storage account key}.

5. Register a Service Principal

First, you need to log in to PowerShell in your Azure portal.

Next, store a unique URI and a secure password in a couple of variables:

$uri = 'http://{some random name}'
$password = '{some strong password}'

With those set, create a new application:

$app = New-AzureRmADApplication -DisplayName '{some display name}' -HomePage $uri -IdentifierUris $uri -Password $password

Then a Service Principal for the new application:

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Finally, assign the Contributor role to the Service Principal:

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId

While you’re still in the PowerShell console, run $app.ApplicationId and save the GUID that is displayed. Later on it will be referred to as your ClientId, and the value of $password will be referred to as your ClientSecret.

With the Service Principal properly registered, Azure Let’s Encrypt will be able to use the Azure APIs on your behalf to configure certificates.
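
A least-privilege variant of the registration above, as an added example rather than code from the original post or the site extension project: it generates the secret instead of typing one, and scopes Contributor to a single resource group. The placeholder names are assumptions, and it assumes the web app and its App Service plan both live in that resource group.

```powershell
# Added example: placeholder names below are assumptions, not values from the post.
$resourceGroup = '{resource group of the web app}'
$displayName   = '{some display name}'
$uri           = 'http://{some random name}'

# Generate a 32-byte random secret instead of inventing a password by hand.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$password = [Convert]::ToBase64String($bytes)

# Same cmdlets as the post. Newer AzureRM releases expect -Password as a
# SecureString; if yours does, pass
# (ConvertTo-SecureString $password -AsPlainText -Force) instead.
$app = New-AzureRmADApplication -DisplayName $displayName -HomePage $uri `
    -IdentifierUris $uri -Password $password
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# The new principal can take a few seconds to replicate in the directory.
Start-Sleep -Seconds 20

# Scope Contributor to the one resource group. Without a scope parameter the
# assignment applies to the whole subscription.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
    -ServicePrincipalName $app.ApplicationId `
    -ResourceGroupName $resourceGroup | Out-Null

# Check what the principal can actually reach: expect one resource-group scope.
Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId |
    Select-Object RoleDefinitionName, Scope

# Copy these into the App Settings once; do not keep them in a script file.
"ClientId:     $($app.ApplicationId)"
"ClientSecret: $password"
```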


With the prerequisites out of the way, we can install and configure the site extension.

1. Install Site Extension

To install the Azure Let’s Encrypt site extension, open your site’s SCM page at the URL https://{your site name}

If authentication is required, log in with the same credentials you’d use to access the Azure Portal.

In the SCM site’s main navigation, click on Site extensions, then the Gallery tab and search for “Azure Let’s Encrypt”. Find it in the list and install it by clicking the + button.

Once the site extension has finished installing, you’ll be required to restart the site. After the restart, click the triangle Launch button that replaced the extension’s install button.

Note: If you get a “No route registered for ‘/letsencrypt/'” error, go to the portal, Stop then Start your site (not Restart), and try again.

2. Configure Azure Let’s Encrypt

The Azure Let’s Encrypt site extension will greet you with this slightly intimidating screen:

Authentication Settings

It’s a tad confusing, but don’t fill in the boxes you see near the bottom of the screen. Instead, go back to the Portal’s Application Settings screen and input App Settings for letsencrypt:Tenant, letsencrypt:SubscriptionId, letsencrypt:ClientId, letsencrypt:ClientSecret and letsencrypt:ResourceGroupName.

Some of the values can be found very easily in the portal:

  • letsencrypt:Tenant is on the Azure Active Directory page
  • letsencrypt:SubscriptionId is in the main page of your web app
  • letsencrypt:ResourceGroupName is just the name you used when you created your resource group

The other values come from the Service Principal that was registered in the prerequisites:

  • letsencrypt:ClientId is the GUID from $app.ApplicationId
  • letsencrypt:ClientSecret is the value from $password

Once the App Settings are saved, refresh the Azure Let’s Encrypt page and the form field boxes will be automatically filled in.
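
A preflight check for the seven App Settings named in this walkthrough, as an added example that is not part of the original post or the site extension. The function name and the sample values are hypothetical and constructed for illustration; the sample deliberately contains three mistakes.

```powershell
# Added example: validates the seven App Settings this walkthrough relies on.
function Test-LetsEncryptAppSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $problems = @()
    $required = 'AzureWebJobsStorage', 'AzureWebJobsDashboard',
        'letsencrypt:Tenant', 'letsencrypt:SubscriptionId', 'letsencrypt:ClientId',
        'letsencrypt:ClientSecret', 'letsencrypt:ResourceGroupName'
    foreach ($name in $required) {
        if ([string]::IsNullOrWhiteSpace([string]$Settings[$name])) {
            $problems += "missing: $name"
        }
    }
    # SubscriptionId and ClientId (the application id) are both GUIDs.
    $parsed = [guid]::Empty
    foreach ($name in 'letsencrypt:SubscriptionId', 'letsencrypt:ClientId') {
        $value = [string]$Settings[$name]
        if ($value -and -not [guid]::TryParse($value, [ref]$parsed)) {
            $problems += "not a GUID: $name"
        }
    }
    # Both WebJobs settings hold a storage connection string.
    foreach ($name in 'AzureWebJobsStorage', 'AzureWebJobsDashboard') {
        $value = [string]$Settings[$name]
        if (-not $value) { continue }
        $parts = @{}
        foreach ($pair in $value.Split(';')) {
            # Split on the first '=' only: account keys are base64 and end in '='.
            $key, $val = $pair -split '=', 2
            if ($key) { $parts[$key.Trim()] = $val }
        }
        if ($parts['DefaultEndpointsProtocol'] -ne 'https') { $problems += "$name is not using https" }
        foreach ($field in 'AccountName', 'AccountKey') {
            if (-not $parts[$field]) { $problems += "$name has no $field" }
        }
    }
    return $problems
}

# Constructed sample values (not real credentials); ClientSecret is omitted on purpose.
$fakeStorage = 'DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=Q09OU1RSVUNURUQ='
$sample = @{
    'AzureWebJobsStorage'           = $fakeStorage
    'AzureWebJobsDashboard'         = $fakeStorage.Replace('https', 'http')
    'letsencrypt:Tenant'            = 'example.onmicrosoft.com'
    'letsencrypt:SubscriptionId'    = '00000000-0000-0000-0000-000000000001'
    'letsencrypt:ClientId'          = 'not-a-guid'
    'letsencrypt:ResourceGroupName' = 'example-rg'
}
Test-LetsEncryptAppSettings -Settings $sample
```

The function only inspects the values it is given, so it can be run on a hashtable copied from the Portal before the extension page is refreshed.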

Click the Next button at the bottom of the screen. If everything is configured properly, you’ll be presented with a page showing a list of the Hostnames, SSL bindings and Certificates from your site.

Click Next on this screen to finally get to the last step: requesting and installing a certificate.

3. Request and Install a Certificate

If you’ve made it this far, the good news is that this step is the easiest to complete.

Select the Hostname you’d like a certificate for from the drop down menu, enter your email address and click the Request and Install certificate button.

(Don’t check the Use Staging option, it’s mostly useful for testing Let’s Encrypt without running into their rate limits.)

In the background, the site extension uses ACMESharp to obtain and verify a certificate from Let’s Encrypt. Once it has the certificate, it leverages Azure APIs to automate configuring the certificate in IIS using the provided Service Principal credentials. Let’s Encrypt never receives the Service Principal credentials.

4. Success!

Once complete, you can browse to the HTTPS version of the hostname you selected. As long as you don’t have any mixed content issues (HTTP resources on the HTTPS page), you’ll see the familiar “Secure Connection” padlock and notification.
