Installing or renewing a wildcard SSL certificate in Microsoft Azure Web Apps

Summary

Last night I renewed the wildcard SSL certificate for this website, but I encountered some issues when I tried to install the new certificate in Azure Web Apps. If you try to install a wildcard SSL certificate with a wildcard binding (i.e. you try to set a hostname of the format *.domain.com, rather than of the format subdomain.domain.com) you might well encounter the same issue. This article explains how to fix it.

Background

Since the old SSL certificate for this website is due to expire in a week or two, last night I decided it was time to renew it. Having obtained an updated certificate from StartSSL in the usual fashion, it should have been straightforward to install it in Azure Web Apps, but for some reason it wasn't.

I went to the new Azure portal (https://portal.azure.com), selected my web app and chose Settings → Custom domains and SSL → Upload Certificate and uploaded my new .pfx certificate file and provided the password.

Now I had both the expiring and new SSL certificates available, so I chose the newer one, as shown below. Observe that the newer certificate has a thumbprint which starts with 49A.

Having selected the new certificate, when I tried to save my configuration I got the following error:

This didn't make much sense to me, especially as I was able to bind the naked domain tomssl.com to the certificate. Why not *.tomssl.com?

Eventually I decided to try the old Azure portal (https://manage.windowsazure.com) and it worked.

Go to https://manage.windowsazure.com → Web Apps → Your App Name → Configure, scroll down to ssl bindings and select the correct certificate (which may not be that easy, as some of the information may not be visible in the drop-down) as shown below.

After I'd done this and saved the new configuration I went back to the new portal and refreshed the Custom domains and SSL blade and the new certificate was bound correctly (note the thumbprint starts with 49A).

This was confirmed when I navigated to this website's homepage, clicked on the green padlock and checked out the certificate. Try it yourself.
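The padlock check above can be scripted so that every hostname covered by the wildcard binding is tested after a renewal. The following Python is an added example, not code from the original post: it connects with SNI (which is what Azure uses to pick the bound certificate), reads the leaf certificate actually served, computes its SHA-1 thumbprint (the value the Azure portal displays), and checks that the certificate's subject alternative names cover the hostname. The wildcard matching helper follows the usual browser rule that `*.domain.com` covers one label only, so a naked domain such as tomssl.com must appear as its own SAN entry. The hostnames and the thumbprint prefix `49A` are taken from the post; everything else is assumed.

```python
import hashlib
import socket
import ssl


def hostname_matches(pattern, hostname):
    """Browser-style name matching: '*.tomssl.com' matches 'www.tomssl.com'
    but neither the naked 'tomssl.com' nor the two-level 'a.b.tomssl.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".tomssl.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    # exactly one non-empty label may stand in for the '*'
    return bool(label) and "." not in label


def cert_covers(san_dns_names, hostname):
    """True if any DNS SAN entry on the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def fetch_leaf_cert(hostname, port=443, timeout=10):
    """Handshake with SNI set to `hostname` and return the served leaf
    certificate as (sha1_thumbprint_hex, [DNS SAN names])."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            parsed = tls.getpeercert()  # parsed form is only populated after verification
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    dns_names = [value for kind, value in parsed.get("subjectAltName", ()) if kind == "DNS"]
    return thumbprint, dns_names


def verify_binding(hostname, expected_thumbprint_prefix):
    """Report whether `hostname` is served with the renewed certificate.
    A verification failure is reported rather than raised, because a stale
    or mismatched binding is exactly what this check is meant to surface."""
    try:
        thumbprint, names = fetch_leaf_cert(hostname)
    except (ssl.SSLError, OSError) as exc:
        return {"hostname": hostname, "ok": False, "error": str(exc)}
    prefix_ok = thumbprint.startswith(expected_thumbprint_prefix.upper())
    name_ok = cert_covers(names, hostname)
    return {
        "hostname": hostname,
        "thumbprint": thumbprint,
        "san": names,
        "ok": prefix_ok and name_ok,
    }


if __name__ == "__main__":
    # Hostnames from the post; '49A' is the thumbprint prefix of the renewed certificate.
    for host in ("tomssl.com", "www.tomssl.com"):
        print(verify_binding(host, "49A"))
```

Run it once for the naked domain and once for a subdomain: both should report `ok: True` with the same thumbprint. If the naked domain passes but the subdomain fails with a hostname-mismatch or an older thumbprint, the wildcard binding (rather than the certificate itself) is what still needs fixing.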

Tidying up

When you've finished updating your SSL bindings you can delete the old certificate from your Azure account. If you get an error when trying to do this, the chances are you have another binding using that certificate. This happened to me, but once I'd removed all bindings for the old certificate I was able to delete it.

Conclusion

Renewing an SSL certificate should perhaps be easier than it is. If you are struggling to get your wildcard SSL bindings to work in Azure Web Apps, try using the old management portal. In fact this is probably good general advice: if something doesn't seem to work correctly in the new Azure portal, try using the old portal before throwing up your hands in despair; it just might work.

Interestingly, when I tried to bind my new certificate to a specific subdomain it worked fine in the new portal, meaning it interpreted the wildcard certificate correctly. So this does appear to be a problem specific to a wildcard SSL binding - i.e. it only happens when you choose something of the format *.domain.com as your hostname.