Configure Custom Domain Name and SSL Certificate in Azure Web App

I’m reading Learning Windows Azure by Geoff Webber-Cross, following the examples and got to the chapter where I need to configure a custom domain name for the Azure Web App and upload SSL Certificate. I have not done it before, so it turned out to be an interesting experience.

The author did not mention what domain name registrar he used but he mentioned that he got SSL Certificate from GlobalSign. Since I already had an account with GoDaddy, I decided to buy a domain name and SSL Certificate from it. Another difference from author’s experience is that I’m doing the development in Windows 8 Pro virtual machine (Parallels) on MacBook Pro.


If you do not currently own a domain name – you might want to follow this post to buy it directly in Azure Portal, then this one to obtain and upload SSL Certificate but I had problems following instructions in both posts, hence this post.

Buy Domain Name

As I mentioned, I’m following the examples in the book and already have Web App deployed in Azure and it has a URL of . As you can see – you can request the page using either HTTP or HTTPS protocols. In the latter case, Azure provides a wildcard SSL Certificate for you. If you click on the green padlock in browser address bar, then select Connection tab and then click on Certificate Information you will see that the SSL Certificate belongs to Microsoft.


It is time to get your own. But before that you need to buy a domain name.

On GoDaddy web site navigate to Domains | Domain Search, select the name that you like (I’ve got, buy it, and then go to Domains | Manage My Domains, select the domain name and you will end up on Domain Details page. From there you need to go to DNS ZONE FILE page. This page displays your default resource records. We will be interested in A (Host) and CName (Alias) records.


In short, A (Host) record points a domain name to IP address and CName (Alias) record points one subdomain to another.

In the A-record section we see that the root domain (the @ symbol, which is synonymous to the domain I bought, i.e. is currently pointing to the IP address of the web page that is parked for us by GoDaddy.

If you open a Terminal or Command Prompt window and type


you will see

Non-authoritative answer:

In the CName record section we see three default records which map common subdomains. We do not care about email and ftp subdomains, but we do about www.  The last record says, that www subdomain is mapped to root domain (@), in other words it means that is mapped to Let’s check:


Non-authoritative answer:	canonical name =

So, maps to using CName record, and then maps to IP address using A record.

Configure A- and CName-records in Domain Name Registrar

Currently the custom domain name points to a parked web page provided by GoDaddy, but we need it to point to Azure Web App. To do that we need to know the IP address of that app.

NOTE: your app needs to be in a Standard App Service Plan!

In Azure Portal navigate to the Web App and select CONFIGURE. This page displays the SSL Certificates, domain names and SSL bindings.



Currently, the page displays only one domain name that you’ve got when I created the Web App –

Hit manage domains button to see the IP address assigned to the app.


From this page we see that we need to use the IP address of when configuring our A record.

This is the point where I started having problems. I followed the instruction to a tee, but in the end still could not make www subdomain to redirect to the root domain. I.e. when I would type instead of navigating to my Web App, the browser would give me 404 – Page Not Found error. I started experimenting with different settings and finally made it working. In the end I had to modify the original A- and CName-records and create a new CName-record:

First, I re-mapped the original A-record for root domain (@) (i.e., from GoDaddy’s parked web page to the IP address of the Web App (


Second, I created a new CName-record for Azure verification. I mapped awverify subdomain to


Third, I re-mapped the original CName-record for www subdomain. I changed “POINTS TO” mapping from root domain (@) to This resolved the problem with 404 error navigating to


So, in the end I ended up with these A- and CName- records:


After a few minutes I did the following checks:


Non-authoritative answer:



Non-authoritative answer:	canonical name =	canonical name =	canonical name =

which confirmed that DNS records have been propagated.

Configure Domain Names in Azure Portal

Now it’s time to go back to Azure Portal and configure the domain names. Go to CONFIGURE page and in domain names section hit manage domains button.

First, add (there will be a green check mark to the right of the name, but I missed it while taking a pic)


Then (yay! green check mark!)


In the end I had the following settings for domain names:


Now, if you navigate to either root domain


or www subdomain


you will hit the Azure Web App. Now it is time to deal with SSL Certificate.

Buy SSL Certificate

On GoDaddy web site navigate to Hosting & SSL | SSL Certificates. On this page you can buy SSL Certificate that secures one website, UCC/SAN SSL Certificate that secures up to 100 websites or Wildcard SSL Certificate that secures one website and all of its subdomains. We need the first one – that secures just one site. After you purchase it – it’s time to generate a Certificate Signing Request file.

Generate a Certificate Signing Request (.CSR) File

The above mentioned post lists a number of ways you can generate CSR file. I initially started with option using Certreq.exe in Windows 8 Pro virtual machine (Parallels) but GoDaddy would not accept the resulting CSR saying it has an error. I’m not sure if it had to do something with the fact that I was generating CSR in a VM.

Next, because I’m using MacBook Pro I decided to try the third option – generating CSR with OpenSSL bypassing the option with IIS. OS X has OpenSSL preinstalled. If you want to use it on Windows machine, you need to download and install it since Windows does not come with it.

In Terminal type the following command and provide answers. The Certificate Authority (CA) will validate that you are the owner of the domain name the SSL Certificate you are requesting for.

openssl req -new -nodes -newkey rsa:2048 -keyout 

On this step you do not actually need to provide a challenge password.



You will get two files – and

The .CSR file is a text file and looks like this:


You need to copy in the clipboard entire content of the file, including —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—–

Submit Certificate Signing Request

On GoDaddy web site navigate to Hosting & SSL | Manage SSL Certificates. In the SSL Certificates section you will see your new SSL Certificate, click Manage button and paste the content of the .CSR file in the form. Make sure that the Common Name shows the domain name you chosen, in my case it was . I was actually not been able to achieve this result with .CSR generated with Certreq.exe.

After you submit the form with Certificate Signing Request, GoDaddy will perform a number of validations but in the end you will receive an email informing you that the SSL Certificate was issued and you will see the following page:


Hit Download button and you will be taken to a new page.


Select IIS as Server type and hit Download Zip File. The ZIP file contains two files – .CRT and .P7B. Copy those two file to the same directory where your .KEY file is and run the following command to convert a CRT certificate to a PFX certificate:

openssl pkcs12 -export -in 78c510f1a71c4d98.crt -inkey 
-certfile gd-g2_iis_intermediates.p7b -out

This time you need to provide the password – you will need it again while uploading the .PFX certificate into Azure Web App.



Upload .PFX Certificate in Azure Portal

Go back to Azure Portal and in certificates section hit upload a certificate button.


After a few seconds you will see that the certificate has been successfully uploaded.


Assign SSL Bindings in Azure Portal

In the ssl bindings section first select root domain –, chose the uploaded SSL Certificate and keep SNI SSL type. Repeat for the www subdomain. Then hit SAVE button. In the end your settings will look like this


Now, if you navigate to either root domain


or www subdomain


using HTTPS protocol you will see a padlock in the browser’s address bar. The Certificate Information dialog now confirms that the SSL Certificate was issued for



Enforce HTTPS on your Azure Web App

The last thing we need to do is to add RequireHttps filter to controller actions where secured communication is needed.


Configure Custom Domain Name and SSL Certificate in Azure Web App

One thought on “Configure Custom Domain Name and SSL Certificate in Azure Web App

Comments are closed.