How to Install an SSL Certificate on Azure

This tutorial explains how to install an SSL certificate on Microsoft Azure for a web app (Azure App Service).

How to generate a CSR code for Microsoft Azure

Unlike most server platforms, Azure doesn’t let you generate a CSR from its interface. Because App Service is a managed cloud platform, you can only upload a finished certificate (as a single .pfx file) rather than create the key pair on the server itself.

So you generate the CSR (and the private key) elsewhere, then package everything into a .pfx. The simplest route on Windows is IIS (Internet Information Services) Manager: create the CSR there, complete the request with the issued certificate, then export it (private key included) to .pfx. Follow these two guides in order:

Prefer the command line? You can also build the CSR and the .pfx with OpenSSL. See Step 2 below for the exact export command Azure requires.

How to install an SSL certificate on Azure for a web app

Before you upload a third-party SSL certificate to your Azure web app, make sure it meets Azure App Service’s requirements:

  • The certificate is exported as a password-protected .pfx file, encrypted using triple DES.
  • The private key is at least 2048 bits long.
  • All intermediate and root certificates are included in the certificate chain.
  • For a TLS/SSL binding, the certificate includes the Extended Key Usage: Server Authentication attribute (OID 1.3.6.1.5.5.7.3.1).

Plan requirement: not every App Service plan supports custom certificates. You need to be on the Basic, Standard, Premium, or Isolated tier. The Free and Shared tiers can’t hold an uploaded certificate or a TLS binding.

Step 1: Prepare your certificate for upload

After the Certificate Authority issues your certificate, download the ZIP archive and extract it on your computer. If the server, intermediate, and root certificates arrive as separate files, merge them into one file first:

  • Open each certificate in a plain-text editor.
  • Create a new file named mergedcertificate.crt.
  • Paste the contents of every certificate into it, in this exact order: server certificate → intermediate certificate(s) → root certificate.

The merged file should look like this, with each block bounded by five hyphens on either side and no blank line between blocks:

-----BEGIN CERTIFICATE-----
(your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate)
-----END CERTIFICATE-----

Step 2: Export the certificate to PFX

Azure accepts only a single password-protected .pfx file that bundles the certificate, its chain, and the private key. If you already have the certificate installed in IIS, follow our guide on how to export the certificate to a PFX file in IIS.

To build the .pfx from the command line instead, use OpenSSL:

openssl pkcs12 -export -out myserver.pfx \
  -inkey <private-key-file> \
  -in <merged-certificate-file> \
  -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg SHA1

Replace <private-key-file> with your private key and <merged-certificate-file> with the merged certificate from Step 1; OpenSSL will prompt you to set the export password. The -keypbe PBE-SHA1-3DES, -certpbe PBE-SHA1-3DES, and -macalg SHA1 flags force the triple-DES encryption Azure expects. They’re required on OpenSSL 3.x, which no longer uses the legacy 3DES algorithms by default. Without them, Azure rejects the upload.
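A pre-upload check of the finished .pfx against the requirements listed above, as an added example that is not part of the original tutorial. It assumes OpenSSL 1.1.1 or later on the PATH, an RSA key, and the PFX password exported in an environment variable named PFX_PASS; pfx_preflight is a hypothetical helper name.

```bash
# Added example, not from the original tutorial. pfx_preflight is a
# hypothetical helper; the PFX password is read from the PFX_PASS
# environment variable so it stays off the command line.
# Usage: export PFX_PASS (e.g. from a silent prompt), then
#        pfx_preflight myserver.pfx
pfx_preflight() (   # subshell body keeps the variables local
  pfx="$1"; rc=0
  # -info -noout lists the bag and MAC algorithms (on stderr) and writes
  # no key material.
  info=$(openssl pkcs12 -in "$pfx" -info -noout -passin env:PFX_PASS 2>&1) || {
    echo "FAIL: cannot read $pfx (wrong password or unsupported encryption)"
    exit 2
  }
  if printf '%s\n' "$info" | grep -q 'PBES2' ||
     ! printf '%s\n' "$info" | grep -q '3-KeyTripleDES'; then
    echo "FAIL: not triple-DES encrypted; re-export with the Step 2 flags"; rc=1
  fi
  printf '%s\n' "$info" | grep -q 'Shrouded Keybag' ||
    { echo "FAIL: no private key in the file"; rc=1; }

  # -clcerts selects the certificate that matches the private key (the leaf).
  text=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null |
         openssl x509 -noout -text 2>/dev/null || true)
  bits=$(printf '%s\n' "$text" |
         sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] ||
    { echo "FAIL: public key is ${bits:-unknown} bits, need at least 2048"; rc=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
    { echo "FAIL: EKU Server Authentication (1.3.6.1.5.5.7.3.1) missing"; rc=1; }

  # Heuristic only: a lone leaf means no intermediates were bundled.
  ncerts=$(openssl pkcs12 -in "$pfx" -nokeys -passin env:PFX_PASS 2>/dev/null |
           grep -c 'BEGIN CERTIFICATE' || true)
  [ "${ncerts:-0}" -ge 2 ] ||
    { echo "FAIL: ${ncerts:-0} certificate(s) in file; chain not included"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: $pfx passes the pre-upload checks"
  exit "$rc"
)
```

The function returns 0 when every check passes, 1 when a requirement is not met, and 2 when the file cannot be opened. The chain check only counts certificates; it does not verify that they form a valid path to a trusted root.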

Step 3: Upload the certificate to App Service

Now add the .pfx to your web app in the Azure portal:

  1. Sign in to the Azure portal and open your App Service (web app).
  2. In the left menu, go to Certificates → Bring your own certificates (.pfx) → Add certificate.
  3. Choose Upload certificate as the source, select your .pfx file, and enter the PFX password.
  4. Give the certificate a friendly name, then select Validate and, once validation passes, Add.

The certificate now appears under Bring your own certificates (.pfx), but it isn’t serving traffic yet. You still have to bind it to a domain.

Step 4: Create a TLS/SSL binding

The binding is what actually enables HTTPS for your custom domain. Without it, the uploaded certificate does nothing.

  1. In the same App Service, open Custom domains and select Add binding (on the custom domain you want to secure).
  2. Choose the domain and the certificate you just uploaded.
  3. Select the TLS/SSL type (SNI SSL for most apps, or IP-based SSL if you need a dedicated IP on the Standard tier or higher), then select Add binding.

That’s it. Your Azure web app now serves HTTPS on the bound domain. To confirm the certificate is live and the chain is complete, run your site through our SSL Checker or simply open the site and check the padlock.

Where to buy an SSL certificate for Microsoft Azure

The best place to buy an SSL certificate for Azure is SSL Dragon. We offer competitive prices, regular discounts, and great deals across our entire range of SSL products. We’ve carefully selected the best SSL brands on the market to give your web app strong, browser-trusted encryption. All our SSL certificates are compatible with Microsoft Azure App Service.

Frequently Asked Questions

Can I generate a CSR directly in Azure?

No. Azure App Service doesn’t generate CSRs or private keys. You create the CSR elsewhere (most easily in IIS Manager on Windows, or with OpenSSL), finish the certificate there, then export it as a single password-protected .pfx file and upload that to Azure.

Why does Azure require a .pfx file instead of separate .crt and .key files?

App Service is a managed platform that imports the certificate, its full chain, and the private key as one object. The .pfx (PKCS#12) format packages all of that into a single, password-protected file, so it’s the only format the upload accepts. Make sure the private key is included when you export.

I uploaded the certificate but the site still shows “not secure”. Why?

Uploading a certificate only stores it; it doesn’t activate HTTPS. You also have to create a TLS/SSL binding under Custom domains → Add binding, linking the certificate to your custom domain and choosing SNI SSL or IP-based SSL. Until the binding exists, the certificate isn’t served.

Why is Azure rejecting my .pfx exported with OpenSSL 3?

OpenSSL 3.x dropped the legacy triple-DES algorithms from its defaults, but Azure still expects a 3DES-encrypted .pfx. Re-export with the explicit flags -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg SHA1 on the openssl pkcs12 -export command (see Step 2), and the upload will succeed.

Which App Service plan do I need to install an SSL certificate?

You need the Basic, Standard, Premium, or Isolated tier. The Free and Shared tiers don’t support uploading a certificate or adding a TLS/SSL binding, so upgrade the plan first if your app is on one of those.

Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.