Blog of Denis VOITURON

for a better .NET world

SSL certification of an Azure website, via Let's Encrypt

Posted on 2018-01-29

More and more sites are accessible via https (SSL) and recent browsers recommend accessing websites using this protocol.

For some time, the Certificate Authorities (CA) have been increasingly reducing their prices and some even offer to certify for free. This is the case of Let’s Encrypt which validates your certificate for a maximum of 90 days. Other authorities such as Gandi offer you annual certificates at a low price (14.52 € per year).

For Let’s Encrypt, the detailed procedure is at https://zerossl.com/usage.html.


To create and validate certificates, it is necessary to use two tools:


The steps to create a SSL certificate and validate it with the Let’s Encrypt Certificate Authority are:

1. Create a private key to encrypt your data.

openssl genrsa -out mydomain.key 2048

2. Create a Let’s Encrypt account identification key, to simplify later updating of the certificate.

openssl genrsa -out account.key 4096

3. Create a Certificate Request for the website.

Send this request to the Certificate Authority (CA) which will verify that you are the owner of the website. Let’s Encrypt checks the content of a specific file (without extension) in the sub-site http://mydomain.com/.well-known/acme-challenge.

By default, Azure does not recognize files without extension; it is therefore necessary to modify the Web.Config and add the staticContent/mimeMap tag.


The following command uses the account key (account. key), private key (mydomain. key) and certificate request (CSR) and generates the validated certificate (CRT). With the –live parameter, this command saves a file in the D:\home... folder that is checked via the URL of the domain.

le.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "www.dvoituron.com,dvoituron.com" --path D:\home\site\wwwroot\.well-known\acme-challenge\ --generate-missing --unlink --live

The –domains argument is very important and specifies the domain names validated by the certificate. The –path argument must be adapted according to the location where your website is hosted.

4. Convert the private key (KEY) and validated certificate (CRT) to the PFX format recognized by Microsoft (IIS and Azure).

openssl pkcs12 -export -out mydomain.pfx -inkey mydomain.key -in mydomain.crt -passout pass:MyPassword

Adapt the MyPassword with your personal password.

5. Install the certificate validated by the CA, in your web server.

Download the previously generated PFX file: http://mydomain.com/.well-known/acme-challenge/mydomain.pfx

And, import it into the Azure portal and bind it to your hosts (SSL Type = SNI).


The renewal procedure is similar. Just add the parameters –renew 10 –issue-code 100 to the command LE.EXE; and export the certificate in a PFX format to re-import it into Azure (see https://zerossl.com/usage.html).

This procedure can be automated. See the article by Benoît Sautière.



Follow me

Recent posts