Exporting Azure SSL Certificates

Azure allows you to purchase/manage SSL certificates through the Azure portal.  The service is called App Service Certificates.  However, the portal only accommodates using the SSL cert for other Azure Apps.  The following explains the steps required to export an SSL certificate from Azure App Service Certificates, so you can use it in your own web app.  For reasons beyond my knowledge, Azure does not make this straightforward!

Firstly you will need access to PowerShell.  Ensure the AzureRM Module has been installed.  You can install AzureRM in PowerShell using the following commands (NOTE: for Windows users you may have to run PowerShell as administrator):

  • Install-Module -Name AzureRM -AllowClobber

You will be warned about an untrusted repository.  Just press “yes” or “yes to all”.  Once the install has completed, load the AzureRM module into your PowerShell session:

  • Import-Module -Name AzureRM

That’s AzureRM installed.  Should you require more information regarding installing AzureRM, you can see a full tutorial here.

The next step is completely documented in this blog.  It will take you through the steps required to export the SSL cert in PFX format.  It is very well explained so there’s no point in me rewriting it.  When you have the PFX file created/downloaded, come back here for the next step on converting it to PEM format.  Remember to take note of the PFX password after generating the PFX file  (it is displayed at the end of the PowerShell output).

The next step is to use OpenSSL to convert PFX to PEM.  There is an issue here where you have to include the password in the OpenSSL command line.  The conversion would fail when we tried without the password.  OpenSSL would prompt for the password, which we would enter, but would then fail giving the following error message – “Mac verify error: invalid password?”.  This may not be the case for everyone, but it consistently happened for a couple of users here.

The following is the OpenSSL command that will work successfully:

  • openssl pkcs12 -in appservicecertificate.pfx -out pkey_cert.pem -nodes -password pass:{INSERT_PFX_PASSWORD_HERE}

NOTE: For Windows users, best to use Git Bash for OpenSSL and wrap the command with winpty:

  • winpty openssl.exe pkcs12 -in appservicecertificate.pfx -out pkey_cert.pem -nodes -password pass:{INSERT_PFX_PASSWORD_HERE}

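That should do it.  You should now have a PEM file that you can use in your web apps outside of Azure.  Because the command uses -nodes, the private key in that file is not encrypted, so restrict who can read it.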
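The same conversion with the password supplied through an environment variable instead of the command line, followed by a check that the exported private key and certificate belong together. This is an added example, not part of the original post; the variable name PFX_PASSWORD and both function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). PFX_PASSWORD and the function
# names are assumptions of this example.

# pfx_to_pem <pfx-file> <pem-out>
# Same conversion as above, but the password is read from the environment
# (-passin env:...) so it is not part of the command-line arguments or the
# shell history.
pfx_to_pem() {
    local pfx="$1" pem="$2"
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 2; }
    # -nodes writes the private key unencrypted: create the file owner-only.
    ( umask 077
      openssl pkcs12 -in "$pfx" -out "$pem" -nodes -passin env:PFX_PASSWORD
    ) || { rm -f "$pem"; return 1; }
}

# pem_key_matches_cert <pem-file>
# Succeeds only when the public key derived from the private key equals the
# public key of the first certificate in the file.
pem_key_matches_cert() {
    local pem="$1" from_key from_cert
    from_key=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Usage (type the password at the prompt so it is not saved in history):
#   read -rs PFX_PASSWORD && export PFX_PASSWORD
#   pfx_to_pem appservicecertificate.pfx pkey_cert.pem \
#       && pem_key_matches_cert pkey_cert.pem && echo "key and cert match"
#   unset PFX_PASSWORD
```

If the PFX also contains intermediate certificates, the check compares the key against whichever certificate appears first in the PEM file.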
