Typically, the most costly - and frankly most misunderstood - part of deploying a website these days is setting up a Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for it. Previously, you would want to deploy one if your site involved any form of secure authentication or the entering of personal data. This requirement is necessary because a certificate verifies that the website is real, has not been compromised and is not of dubious origin. These days, for anyone chasing search engine rankings or wanting to get rid of any pesky Not Secure messages within the web browser window, getting a full grasp on procuring an SSL/TLS certificate becomes mandatory in ensuring your website receives appropriate attention via the globe's largest search engine. The problem is, though, that these certificates cost money - anywhere up to hundreds of pounds in some cases. For situations where you only need to suppress any Not Secure messages within the browser window, this seems like an unnecessary cost for something that should, in my view, come as standard when hosting your website.
With all this in mind, I was pleased to find out this week about a new preview feature for App Service plans - the ability to set up a managed TLS certificate, at no extra charge. Long overdue in many people’s minds, I am sure, this represents a positive step forward in allowing customers to reduce their costs and meet their limited objectives when maintaining a commercial website. It’s also effortless to set up, which ticks a massive box in my book.
As the above article provides excellent setup instructions for this new feature, I wanted the focus of today’s post to be on highlighting the key points relating to this feature, so you can quickly analyse whether this is something that you wish to put in place for your current Azure websites:
- Any certificates generated will be valid for six months at the time of issue. Microsoft will automatically renew and apply a new version of the certificate when it is close to expiring.
- DigiCert issues all certificates, and they are secured using a SHA256 signature hash algorithm.
- Microsoft provides no environment restrictions for its usage; this, therefore, means you can freely set a managed certificate up for your development, testing and production sites.
- This feature does not support wildcard certificates or naked domains (e.g. www.mydomain.com or test.mydomain.com are allowed, but mydomain.com is not).
- Microsoft does not automatically bind the certificate to your domain after it is generated; you must still do this manually.
- The feature is not available on the Free or Shared tier plans.
- You cannot export the certificate after generating it.
- At the time of writing, there do not appear to be any PowerShell cmdlets or Resource Manager template samples available relating to this feature. Expect these to be available in due course.
- The feature is only compatible with custom domains that have been configured using a CNAME record. Attempting to secure a domain set up via an A record will produce the following error message:
- Remember as part of all this that the feature is in preview. It may be subject to change or removal. Therefore, I would caution against its use within production environments.
Conclusions or Wot I Think
Providing potential customers of your organisation assurance that your website is secure when, for example, they are submitting their contact details to you is of paramount importance. Unfortunately, Google’s and other web providers’ enforcement of stricter requirements in this area, while laudable, has, I think, caught a lot of organisations out and also introduced unnecessary costs and confusion into the mix. Clearly, if you are a huge multi-national corporation processing financial transactions, then a more expensive SSL/TLS certificate will be desirable; but less so if you are a small company with a basic contact form on your home page. The fact that Microsoft is now following the lead of other hosting providers, in giving their customers a free, “no-strings-attached” TLS certificate, is a positive step forward and an important step towards securing all websites on the web today. Also, organisations can then leverage this for the benefit of their customers, internet search rankings and - perhaps most importantly - their yearly IT budgets. 🙂