How to update Azure Web App TLS/SSL bindings in bulk using PowerShell

If you have an Azure Web App with multiple custom domains and you want to enable TLS (Transport Layer Security), you’ll need to add a TLS/SSL certificate binding for each hostname.

These bindings can be configured individually via the Azure Portal web interface. However, if the number of hostnames is large, updating the TLS/SSL binding for each hostname one at a time can be quite a chore.

TLS/SSL certificates that are purchased from a certificate authority, or from a reputable reseller, will usually expire after one year. After this, a new certificate must be purchased, uploaded to the cloud, and assigned to each hostname.

This article documents how to replace the manual process of updating TLS/SSL bindings via the Azure Portal with a PowerShell script that can automate the process instead.

Azure Portal

Before reviewing the PowerShell script, let’s take a quick look at how certificates and bindings are managed within the Azure Portal to help put things into context.

Private Key Certificates

TLS/SSL certificates that are purchased from a certificate authority/reseller need to be uploaded to Azure before they can be used for Web Apps, Function Apps, or any other type of Azure resource that supports TLS/SSL bindings.

The interface that allows certificates to be uploaded for an Azure Web App can be accessed by opening the Web App in the Azure Portal and selecting the ‘TLS/SSL settings’ link on the left-hand panel. After the TLS/SSL settings blade has loaded, select the ‘Private Key Certificates (.pfx)’ tab and then press the ‘Upload Certificate’ link.

The user interface should look similar to the screenshot below.

Add Private Key Certificate via Azure Portal
Add Private Key Certificate via Azure Portal

To add a certificate, you need to browse to and select the ‘PFX Certificate File’, enter the ‘Certificate password’, and then press the ‘Upload’ button.

Following this, the certificate will appear within the list of certificates under the ‘Private Key Certificates’ heading.

TLS/SSL Bindings

The TLS/SSL bindings for hostnames are also configured within the TLS/SSL settings section of the Azure Portal interface within the ‘Bindings’ tab.

When you click on a hostname within the list under the ‘TLS/SSL bindings’ heading you will be presented with a form that allows you to update the TLS/SSL Binding settings, as shown in the screenshot below.

Add TLS/SSL Binding via Azure Portal
Add TLS/SSL Binding via Azure Portal

Note that several elements from the above screenshot have been removed for privacy reasons.

If you already have a binding configured for the selected hostname you can usually leave all of the existing settings as they are, except for the ‘Private Certificate Thumbprint’ drop-down which should be updated by selecting the new certificate you previously uploaded.

After selecting the correct certificate, press the ‘Add Binding’ button to update the binding to the new certificate.

If you are updating the binding manually via the Azure Portal interface, you need to repeat the above steps for each hostname i.e. click on the next hostname in the list, select the new certificate, add the binding, and repeat.

This is a very tedious and time-consuming process which we will automate via a PowerShell script in the following section.

Azure PowerShell

PowerShell is a powerful scripting language that is very extensible and allows us to automate lots of tasks.

The Azure Az PowerShell module allows us to connect to an Azure account and interact with Azure resources programmatically.

Az module installation

Before we can connect to Azure via PowerShell we first need to install the Az module.

To do this, open up a PowerShell terminal and run the following command.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

The above command will install the Az module for the current user from the PSGallery (PowerShell Gallery) repository. It usually takes a few minutes for the installation process to complete.

Connecting to Azure

After installing the Az module, we need to connect to the required Azure account.

We can initiate this process by running the following PowerShell command.

Connect-AzAccount

After the above command has been executed, a dialog that looks like the screenshot below will be displayed.

Azure Account Sign In
Azure Account Sign In

When the above dialog appears, enter your email and password, followed by pressing the ‘Sign in’ button to complete the authentication process.

After connecting to the required Azure account, you can begin using the Az module cmdlets to interact with your Azure resources using PowerShell.

PowerShell script

The PowerShell script below can be used to programmatically update the TLS/SSL binding of every hostname for the specified Azure Web App. I recommend using the PowerShell ISE or Visual Studio Code (with the PowerShell extension) to create a PowerShell file containing the code below so that you can amend the script easily and save it for future use.

# Configure the certificate thumbprint, resource group, and web app name.
$certificateThumbprint = "9G2G2V30502FG33GFGD3HW64327KWJ10G5EKS02G"
$resourceGroupName     = "rg-my-resource-group"
$webAppName            = "as-my-web-app"
 
# Get the web app, based on its resource group and name.
$webApp = Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName
 
# Update the TLS/SSL binding for every custom hostname.
foreach ($hostName in $webApp.HostNames)
{
    if ($hostName.EndsWith("azurewebsites.net"))
    {
        # Skip the default Azure hostname.
        continue
    }
    
    # Add/update the binding to the certificate with the specified thumbprint.
    New-AzWebAppSSLBinding `
        -ResourceGroupName $resourceGroupName `
        -WebAppName $webAppName `
        -Thumbprint $certificateThumbprint `
        -Name $hostName
    
    Write-Host "Updated binding for: $hostName"
}

Note that the value of the $certificateThumbprint variable above is a random string used for illustration purposes.

Before executing the script you will need to update the following three variables at the top of the code listing.

  • $certificateThumbprint
  • $resourceGroupName
  • $webAppName

The $certificateThumbprint variable should be set to the certificate thumbprint value shown within the TLS/SSL bindings listed on the Azure Portal. The $resourceGroupName and $webAppName variables should be set according to the name of the Azure Web App you want to update the bindings for and the name of the Resource Group which said Azure Web App is contained within.

Note that if you get an error message about ‘execution policy’ when you try to run the script, try running the command below to update your execution policy.

Set-ExecutionPolicy RemoteSigned

After setting the variables listed further above, the script uses the Get-AzWebApp cmdlet to get an PSSite object instance.

A foreach loop is then used to iterate through the strings contained within the HostNames property of the PSSite object. As the HostNames property contains the default Azure hostname for the site (e.g. as-my-web-app.azurewebsites.net) a check has been put in place to skip to the next hostname when this hostname is encountered.

The New-AzWebAppSSLBinding cmdlet is used to add a binding according to the specified Resource Group, Web App, thumbprint, and hostname. If a binding already exists for the hostname, it will be updated instead i.e. there’s no need to worry about accidentally creating duplicate bindings.

Lastly, after the New-AzWebAppSSLBinding cmdlet has been called, the Write-Host cmdlet outputs the hostname that the binding was updated for by way of reference.

I’m sure you’ll agree that this approach is much preferable compared to the manual process!

Summary

In this article, I have demonstrated how to use PowerShell in conjunction with the Azure Az PowerShell module to update TLS/SSL bindings for Azure Web Apps in bulk.

I started by documenting how the Azure Portal can be used to upload certificates and how you can add TLS/SSL bindings manually for each hostname that is assigned to an Azure Web App.

I then walked through how to install the Azure Az PowerShell module and connect to the required Azure account.

Finally, I provided the source code for a script that can access an Azure Web App and update each of its hostnames to use a new certificate binding without any manual work required.


I hope you enjoyed this post! Comments are always welcome and I respond to all questions.

If you like my content and it helped you out, please check out the button below 🙂

Comments