Using Azure App Service Certificate for Apache on an Ubuntu VM

Posted by Quinn Madson | Posted in | Posted on 3:07 PM


The process of getting my Azure cert to work on an Azure VM seems needlessly complicated and took forever to figure out so, I'm documenting it here. The Powershell script provided by Microsoft produces a console screen full of red errors. I debugged some of them but, never could get the thing to work.

Azure Key Prep

  • Login to
  • Search for the KeyVault that contains your App Service Certificate and open it.
    • Under Settings, go to Secrets
    • Open the certificate
    • Open the Current Version
    • Click 'Download as a certificate' to download your PFX file.
  • Download and install Win32 OpenSSL Light:
  • To extract the private key from a .pfx file, run the following OpenSSL command: 
    • openssl.exe pkcs12 -in myAzureKeyVault.pfx -nocerts -out privateKey.pem
  • The private key that you have extracted is encrypted. To decrypt: 
    • openssl.exe rsa -in privateKey.pem -out server.key
  • To get the corresponding Server Certificate: 
    • openssl.exe pkcs12 -in myAzureKeyVault.pfx -clcerts -nokeys -out server.pem

Apache Setup

  • SCP your certs to your VM:
    • /etc/ssl/certs/server.pem
    • /etc/ssl/private/server.key
  • SSH into your VM:
    • sudo a2enmod ssl
    • cd /etc/apache2/sites-available
    • sudo cp default-ssl.conf 000-default-ssl.conf
    • sudo vi 000-default-ssl.conf
      •  SSLCertificateFile      /etc/ssl/certs/server.pem
      •  SSLCertificateKeyFile /etc/ssl/private/server.key
      • (Configure ServerAdmin, Document Root and any other Apache directives you need.)
    • sudo a2ensite 000-default-ssl
    • sudo /etc/init.d/apache2 restart
  • In the Azure Portal, open your VM and go to: Settings >> Networking >> Inbound Port Rules >> Add Inbound Port Rule
    • Source: Any
    • Source port ranges: *
    • Destination: Any
    • Destination port ranges: 443
That should be all you need to get it up and running.

Comments (0)