In this article we will create an ARM template that will deploy a web certificate to an Azure resource group and output the certificate thumbprint.
Adding an SSL certificate to an app with Azure App Service can be achieved via the Azure portal. In an App Service, select SSL certificates and then Upload Certificate to upload a PFX certificate file along with its password. The certificate is then added to the resource group and becomes available to create a binding with the application.
In today’s article we will discover how to manage this operation via an Azure Resource Manager template. Our ARM template will be created in a new Azure Resource Group deployment project in Visual Studio.
Creation
Let’s declare the parameters of the ARM template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "certificatePrefixName": {
      "type": "string"
    },
    "certificatePfxBase64": {
      "type": "securestring"
    },
    "certificatePfxPassword": {
      "type": "securestring"
    }
  }
  ...
}
- certificatePrefixName: a prefix for the certificate name, such as the domain name associated with the certificate.
- certificatePfxBase64: the certificate PFX file bytes converted to a base64 string.
- certificatePfxPassword: the password associated with the certificate.
Now we will declare the resources of the ARM template:
{
  ...
  "variables": {
    "certificateName": "[concat(parameters('certificatePrefixName'), uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "apiVersion": "2015-08-01",
      "name": "[variables('certificateName')]",
      "type": "Microsoft.Web/certificates",
      "location": "[resourceGroup().location]",
      "properties": {
        "pfxBlob": "[parameters('certificatePfxBase64')]",
        "password": "[parameters('certificatePfxPassword')]"
      },
      "tags": {
        "displayName": "Certificate"
      }
    }
  ]
  ...
}
Two things are worth noting here:
- The certificate name is the concatenation of the prefix name and a unique string based on the resource group id. Depending on your needs you can adapt it.
- The certificate is declared with the following type: Microsoft.Web/certificates.
And to finish we will output the certificate thumbprint:
{
  ...
  "outputs": {
    "certificateThumbprint": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Web/certificates', variables('certificateName')), providers('Microsoft.Web', 'certificates').apiVersions[0]).thumbprint]"
    }
  }
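}
As you can see, we take advantage of the ARM template function providers, whose apiVersions[0] entry gives the latest API version for a specific namespace. Because that value can change as the resource provider publishes new versions, pin an explicit API version if you need the deployment to be reproducible.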
Example of use
The ARM template is now ready; let’s open a Windows PowerShell session and try it:
.\Deploy-AzureResourceGroup.ps1 -ResourceGroupName 'MyResourceGroupName' -ResourceGroupLocation 'canadaeast' -TemplateFile '.\azuredeploy.json'
...
OutputsString      :
                     Name                   Type                       Value
                     ===============        =========================  ==========
                     certificateThumbprint  String                     22XXBE10XXE5D2DBAD29DXXXX75510583XXXXXE2
If everything goes well, you should see the same kind of message as above.
To go further
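In the template you need the certificate PFX file bytes converted to a base64 string. That string is the whole PFX, private key included, protected only by the PFX password, so treat any file holding it as a secret. Here is a simple PowerShell script that takes the file path of a PFX file and writes it as a base64 string to a file:
Param([Parameter(Mandatory = $true)] [string] $pfxFilePath)
# Read the raw PFX bytes (works in both Windows PowerShell and PowerShell 7+)
$pfxFileBytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $pfxFilePath).ProviderPath)
# Write the base64 form to a file in the current directory
[System.Convert]::ToBase64String($pfxFileBytes) | Out-File 'PfxFileBytes-Base64.txt'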
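A pre-flight and post-deployment check for the template above, as an added example that is not part of the original article: it opens the PFX locally to confirm the password, private key and expiry, keeps the base64 value in memory as a SecureString, and compares the local thumbprint with the certificateThumbprint output. The function names Get-PfxDeploymentInput and Test-DeployedThumbprint are hypothetical, the sample PFX is constructed, and the commented deployment call assumes the Az PowerShell module.

```powershell
# Added example. Function names are hypothetical; the sample PFX is constructed.
function Get-PfxDeploymentInput {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxFilePath,
        [Parameter(Mandatory = $true)] [securestring] $PfxPassword
    )
    $path  = (Resolve-Path -LiteralPath $PfxFilePath).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($path)
    # Opening the PFX locally proves the password is right before anything is sent to Azure.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $PfxPassword)
    try {
        if (-not $cert.HasPrivateKey) { throw "PFX '$path' contains no private key." }
        if ($cert.NotAfter -le (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint   # SHA-1 of the DER-encoded certificate, as hex
            NotAfter   = $cert.NotAfter
            # Kept in memory as a SecureString instead of being written to a text file.
            PfxBase64  = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        }
    }
    finally { $cert.Dispose() }
}

function Test-DeployedThumbprint {
    param([string] $Expected, [string] $Deployed)
    # Thumbprints are hex strings, so compare them case-insensitively.
    [string]::Equals($Expected.Trim(), $Deployed.Trim(), [StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample input: a throwaway self-signed PFX so the example runs offline.
$pw   = ConvertTo-SecureString 'constructed-demo-password' -AsPlainText -Force
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=demo.example.test', $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
$pfx  = Join-Path ([System.IO.Path]::GetTempPath()) 'demo-constructed.pfx'
[System.IO.File]::WriteAllBytes($pfx, $demo.Export('Pfx', $pw))
$in = Get-PfxDeploymentInput -PfxFilePath $pfx -PfxPassword $pw
# In a real run, $deployed is the template's certificateThumbprint output. Assuming the
# Az PowerShell module, which exposes template parameters as cmdlet parameters:
#   $d = New-AzResourceGroupDeployment -ResourceGroupName <rg> -TemplateFile .\azuredeploy.json `
#        -certificatePrefixName <prefix> -certificatePfxBase64 $in.PfxBase64 -certificatePfxPassword $pw
#   $deployed = $d.Outputs.certificateThumbprint.Value
$deployed = $demo.Thumbprint.ToLower()   # stand-in for the deployment output
if (-not (Test-DeployedThumbprint $in.Thumbprint $deployed)) { throw 'Thumbprint mismatch.' }
"Deployed certificate matches local PFX: $($in.Thumbprint)"
Remove-Item -LiteralPath $pfx
```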
Summary
We have seen how to create an ARM template that will deploy a web certificate to an Azure resource group and output the certificate thumbprint.
Please feel free to comment or contact me if you have any questions about this article.
One reply on “Deploying a web certificate with ARM template to an Azure resource group and retrieving certificate thumbprint”
Very succinct and super helpful.
I just ran into the need to do exactly this and this article proved super useful, even six years later.
Cheers!