Tutorial: Configure HTTPS on an Azure CDN custom domain

This tutorial shows how to enable the HTTPS protocol for a custom domain that's associated with an Azure CDN endpoint.

The HTTPS protocol on your custom domain (for instance, https://www.contoso.com) ensures your sensitive data is delivered securely via TLS/SSL. When your web browser is connected via HTTPS, the browser validates the web site's certificate. The browser verifies it's issued by a legitimate certificate authority. This process provides security and protects your web applications from attacks.

Azure CDN supports HTTPS on a CDN endpoint hostname by default. For example, if you create a CDN endpoint (such as https://contoso.azureedge.net), HTTPS is automatically enabled.

Some of the key attributes of the custom HTTPS feature are:

  • No extra cost: There aren't costs for certificate acquisition or renewal and no extra cost for HTTPS traffic. You pay only for GB egress from the CDN.

  • Simple enablement: One-click provisioning is available from the Azure portal. You can also use the REST API or other developer tools to enable the feature.

  • Complete certificate management is available:

    • All certificate procurement and management is handled for you.
    • Certificates are automatically provisioned and renewed before expiration.

In this tutorial, you learn how to:

  • Enable the HTTPS protocol on your custom domain.
  • Use a CDN-managed certificate
  • Use your own certificate
  • Validate the domain
  • Disable the HTTPS protocol on your custom domain.

Prerequisites

Before you can complete the steps in this tutorial, create a CDN profile and at least one CDN endpoint. For more information, see Quickstart: Create an Azure CDN profile and endpoint.

Associate an Azure CDN custom domain with your CDN endpoint. For more information, see Tutorial: Add a custom domain to your Azure CDN endpoint.

Important

CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.


TLS/SSL certificates

To enable HTTPS on an Azure CDN custom domain, you use a TLS/SSL certificate. You can choose to use a certificate that is managed by Azure CDN or use your own certificate.

  • Option 1 (default): Enable HTTPS with a CDN-managed certificate
  • Option 2: Enable HTTPS with your own certificate

Azure CDN handles certificate management tasks such as procurement and renewal. After you enable the feature, the process starts immediately.

If the custom domain is already mapped to the CDN endpoint, no further action is needed. Azure CDN will process the steps and complete your request automatically.

If your custom domain is mapped elsewhere, use email to validate your domain ownership.

To enable HTTPS on a custom domain, follow these steps:

  1. Go to the Azure portal to find a certificate managed by your Azure CDN. Search for and select CDN profiles.

  2. Choose your profile:

    • Azure CDN Standard from Microsoft
    • Azure CDN Standard from Akamai
    • Azure CDN Standard from Verizon
    • Azure CDN Premium from Verizon
  3. In the list of CDN endpoints, select the endpoint containing your custom domain.

    Endpoints list

    The Endpoint page appears.

  4. In the list of custom domains, select the custom domain for which you want to enable HTTPS.

    Screenshot shows the Custom domain page with the option to Use my own certificate.

    The Custom domain page appears.

  5. Under Certificate management type, select CDN managed.

  6. Select On to enable HTTPS.

    Custom domain HTTPS status

  7. Continue to Validate the domain.
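The portal steps above can also be scripted, as the "Simple enablement" bullet notes. The following is an added example for this tutorial, not Microsoft's sample code: it assumes the Azure CLI (az) is installed and logged in, drives the documented `az cdn custom-domain enable-https` and `az cdn custom-domain show` commands, and reads the `customHttpsProvisioningState` / `customHttpsProvisioningSubstate` fields of the CDN REST API. The substate strings are those of the API's CustomHttpsProvisioningSubstate enum (check them against the API reference for your version), and the resource names (`my-rg`, `my-cdn-profile`, `contoso`, `www-contoso-com`) are placeholders.

```python
"""Enable CDN-managed HTTPS on an Azure CDN custom domain from a script and follow
the four operation steps that the portal's custom domain dialog shows.

Added example for this tutorial (not Microsoft's sample). Assumes the Azure CLI is
installed and logged in; resource names in __main__ are placeholders.
"""
import json
import subprocess
import time

# Map the REST API substates onto the four operation steps of the tutorial's table.
STEP_OF_SUBSTATE = {
    "SubmittingDomainControlValidationRequest": 1,
    "PendingDomainControlValidationREquestApproval": 2,   # spelled this way in the API
    "DomainControlValidationRequestApproved": 2,
    "DomainControlValidationRequestRejected": 2,
    "DomainControlValidationRequestTimedOut": 2,
    "IssuingCertificate": 3,
    "DeployingCertificate": 3,
    "CertificateDeployed": 4,
}
FAILED_SUBSTATES = {"DomainControlValidationRequestRejected",
                    "DomainControlValidationRequestTimedOut"}


def classify(custom_domain_json):
    """Reduce one `az cdn custom-domain show` result to (step, finished, succeeded).

    step is the 1-4 operation step of the tutorial's table (None if unknown),
    finished tells the poll loop to stop, succeeded is True only once HTTPS is Enabled.
    """
    state = custom_domain_json.get("customHttpsProvisioningState")
    substate = custom_domain_json.get("customHttpsProvisioningSubstate")
    step = STEP_OF_SUBSTATE.get(substate)
    if state == "Failed" or substate in FAILED_SUBSTATES:
        return step, True, False          # validation rejected / expired / other failure
    if state == "Enabled":
        return 4, True, True
    if state in ("Disabled", None):       # nothing in flight; not the result we asked for
        return step, True, False
    return step, False, None              # Enabling / Disabling: keep polling


def az_json(*args):
    """Run an az command and parse its JSON output (empty output -> {})."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def enable_https(resource_group, profile, endpoint, custom_domain):
    """Equivalent of steps 5-6 in the portal: CDN-managed certificate, HTTPS on."""
    return az_json("cdn", "custom-domain", "enable-https",
                   "--resource-group", resource_group, "--profile-name", profile,
                   "--endpoint-name", endpoint, "--name", custom_domain)


def wait_for_https(resource_group, profile, endpoint, custom_domain,
                   interval_s=600, timeout_s=8 * 3600):
    """Poll until the request reaches a terminal state; validation can take hours."""
    deadline = time.monotonic() + timeout_s
    while True:
        cd = az_json("cdn", "custom-domain", "show",
                     "--resource-group", resource_group, "--profile-name", profile,
                     "--endpoint-name", endpoint, "--name", custom_domain)
        step, finished, ok = classify(cd)
        print(f"step {step}: {cd.get('customHttpsProvisioningState')} / "
              f"{cd.get('customHttpsProvisioningSubstate')}")
        if finished:
            return ok
        if time.monotonic() > deadline:
            raise TimeoutError("custom HTTPS not enabled within the timeout")
        time.sleep(interval_s)


if __name__ == "__main__":
    # Placeholder resource names; substitute your own. --name is the custom domain
    # resource name in the CDN endpoint, not the hostname.
    enable_https("my-rg", "my-cdn-profile", "contoso", "www-contoso-com")
    done = wait_for_https("my-rg", "my-cdn-profile", "contoso", "www-contoso-com")
    print("HTTPS enabled" if done else "HTTPS request failed; check the portal dialog")
```

The poll interval is deliberately coarse (10 minutes) because, as the propagation section below explains, domain validation and certificate deployment take hours rather than seconds; the 8-hour timeout matches the upper end of that window. Disabling follows the same pattern with `az cdn custom-domain disable-https`.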

Validate the domain

If you have a custom domain in use mapped to your custom endpoint with a CNAME record or you're using your own certificate, continue to Custom domain mapped to your CDN endpoint.

Otherwise, if the CNAME record entry for your endpoint no longer exists or it contains the cdnverify subdomain, proceed to Custom domain not mapped to your CDN endpoint.

Custom domain is mapped to your CDN endpoint by a CNAME record

When you added a custom domain to your endpoint, you created a CNAME record in the DNS domain registrar mapped to your CDN endpoint hostname.

If that CNAME record still exists and doesn't contain the cdnverify subdomain, the DigiCert CA uses it to automatically validate ownership of your custom domain.

If you're using your own certificate, domain validation isn't required.

Your CNAME record should be in the following format:

  • Name is your custom domain name.
  • Value is your CDN endpoint hostname.
Name               Type    Value
www.contoso.com    CNAME   contoso.azureedge.net

For more information about CNAME records, see Create the CNAME DNS record.

If your CNAME record is in the correct format, DigiCert automatically verifies your custom domain name and creates a certificate for your domain. DigiCert won't send you a verification email and you won't need to approve your request. The certificate is valid for one year and will be autorenewed before it expires. Proceed to Wait for propagation.

Automatic validation typically takes a few hours. If you don't see your domain validated in 24 hours, open a support ticket.

Note

If you have a Certificate Authority Authorization (CAA) record with your DNS provider, it must include DigiCert as a valid CA. A CAA record allows domain owners to specify with their DNS providers which CAs are authorized to issue certificates for their domain. If a CA receives an order for a certificate for a domain that has a CAA record and that CA is not listed as an authorized issuer, it is prohibited from issuing the certificate to that domain or subdomain. For information about managing CAA records, see Manage CAA records. For a CAA record tool, see CAA Record Helper.
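Both conditions in this section (a CNAME that points straight at the endpoint without the cdnverify subdomain, and a CAA record set that permits DigiCert) can be checked before you turn HTTPS on, so a request doesn't sit for hours only to fail at domain validation or certificate issuance. The following is an added example for this tutorial, not Microsoft's code. It works on DNS records passed in as plain (type, rdata) pairs, the way `dig` prints them, so it runs offline against a constructed sample zone; for real use, feed it the answers from your resolver. The CAA evaluation follows RFC 8659 (closest ancestor with CAA records wins; `issue` governs ordinary names, `issuewild` wildcards; an unknown critical tag blocks issuance). `digicert.com` is DigiCert's published CAA issuer domain; the zone contents and the `preflight` / `validation_path` / `caa_permits` function names are this example's own.

```python
"""Preflight the DNS side of CDN-managed HTTPS for a custom domain.

Added example for this tutorial (not Microsoft's code). Decides which validation
path DigiCert will take and whether CAA would block it. Runs offline on SAMPLE_ZONE,
a constructed set of records; replace it with real resolver answers in practice.
"""

DIGICERT_CAA_ISSUER = "digicert.com"   # DigiCert's published CAA issuer domain

# Constructed sample answers: owner name -> list of (rdtype, rdata), dig-style.
SAMPLE_ZONE = {
    # Mapped directly to the endpoint and CAA allows DigiCert -> automatic validation.
    "www.contoso.com.": [("CNAME", "contoso.azureedge.net.")],
    "contoso.com.": [("CAA", '0 issue "letsencrypt.org"'), ("CAA", '0 issue "digicert.com"')],
    # No CNAME on the custom domain (only the cdnverify temporary record), and the
    # apex CAA lists another CA only -> email validation, and DigiCert cannot issue.
    "cdnverify.shop.fabrikam.com.": [("CNAME", "cdnverify.fabrikam.azureedge.net.")],
    "fabrikam.com.": [("CAA", '0 issue "letsencrypt.org"'), ("CAA", '0 iodef "mailto:sec@fabrikam.com"')],
    # Bring-your-own-certificate domain: no CAA anywhere, no validation needed.
    "www.adatum.com.": [("CNAME", "adatum.azureedge.net.")],
}


def _lookup(zone, name, rdtype):
    return [rd for (rt, rd) in zone.get(name.rstrip(".") + ".", []) if rt == rdtype]


def validation_path(zone, custom_domain, endpoint_host, own_certificate=False):
    """'none' (own cert), 'automatic' (CNAME to endpoint, no cdnverify) or 'email'."""
    if own_certificate:
        return "none"
    targets = _lookup(zone, custom_domain, "CNAME")
    if not targets:
        return "email"                       # CNAME no longer exists
    target = targets[0].rstrip(".").lower()
    if "cdnverify" in target or target != endpoint_host.rstrip(".").lower():
        return "email"                       # cdnverify record or mapped elsewhere
    return "automatic"


def _parse_caa(rdata):
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def _evaluate_caa(records, ca_domain, wildcard):
    parsed = [_parse_caa(r) for r in records]
    # RFC 8659: a critical (flag 128) property the CA does not understand forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in parsed):
        return False
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in parsed) else "issue"
    relevant = [v for _, t, v in parsed if t == tag]
    if not relevant:
        return True                          # only iodef etc.: no issuer restriction
    ca_domain = ca_domain.lower()
    # The issuer domain is the part before any ';'-separated parameters; ';' alone forbids all.
    return any(v.split(";", 1)[0].strip().lower() == ca_domain for v in relevant)


def caa_permits(zone, custom_domain, ca_domain=DIGICERT_CAA_ISSUER, wildcard=False):
    """Walk from the name to its ancestors; the first non-empty CAA RRset is authoritative."""
    labels = custom_domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = _lookup(zone, ".".join(labels[i:]), "CAA")
        if records:
            return _evaluate_caa(records, ca_domain, wildcard)
    return True                              # no CAA anywhere up the tree: any CA may issue


def preflight(zone, custom_domain, endpoint_host, own_certificate=False):
    path = validation_path(zone, custom_domain, endpoint_host, own_certificate)
    caa_ok = caa_permits(zone, custom_domain) if path != "none" else True
    return {"validation": path, "caa_permits_digicert": caa_ok}


if __name__ == "__main__":
    for host, ep, byoc in [("www.contoso.com", "contoso.azureedge.net", False),
                           ("shop.fabrikam.com", "fabrikam.azureedge.net", False),
                           ("www.adatum.com", "adatum.azureedge.net", True)]:
        print(host, preflight(SAMPLE_ZONE, host, ep, byoc))
```

A result of `"email"` with `caa_permits_digicert: False` is the combination to fix before enabling: the verification mail will arrive, but DigiCert would still refuse to issue until the apex CAA record lists digicert.com. Note that the resolver, not this code, follows CNAME chains when it answers a CAA query, so feed it the records as actually returned for each name.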

Custom domain isn't mapped to your CDN endpoint

Note

If you are using Azure CDN from Akamai, the following CNAME should be set up to enable automatic domain validation: "_acme-challenge.<custom domain hostname> -> CNAME -> <custom domain hostname>.ak-acme-challenge.azureedge.net"

If the CNAME record entry contains the cdnverify subdomain, follow the rest of the instructions in this step.

DigiCert sends a verification email to the following email addresses. Verify that you can approve directly from one of the following addresses:

  • admin@your-domain-name.com
  • administrator@your-domain-name.com
  • webmaster@your-domain-name.com
  • hostmaster@your-domain-name.com
  • postmaster@your-domain-name.com

You should receive an email in a few minutes for you to approve the request. In case you're using a spam filter, add verification@digicert.com to its allowlist. If you don't receive an email within 24 hours, contact Microsoft support.

Domain validation email

When you select the approval link, you're directed to the following online approval form:

Domain validation form

Follow the instructions on the form; you have two verification options:

  • You can approve all future orders placed through the same account for the same root domain; for example, contoso.com. This approach is recommended if you plan to add other custom domains for the same root domain.

  • You can approve just the specific host name used in this request. Another approval is required for later requests.

After approval, DigiCert completes the certificate creation for your custom domain name. The certificate is valid for one year and will be autorenewed before it's expired.

Wait for propagation

After the domain name is validated, it can take up to 6-8 hours for the custom domain HTTPS feature to be activated. When the process completes, the custom HTTPS status in the Azure portal is changed to Enabled. The 4 operation steps in the custom domain dialog are marked as complete. Your custom domain is now ready to use HTTPS.
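Once the portal reports Enabled, it's worth confirming from the client side that the edge actually serves the custom domain over TLS with SNI (the handshake type the FAQ below says Azure CDN uses), that the certificate covers the hostname, and how long it has until the promised autorenewal. The following is an added example for this tutorial, not Microsoft's code; it uses only the Python standard library. `inspect_cert()` is a pure function shown against a constructed `getpeercert()`-style dictionary (`SAMPLE_CERT`, with a made-up issuer common name), and `check_custom_domain()` performs the live handshake; the function names are this example's own.

```python
"""Client-side check of a custom domain after custom HTTPS reports Enabled.

Added example for this tutorial (not Microsoft's code); standard library only.
check_custom_domain() does a real TLS handshake with SNI and full chain/hostname
verification; inspect_cert() summarises the peer certificate and is exercised
here on SAMPLE_CERT, a constructed certificate dictionary.
"""
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.contoso.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert sample intermediate (constructed)"),)),
    "notBefore": "Jan 15 12:00:00 2024 GMT",
    "notAfter": "Jan 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.contoso.com"), ("DNS", "contoso.com")),
}
# A fixed "now" so the sample evaluation is reproducible (UTC, like the cert times).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul 15 12:00:00 2024 GMT")


def _hostname_matches(hostname, san_names):
    """Exact match, or a single left-most wildcard label (no multi-level wildcards)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def inspect_cert(cert, hostname, now=None):
    """Summarise a getpeercert() dict: SAN coverage, issuer org, validity, days left."""
    now = time.time() if now is None else now
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName", "")
    return {
        "hostname_covered": _hostname_matches(hostname, sans),
        "issuer": issuer,
        "valid_now": not_before <= now < not_after,
        "days_to_expiry": int((not_after - now) // 86400),
    }


def check_custom_domain(hostname, port=443, timeout=10):
    """Live check: SNI handshake, chain + hostname verified against system roots."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            info = inspect_cert(tls.getpeercert(), hostname)
            info["protocol"] = tls.version()   # e.g. 'TLSv1.2' or 'TLSv1.3'
            return info


if __name__ == "__main__":
    print("sample:", inspect_cert(SAMPLE_CERT, "www.contoso.com", now=SAMPLE_NOW))
    # Live check of your own custom domain (placeholder hostname):
    # print(check_custom_domain("www.contoso.com"))
```

`ssl.create_default_context()` already rejects an untrusted chain or a hostname mismatch during the handshake, so reaching `inspect_cert()` on a live connection means the browser-side validation the introduction describes would also succeed; the summary adds the expiry countdown, which is the thing to watch if a CDN-managed certificate is supposed to autorenew before the one-year mark.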

Enable HTTPS dialog

Operation progress

The following table shows the operation progress that occurs when you enable HTTPS. After you enable HTTPS, four operation steps appear in the custom domain dialog. As each step becomes active, other substep details appear under the step as it progresses. Not all of these substeps will occur. After a step successfully completes, a green check mark appears next to it.

Operation step               Operation substep details
1  Submitting request        Submitting request
                             Your HTTPS request is being submitted.
                             Your HTTPS request has been submitted successfully.
2  Domain validation         Domain is automatically validated if it's CNAME mapped to the CDN Endpoint. Otherwise, a verification request will be sent to the email listed in your domain's registration record (WHOIS registrant).
                             Your domain ownership has been successfully validated.
                             Domain ownership validation request expired (customer likely didn't respond within 6 days). HTTPS won't be enabled on your domain. *
                             Domain ownership validation request was rejected by the customer. HTTPS won't be enabled on your domain. *
3  Certificate provisioning  The certificate authority is currently issuing the certificate needed to enable HTTPS on your domain.
                             The certificate has been issued and is currently being deployed to CDN network. This could take up to 6 hours.
                             The certificate has been successfully deployed to CDN network.
4  Complete                  HTTPS has been successfully enabled on your domain.

* This message doesn't appear unless an error has occurred.

If an error occurs before the request is submitted, the following error message is displayed:

We encountered an unexpected error while processing your HTTPS request. Please try again and contact support if the issue persists.

Clean up resources - disable HTTPS

In this section, you learn how to disable HTTPS for your custom domain.

Disable the HTTPS feature

  1. In the Azure portal, search for and select CDN profiles.

  2. Choose your Azure CDN Standard from Microsoft, Azure CDN Standard from Verizon, or Azure CDN Premium from Verizon profile.

  3. In the list of endpoints, pick the endpoint containing your custom domain.

  4. Choose the custom domain for which you want to disable HTTPS.

    Custom domains list

  5. Choose Off to disable HTTPS, then select Apply.

    Custom HTTPS dialog

Wait for propagation

After the custom domain HTTPS feature is disabled, it can take up to 6-8 hours for it to take effect. When the process is complete, the custom HTTPS status in the Azure portal is changed to Disabled. The three operation steps in the custom domain dialog are marked as complete. Your custom domain can no longer use HTTPS.

Disable HTTPS dialog

Operation progress

The following table shows the operation progress that occurs when you disable HTTPS. After you disable HTTPS, three operation steps appear in the custom domain dialog. When a step becomes active, details appear under the step. After a step successfully completes, a green check mark appears next to it.

Operation progress               Operation details
1  Submitting request            Submitting your request
2  Certificate deprovisioning    Deleting certificate
3  Complete                      Certificate deleted

Frequently asked questions

  1. Who is the certificate provider and what type of certificate is used?

    A dedicated certificate provided by DigiCert is used for your custom domain for:

    • Azure CDN from Verizon
    • Azure CDN from Microsoft
  2. Do you use IP-based or SNI TLS/SSL?

    Both Azure CDN from Verizon and Azure CDN Standard from Microsoft use SNI TLS/SSL.

  3. What if I don't receive the domain verification email from DigiCert?

    If you aren't using the cdnverify subdomain and your CNAME entry is for your endpoint hostname, you won't receive a domain verification email.

    Validation occurs automatically. Otherwise, if you don't have a CNAME entry and you haven't received an email within 24 hours, contact Microsoft support.

  4. Is using a SAN certificate less secure than a dedicated certificate?

    A SAN certificate follows the same encryption and security standards as a dedicated certificate. All issued TLS/SSL certificates use SHA-256 for enhanced server security.

  5. Do I need a Certificate Authority Authorization record with my DNS provider?

    A Certificate Authority Authorization record isn't currently required. However, if you do have one, it must include DigiCert as a valid CA.

  6. On June 20, 2018, Azure CDN from Verizon started using a dedicated certificate with SNI TLS/SSL by default. What happens to my existing custom domains using a Subject Alternative Names (SAN) certificate and IP-based TLS/SSL?

    Your existing domains will be gradually migrated to a single certificate in the upcoming months if Microsoft analyzes that only SNI client requests are made to your application.

    If non-SNI clients are detected, your domains stay in the SAN certificate with IP-based TLS/SSL. Requests to your service or clients that are non-SNI, are unaffected.

  7. How do cert renewals work with Bring Your Own Certificate?

    To ensure a newer certificate is deployed to PoP infrastructure, upload your new certificate to Azure Key Vault. In your TLS settings on Azure CDN, choose the newest certificate version and select save. Azure CDN will then propagate your new updated cert.

  8. Do I need to re-enable HTTPS after the endpoint restarts?

    Yes. If you're using Azure CDN from Akamai and the endpoint stops and restarts, you must re-enable the HTTPS setting if the setting was active before.

Next steps

In this tutorial, you learned how to:

  • Enable the HTTPS protocol on your custom domain.
  • Use a CDN-managed certificate
  • Use your own certificate
  • Validate the domain.
  • Disable the HTTPS protocol on your custom domain.

Advance to the next tutorial to learn how to configure caching on your CDN endpoint.