This application automates the issuance and renewal of ACME SSL/TLS certificates. The certificates are stored inside Azure Key Vault. Many Azure services such as Azure App Service, Application Gateway, CDN, etc. are able to import certificates directly from Key Vault.

We have started to address the following requirements:

• Use the Azure Key Vault to store SSL/TLS certificates securely
• Centralize management of a large number of certificates using a single Key Vault
• Easy to deploy and configure solution
• Highly reliable implementation
• Ease of Monitoring (Application Insights, Webhook)

Key Vault allows for secure and centralized management of ACME certificates.

• Feature Support
• Requirements
• Getting Started
• Usage
• Frequently Asked Questions
• Thanks
• License

• All Azure App Services (Web Apps / Functions / Containers, regardless of OS)
• Azure CDN and Front Door
• Azure Application Gateway v2
• Issuing certificates with SANs (subject alternative names) (one certificate for multiple domains)
• Issuing certificates and wildcard certificates for Zone Apex domains
• Automated certificate renewal
• ACME-compliant Certification Authorities
  • Let's Encrypt
  • Buypass Go SSL
  • ZeroSSL (Requires EAB Credentials)

You will need the following:

• Azure Subscription (required to deploy this solution)
• Azure Key Vault (existing one or new Key Vault can be created at deployment time)
• DNS provider (required to host your public DNS zone)
• Email address (required to register with ACME)

For Azure Cloud

For Azure China

For Azure Government

Update the following configuration settings of the Function App:

• Acmebot:VaultBaseUrl
  • DNS name of the Azure Key Vault (if you are using an existing Key Vault)
• Acmebot:Webhook
  • Webhook destination URL (optional, Slack and Microsoft Teams are recommended)
  • Message will be sent when the process succeeds or fails

There are also additional settings that will be automatically created by Key Vault Acmebot:

• Acmebot:Endpoint
  • The ACME endpoint used to issue certificates
• Acmebot:Contacts
  • The email address (required) used in ACME account registration

For instructions on how to configure each DNS provider, please refer to the following page.

https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration

• Amazon Route 53
• Azure DNS
• Cloudflare
• DNS Made Easy
• GoDaddy
• Google Cloud DNS
• GratisDNS
• TransIP DNS

You must enable Authentication on the Function App that is deployed as part of this application.

In the Azure Portal, open the Function blade then select the Authentication menu and enable App Service authentication. Click on the Add identity provider button to display the screen for adding a new identity provider. If you select Microsoft as your Identity provider, the required settings will be automatically filled in for you. The default settings are fine.

Make sure that the App Service Authentication setting is set to Require authentication. The permissions can basically be left at the default settings.

If you are using Sovereign Cloud, you may not be able to select Express. Enable authentication from the advanced settings with reference to the following document.

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-configure-with-advanced-settings

Finally, you can save your previous settings to enable App Service authentication.

Open the access policy of the Key Vault and add the Certificate management access policy for the deployed application.

Access https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate with a browser and authenticate with Azure Active Directory and the Web UI will be displayed. Select the target domain from that screen, add the required subdomains, and run, and after a few tens of seconds, the certificate will be issued.

If the Access Control (IAM) setting is not correct, nothing will be shown in the drop-down list.

All existing ACME certificates are automatically renewed 30 days before their expiration.

The default check timing is 00:00 UTC. If you need to change the time zone, use WEBSITE_TIME_ZONE to set the time zone.

You can import the Key Vault certificate to the App Service by opening the TLS/SSL Settings from Azure Portal and selecting the Import Key Vault Certificate button from the Private Key Certificate (.pfx).

After importing, the App Service will automatically check for certificate updates.

• https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

Azure CDN / Front Door will now automatically deploy the latest version of the certificate when the Key Vault certificate is updated. Selecting Latest as the Key Vault certificate version will automatically update it.

• https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
• https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#option-2-use-your-own-certificate

• https://docs.microsoft.com/en-us/azure/api-management/configure-custom-domain

The issued certificate can be downloaded from Key Vault and used elsewhere, either in Azure or outside Azure.

To Remove a certificate from the system delete it from the Key Vault. Key Vault Acmebot will no longer renew the certificate.

To Reinstall or Upgrade Key Vault Acmebot without removing your certificates, ensure that the Key Vault is not removed. Key Vault Acmebot will use the exisiting certificates and vault after upgrade or reinstall

• ACMESharp Core by @ebekker
• Durable Functions by @cgillum and contributors
• DnsClient.NET by @MichaCo

This project is licensed under the Apache License 2.0