demo-java
- this is sample SpringBoot application (war packaged) that runs in App Service and invokes HTTPS api
with self signed server certificate. Certificate trust stores are set Java applications using settings such as
-Djavax.net.ssl.trustStore=/path/to/store
-Djavax.net.ssl.trustStoreType=JKS|PKCS12|Windows-MY|Windows-ROOT
- In App Service Environment (Windows) upload certificate in the
WebApp > SSL Settings > Public certificate
- Set Java application to use
Windows-ROOT
windows certificate store. AddJAVA_OPS
environment variable to set this setting for Java process
JAVA_OPTS=-Djavax.net.ssl.trustStoreType=Windows-ROOT
For details on deployment see example in pom.xml
-
As per ASE docs set
WEBSITE_LOAD_ROOT_CERTIFICATES
Application Setting variable to comma delimited list of certificate thumbprints For details see example inpom.xml
All applications sharing same AppService Plan will have certificate available in LocalMachine root truststore -
Build and deploy
mvn clean package azure-webapp:deploy
demo-node
- sample express NodeJS application communicating to HTTPS api with self signed server certificate
To enable node reading Windows cert store instead of environment variable, use win-ca
module https://github.com/ukoloff/win-ca, it relies internally on native crypto32.dll
api to fetch Root CAs from Windows' store (Trusted Root Certification Authorities) and make them available to Node.js application with minimal efforts.
include in application code
let ca = require('win-ca')
Certificates will be deduplicated and installed to https.globalAgent.options.ca so they are automatically used for all requests with Node.js' https module. (you could see them as well in node-modules\win-ca\pem)
To run Node.JS on Azure AppService:
-
As per ASE docs set
WEBSITE_LOAD_ROOT_CERTIFICATES
Application Setting variable to comma delimited list of certificate thumbprints -
Set Application Settings variable
WEBSITE_NODE_DEFAULT_VERSION
to required NodeJs version (runaz webapp list runtimes
to see supported versions) -
Important! Set Platform to
64bit
-
Upload application zip along (not including
node_modules
) via Kudu https://scm.site/ZipDeployUI or connecting to git -
Start the app
-
Resulting deployment should be able to establish communication
Node also allows application to extend it's default certificate store by providing NODE_EXTRA_CA_CERTS
env variable
NODE_EXTRA_CA_CERTS=/path/to/pem
or in package.json
"start": "ENV NODE_EXTRA_CA_CERTS=/path/to/pem node app.js"
To run Node.JS on Azure AppService with tls setting:
-
Set Application Settings variable
NODE_EXTRA_CA_CERTS
with absolute path to certificate (e.g D:\home\site\wwwroot\server-ca.cer) -
Resulting deployment should be able to establish communication
Notes:
Node application on Azure App Service is hosted using iisnode
httpModule, with most of configuration setup in web.config
Kudu magic for iisnode
Open Powershell in Kudu
set-location cert:\LocalMachine\My
get-childitem
Azure App Service requires certificate with extension Server Authentication
To create such certificate sample config file certs\cert_config
openssl req -x509 -config cert_config -extensions 'my server exts' -nodes \
-days 365 -newkey rsa:2048 -keyout myserver.key -out myserver.pem
openssl pkcs12 -export -in myserver.pem -inkey myserver.key -out myserver.pfx