I developed an Azure Function which is timer triggered. For this I created a self-signed certificate:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "SP Az Func 3"
$pwd = ConvertTo-SecureString -String "**************" -Force -AsPlainText
Export-PfxCertificate -Cert Cert:\LocalMachine\My\EB7D9E53BA1DF88AEDE1EA8CA3488CD794E0A9E9 -FilePath "C:\SPAzFunc2.pfx" -Password $pwd
Export-Certificate -Cert Cert:\LocalMachine\My\EB7D9E53BA1DF88AEDE1EA8CA3488CD794E0A9E9 -FilePath "C:\SPAzFunc2.crt"
Can I use this self-signed certificate to run our Azure Function in production? If not, then how can we obtain/buy a .pfx and .crt from an authorized source and provide a password, as we do with the self-signed certificate?
Thanks
2 Answers
The YouTube video you mentioned already describes HOW you can use a certificate with Azure Functions. For others, the most important part is also documented as "Use a TLS/SSL certificate in your code in Azure App Service".
So your actual question is "Can I use self-signed certificates for AAD application authentication in production?".
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate
It is definitely technically possible to use self-signed certificates in production. It might also be fine for your use case. However, it depends on your level of confidence that the solution is sufficient for your use case (business requirements etc.). Nobody is going to give you a blank recommendation except "when in doubt – buy a certificate".
Anything further and especially "how do I buy a client certificate?" does not belong on StackOverflow. Maybe you could ask this question on ServerFault – or rather use the search function there first.
A lot of Azure and non-Azure services require the .pfx to have a password, otherwise it might not work or it might not even allow upload without a password. For example, all of the Azure services where you can upload a .pfx always require you to provide a password. If you don't have one, it will fail.

How to configure a password for .pfx
1. Right-click on the .pfx file and choose Install PFX.
2. Choose Local Machine and click Next.
3. On the next wizard you don't have to change anything, so proceed with Next.
4. On the Private key protection wizard leave the password empty and check "Mark this key as exportable". Click Next.
5. On the Certificate Store wizard just leave it as "Automatically select the certificate store" and click Next. Finish on the last one. You should get "Import Successful".
6. Now we need to export the certificate, but this time with a password. We need to browse the machine's certificate store to initialize this. Open Run (Windows+R) and type mmc.
7. On the MMC console, go to File -> Add/Remove Snap-in or Ctrl+M. Select Certificates and click Add in the middle. You will be asked My User/Service or Computer account. Choose Computer and click Next.
8. Leave everything default on the next one (Local computer: (the computer this console is running on)) and click Finish.
9. Click OK on the Console Snap-in.
10. Now expand Certificates (Local Computer), then expand Personal and choose Certificates. Find the certificate you just imported and right-click it -> All Tasks -> Export...
11. The Export wizard starts. Click Next on the first window, then choose "Yes, export the private key" and click Next.
12. On the Export File Format make sure that everything except "Delete the private key if the export is successful" is checked and that this one isn't. Click Next.
13. Here you can choose a password for the pfx file. Make sure to check the Password checkbox and type your desired password. Leave the Encryption as TripleDES-SHA1 and click Next. Choose where to save the new .pfx file by clicking Browse.
14. Click Finish and you should get "The export was successful" message.
That's it. You now have an exported copy of the App Service Certificate in .pfx format and with a password, ready to be used anywhere you want.
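The same import-then-re-export procedure from the answer above, scripted in PowerShell with a check that the resulting file really is password-protected. This is an added example, not code from either answer; the two file paths are assumptions.

```powershell
# Assumed paths (not from the original answer): the unprotected .pfx to fix up,
# and where the password-protected copy should be written.
$SourcePfx = 'C:\certs\unprotected.pfx'
$TargetPfx = 'C:\certs\protected.pfx'

# Prompt for the export password rather than hard-coding it in the script.
$Password = Read-Host -Prompt 'Export password for the new .pfx' -AsSecureString

# Steps 1-5 of the answer: import into LocalMachine\My with the key marked exportable.
# A .pfx with an empty password is imported by simply omitting -Password.
$imported = Import-PfxCertificate -FilePath $SourcePfx `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Exportable

# Steps 6-14: export the same certificate again, this time protected by the password.
# -ChainOption BuildChain matches the wizard's "include all certificates in the path".
# On builds whose PKI module supports it, -CryptoAlgorithmOption AES256_SHA256 can
# replace the TripleDES-SHA1 default the wizard shows.
Export-PfxCertificate -Cert $imported -FilePath $TargetPfx `
    -Password $Password -ChainOption BuildChain | Out-Null

# Check 1: the new file opens with the password and contains the expected certificate.
$pfx = Get-PfxData -FilePath $TargetPfx -Password $Password
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $imported.Thumbprint) {
    throw "Exported .pfx does not contain certificate $($imported.Thumbprint)"
}

# Check 2: the new file must NOT open with an empty password.
$openedWithoutPassword = $true
try {
    Get-PfxData -FilePath $TargetPfx -Password (New-Object System.Security.SecureString) `
        -ErrorAction Stop | Out-Null
} catch {
    $openedWithoutPassword = $false
}
if ($openedWithoutPassword) {
    throw "$TargetPfx opened without a password; the export did not protect it"
}
Write-Host "OK: $TargetPfx requires the password and holds $($imported.Thumbprint)"

# Clean-up: the private key copy left in the machine store is no longer needed.
Remove-Item -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)" -DeleteKey
```

Run it from an elevated PowerShell session, since writing to and deleting from Cert:\LocalMachine\My requires administrator rights.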