Tags: azuredns, azure-virtual-network, azure-application-gateway, azure-dns

Digital Certificate CN Name and Hostname in App Service Listener


I am using a digital certificate and storing it in a Key Vault. I have a front-end web app behind a private endpoint. I want to associate a friendly name with the web app and use that name with an App Gateway, so that when people use the FQDN of the friendly name, it will be routed to the backend, which would be my *.azurewebsites.net. I have done the SSL binding in the App Service for my front-end web app and associated the custom domain that I am going to use. But when I click on Troubleshoot on the Web App Custom Domain tab, I get the attached message.

I would like to know what the CN name in the digital certificate should be: does it need to be the same name or FQDN as the one in my custom domain? The certificate is associated fine, and I also have a TXT record and an A record in my DNS zone. The A record is for the subdomain "FE", which maps to the public IP of my App GW.


Solution

  • You will have to create a ‘CNAME’ record to map the custom domain name used for your web app service to the ‘*.azurewebsites.net’ default backend link of that web app service. You will also have to create this CNAME record in the public DNS server from which you manage the custom domain’s DNS records. A ‘CNAME’ record is a type of DNS record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as ‘www’ or ‘mail’ to the domain hosting that subdomain's content.

  • Also, the ‘CN’, i.e., common name of the certificate that you will issue through Key Vault, should be either an SSL certificate solely for the web app service or a wildcard certificate for all the resources hosted under your custom domain name. If an SSL certificate is issued for the front-end FQDN, i.e., the web app service, then the CN would be the name of the web app service followed by the custom domain. For example, ‘(web app service name).xyz.com’, i.e., ‘taurus.zodiac.com’, where ‘taurus’ is the name of the web app service and the DNS suffix is the custom domain.

    Whereas if you use a wildcard certificate, its CN is ‘*.(domain name).com’, i.e., ‘*.zodiac.com’. It would then be helpful to use that certificate for any resources that need to be authorized under that domain, as it becomes multi-purpose. Please note that the FQDN of the web app service will be ‘(web app service name).(your custom domain name).com’, i.e., ‘taurus.zodiac.com’ as said earlier, or it could be ‘(web app service name).(your subdomain name).(your custom domain name).com’, since, as stated in the question, you have an ‘A’ record created for the subdomain in the public DNS server. Thus, you will have to create a ‘CNAME’ record for the above-stated front-end FQDN of the web app service and map it to the default ‘*.azurewebsites.net’ FQDN of the web app service in the backend.
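As an added example (not part of the question or the answer above), the two requirements the answer lists can be checked offline before touching the portal: that the custom hostname ultimately CNAMEs to the app's default *.azurewebsites.net name, and that the certificate actually covers that hostname, including the single-label limit of a wildcard like *.zodiac.com (it covers taurus.zodiac.com but not fe.taurus.zodiac.com or zodiac.com). The zone table, the App Gateway IP, the TXT value and the certificate dictionaries are constructed here; the host names reuse the answer's taurus/zodiac.com examples. The certificate dictionaries use the shape Python's ssl.getpeercert() returns, so the same matcher can be pointed at a live listener. Note the fallback to the CN happens only when a certificate has no subjectAltName at all; modern browsers skip the CN entirely and only consult the SAN, so a certificate issued from Key Vault should carry the hostname in its SAN, not just in the CN.

```python
"""Hypothetical checker (added example, not code from the original post).

1. resolve_chain / points_at_app_service: follow CNAMEs in a constructed
   zone and confirm the custom hostname lands on *.azurewebsites.net.
2. hostname_matches: RFC 6125-style name check against a certificate in
   the dict shape returned by ssl.getpeercert(), with wildcard limited to
   a single leftmost label.
"""

# Constructed stand-in for the public DNS zone: name -> (type, target).
ZONE = {
    "fe.zodiac.com": ("A", "20.0.0.10"),                      # App Gateway public IP (made-up)
    "taurus.zodiac.com": ("CNAME", "taurus.azurewebsites.net"),
    "www.zodiac.com": ("CNAME", "taurus.zodiac.com"),          # alias of an alias: a two-hop chain
    "asuid.taurus.zodiac.com": ("TXT", "1234abcd"),            # App Service ownership proof (value made-up)
}

# Constructed certificates in ssl.getpeercert() layout.
CERT_EXACT = {
    "subject": ((("commonName", "taurus.zodiac.com"),),),
    "subjectAltName": (("DNS", "taurus.zodiac.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.zodiac.com"),),),
    "subjectAltName": (("DNS", "*.zodiac.com"),),
}
CERT_CN_ONLY = {  # legacy style: no SAN at all
    "subject": ((("countryName", "US"),), (("commonName", "taurus.zodiac.com"),)),
}


def _norm(name):
    return name.lower().rstrip(".")


def resolve_chain(zone, name, max_hops=8):
    """Return the list of names visited following CNAMEs from `name`.

    The last element is the first name that is not a CNAME (or is absent).
    Raises ValueError on a loop or an over-long chain.
    """
    chain = [_norm(name)]
    for _ in range(max_hops):
        rec = zone.get(chain[-1])
        if rec is None or rec[0] != "CNAME":
            return chain
        nxt = _norm(rec[1])
        if nxt in chain:
            raise ValueError("CNAME loop at %s" % nxt)
        chain.append(nxt)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def points_at_app_service(zone, name):
    """True if the hostname ultimately CNAMEs to an *.azurewebsites.net name."""
    return resolve_chain(zone, name)[-1].endswith(".azurewebsites.net")


def _pattern_matches(pattern, host):
    """Exact match, or a wildcard that is the whole leftmost label and
    matches exactly one label (so *.zodiac.com does not cover zodiac.com
    or fe.taurus.zodiac.com)."""
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """SAN dNSNames are authoritative; the CN is consulted only when the
    certificate carries no SAN (browsers no longer do even that)."""
    host = _norm(hostname)
    names = [_norm(v) for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [_norm(v) for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_pattern_matches(n, host) for n in names)


def audit(zone, cert, hostname):
    """Both checks for one custom hostname, as a dict of booleans."""
    return {
        "cname_to_app_service": points_at_app_service(zone, hostname),
        "cert_covers_hostname": hostname_matches(cert, hostname),
    }


if __name__ == "__main__":
    for host in ("taurus.zodiac.com", "www.zodiac.com", "fe.zodiac.com"):
        print(host, audit(ZONE, CERT_WILDCARD, host))
```

Running the script shows that fe.zodiac.com (the A record pointing at the App Gateway) fails the CNAME check while still being covered by the wildcard certificate; that is expected for the Gateway's own listener, but it is exactly what the App Service custom-domain validation complains about, because App Service wants the hostname it is bound to to CNAME to its default name.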