Creating an Azure Active Directory application for Let’s Encrypt in Azure App

Hello guys,

I recently found out, thanks to my buddy Emmanuel, that Google held some references to my blog posts over HTTPS.
But, prior to 12/20/2016, when I was notified of the issue, the blog was not using HTTPS at all. The displayed certificate was the one from Azure Websites, as my blog is an Azure App.

I was using HTTP for a simple reason: I did not want to spend a dime on buying a publicly trusted SSL certificate. But I had in mind to test, one day or another, the little project that might allow me to have a free publicly trusted SSL certificate using the Let’s Encrypt service.

To solve this issue, which was affecting the reputation of the blog in search engines, I decided to move the little project to test “Let’s Encrypt as a Service” in Azure from the back of my head to the front.

Here is the first part of my trip to deploy a Let’s Encrypt certificate for an Azure App blog.

First of all, it is required to create an Azure Active Directory application. Therefore we need to set some PowerShell variables to facilitate our work here.
To create an Azure Active Directory application using Azure RM we need the following parameters:

  • The HomePage: I decided to use the blog home page, but you can set anything here;
  • A password: I used a home-made function to generate a random password; you may want to set something that you will remember for at least the couple of minutes until the Let’s Encrypt setup is finished.

[ps]
# HomePage / IdentifierUri of the application; any URI works here
$uri = 'http://blog.prudhomme.wtf'
# New-RandomPassword is a home-made helper; replace it with your own password if you do not have one
$password = New-RandomPassword
[/ps]

Once the variables are set we can proceed with the Azure RM Application creation.
We use the New-AzureRmADApplication cmdlet provided by the AzureRM PowerShell module. You can install the module from a PowerShell host of at least version 5, running as Administrator, with the following PowerShell line:

[ps]Install-Module AzureRM[/ps]

Once connected to your Azure tenant, use the following PowerShell line to create the Azure Active Directory application:

[ps]$app = New-AzureRmADApplication -DisplayName 'LetsEncrypt' -HomePage $uri -IdentifierUris $uri -Password $password[/ps]

We also need to create a Service Principal in the Azure Active Directory tenant for the application. The Service Principal is what lets us grant permissions to our application. Therefore we use the following PowerShell line to create the Service Principal for our Azure AD Application:

[ps]New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId[/ps]

Now we have the Azure AD Application and its Service Principal created. We need to give the Service Principal a role assignment. For the Let’s Encrypt purpose the ‘Contributor’ role is enough, and to assign it we run the following PowerShell line:

[ps]New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId[/ps]
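The whole procedure above in one script, as an added example that is not part of the original post. It assumes the 2016-era AzureRM module (where -Password of New-AzureRmADApplication accepts a plain string), a session already signed in with Login-AzureRmAccount on the right subscription, and a placeholder resource group name ($rg) that holds the Web App. Two things differ from the one-liners above: the home-made New-RandomPassword is replaced by a stand-in that reads from the OS CSPRNG, and the Contributor role is assigned with -Scope limited to that resource group, because without -Scope the cmdlet grants Contributor on the whole current subscription, which is far more than the certificate extension needs.

```powershell
# Added example, not the blog's own script.
# Assumes: AzureRM module (2016 era, -Password as plain string), Login-AzureRmAccount already done,
# and an existing resource group named in $rg (placeholder) that contains the Web App.

$uri = 'http://blog.prudhomme.wtf'   # application HomePage / IdentifierUri, as in the post
$rg  = 'my-blog-rg'                  # placeholder: resource group containing the Azure App

# Stand-in for the author's home-made New-RandomPassword:
# 32 bytes from the OS cryptographic RNG, base64-encoded (about 43 characters).
function New-RandomPassword {
    $bytes = New-Object byte[] 32
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $rng.Dispose()
    [Convert]::ToBase64String($bytes)
}
$password = New-RandomPassword

# 1. Azure AD application: the identity the Let's Encrypt extension will log in with.
$app = New-AzureRmADApplication -DisplayName 'LetsEncrypt' -HomePage $uri `
        -IdentifierUris $uri -Password $password

# 2. Service principal for that application in the tenant.
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Directory replication is eventually consistent; an immediate role assignment can fail
# with "principal not found", so give it a moment.
Start-Sleep -Seconds 15

# 3. Role assignment limited to the resource group of the Web App.
#    Omitting -Scope would grant Contributor on the entire subscription.
$scope = (Get-AzureRmResourceGroup -Name $rg).ResourceId
New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
        -ServicePrincipalName $app.ApplicationId -Scope $scope

# 4. Verify what the principal can actually do before handing the secret to the extension.
#    Expect exactly one line: Contributor on /subscriptions/<id>/resourceGroups/<rg>.
Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId |
    Select-Object RoleDefinitionName, Scope

# Values the extension asks for later. Keep $password out of transcripts and logs;
# only the ClientId is safe to print.
[pscustomobject]@{
    ClientId = $app.ApplicationId
    Scope    = $scope
}
```

Run it in the same elevated PowerShell 5 host where AzureRM was installed. The Select-Object at step 4 is the check worth keeping around: if the assignment list shows a Scope of just /subscriptions/<id>, the -Scope argument was dropped and the principal holds Contributor on everything in the subscription, not only on the blog's resource group.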

We have now finished the Azure AD setup required to install Let’s Encrypt in an Azure App. In the next posts we will see how to add the extension to an existing Azure App and how to finish the Let’s Encrypt setup in Azure App.