Generating a PFX TLS Certificate using GoDaddy

01/11/2019

Overview

On the web, the Hypertext Transfer Protocol (HTTP) has for years been the primary protocol for requesting and delivering hypermedia documents such as web pages, although it is not encrypted and is therefore insecure. The solution to this insecurity is HTTPS. HTTPS is effectively HTTP with security: it utilises Transport Layer Security (TLS) to encrypt the transfer of data through the use of certificates. This security protocol involves three components: a certificate authority, a private key and a public certificate. The certificate authority is a company like GoDaddy or Let's Encrypt which has been approved to verify domains and issue secure signed certificates and keys. The private key is used by the website when it responds to a client request to encrypt the data in its reply. Along with the reply, the website sends its public certificate to the client, and the browser decrypts the sent message using this certificate. With this protocol the browser can verify that the data received has indeed been sent by the intended sender.

Requesting a Certificate from GoDaddy

I'm not going to go into too much detail here as the steps on the website are pretty self-explanatory. However, one thing to note is that there is no need to provide GoDaddy with a certificate signing request (CSR) generated using IIS, which is what many tutorials recommend. You can simply allow GoDaddy to generate the certificate request itself. Once you've followed the steps it may take a while for GoDaddy to issue your private key and certificates (mine took approximately 24 hours).

Downloading Private Key and CSR

These are the first things to download from GoDaddy. I haven't had any use for the CSR yet, although it's good to keep for your records. As you can probably gather from the name, the private key must be kept private.

Downloading Certificates

This is the slightly confusing bit (or at least I thought so). You'll have a number of download options such as Apache or IIS, although I'd recommend you download the 'other' option. In this package you'll get a crt file, a pem file and a certificate authority crt file. Copy the contents of this folder so that these certificates are in the same directory as the private key and CSR you previously downloaded.

Creating a PFX Certificate

In your directory you should now have 2 public certificates - a crt and a pem which for all intents and purposes are equivalent. You'll also have a 'bundle' certificate authority, mine was called g2_bundle-g2-g1.crt; a private key file and a CSR file.

  • Now run the following command, replacing the certificate and key names with your filenames:
openssl pkcs12 -export -out <domain_name>.pfx -in <public_certificate_name>.crt -inkey <private_key_name>.key -certfile <godaddy_ca>.crt
  • If the command above fails to load your private key file, run the following command, which drops the first three bytes of the file, to correct the file's encoding. After doing so, rerun the previous openssl command but use the modified version of your private key.
tail -c +4 <private_key_name>.key > <private_key_modified_name>.key

Upon executing the openssl command you will be prompted to enter a password to lock your PFX file.
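
The key-loading failure described above can be checked for before running openssl. The following is an added example, not part of the original post: it assumes the encoding problem is a UTF-8 byte order mark (the three bytes that tail -c +4 removes), strips it only when it is present so that a clean key is not truncated, and can confirm that the key and certificate belong together. All function names and the sample key are constructed for illustration, and key_matches_cert assumes openssl is installed.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.

# True if the file begins with the UTF-8 byte order mark (EF BB BF).
has_utf8_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# True if the first line of the file is a PEM private-key header.
is_pem_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----'
}

# Copy key $1 to $2, dropping a leading BOM only when one is present,
# and leave the copy readable by its owner alone.
normalize_key() {
    ( umask 077
      if has_utf8_bom "$1"; then tail -c +4 "$1"; else cat "$1"; fi > "$2"
    ) && chmod 600 "$2"
}

# True if private key $1 and certificate $2 hold the same public key
# (needs openssl; returns 2 when either file cannot be parsed).
key_matches_cert() {
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kmc_key" = "$kmc_crt" ]
}

# Constructed sample: a BOM followed by a dummy PEM body (not a real key).
make_sample_key() {
    { printf '\357\273\277'
      printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
                    '-----END PRIVATE KEY-----'; } > "$1"
}
```

Run normalize_key on the downloaded key, then key_matches_cert on the result and the crt file, before building the PFX.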

Uploading PFX Certificate to Azure App Service

On your app service resource, head to the Custom Domains section and add an SSL binding to the domain for which you generated your SSL certificates. All you have to do is upload the certificate and enter the password that you set for your PFX certificate using openssl.