How do I upload a PFX certificate to Azure

Hi!

I’m trying to upload a PFX certificate to Azure, and afterwards bind the certificate to a web app. For the binding part I can use the New-AzWebAppSSLBinding cmdlet. The documentation says:

The cmdlet creates an SSL binding in two ways:
  • You can bind a Web App to an existing certificate.
  • You can upload a new certificate and then bind the Web App to this new certificate.

Because I want to add the same certificate (which would be a SAN / wildcard cert, so I can use it for a whole bunch of domains) to a couple of webapps / domains, I’d first like to upload the certificate, and then go for option 1 and bind the web app to an existing certificate.

So now the question is, how do I upload the PFX. I used to be able to use the Add-AzureCertificate which came with the Azure module. But I have upgraded to the Az module which doesn’t seem to have a cmdlet to add / upload / import a certificate for a web app to Azure. I’m also not able to install the Azure module side by side with the Az module, because it has overlapping cmdlet names.

PackageManagement\Install-Package : The following commands are already available on this system:'Login-AzAccount,Logout-AzAccount,Resolve-Error,Send-Feedback'. This module 'AzureRM.profile' may override the existing commands. If you still want to install this module 'AzureRM.profile', use -AllowClobber parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailab

Is there a cmdlet in the Az module that I can use to upload the certificate? Or is there another way in which I could install just the Add-AzureCertificate cmdlet from the Azure module? Or should I go for a totally different approach with this?

You have to upload the certificate to the WebApp once created using the cmdlet below. But personally I would reference the certificate within key vault.

New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
    -CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

Hi Tommy, thanks for your reply!

I came to the same conclusion as you, regarding the upload and bind once via New-AzWebAppSSLBinding. After that, for the other custom domain names to the same app I can use the -Thumbprint parameter.

Why do you think it is better to reference the certificate within key vault? Can you recommend any resources on that?
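
The upload-once, then bind-by-thumbprint flow discussed in this thread, as an added example that is not code from either poster. The resource group, app names, host names and PFX path are placeholders, and it assumes all the web apps live in the same resource group and that the host names are already added to them as custom domains.

```powershell
# Added example: every name and path below is a placeholder, not a value from the thread.
$resourceGroup = 'rg-example'
$pfxPath       = 'C:\certs\wildcard-example.pfx'
$firstBinding  = @{ WebAppName = 'app-one'; Name = 'www.example.com' }
$otherBindings = @(
    @{ WebAppName = 'app-one'; Name = 'shop.example.com' },
    @{ WebAppName = 'app-two'; Name = 'api.example.com' }
)

# Prompt for the PFX password instead of keeping it in the script or its history.
$securePassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Open the PFX locally to read the thumbprint and catch an expired certificate
# before anything is uploaded.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $securePassword)
try {
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
    }
    $thumbprint = $cert.Thumbprint
}
finally {
    $cert.Dispose()
}

# -CertificatePassword takes a plain string, so convert as late as possible
# and drop the plaintext copy straight after the call.
$plainPassword = [System.Net.NetworkCredential]::new('', $securePassword).Password
try {
    # First binding: uploads the PFX and binds it in one step.
    New-AzWebAppSSLBinding -ResourceGroupName $resourceGroup @firstBinding `
        -CertificateFilePath $pfxPath -CertificatePassword $plainPassword `
        -SslState SniEnabled -ErrorAction Stop
}
finally {
    $plainPassword = $null
}

# Check that the uploaded certificate is now visible in the resource group.
if (-not (Get-AzWebAppCertificate -ResourceGroupName $resourceGroup -Thumbprint $thumbprint)) {
    throw "Certificate $thumbprint was not found in $resourceGroup after upload."
}

# Remaining host names reuse the uploaded certificate by thumbprint; no PFX or password needed.
foreach ($binding in $otherBindings) {
    New-AzWebAppSSLBinding -ResourceGroupName $resourceGroup @binding `
        -Thumbprint $thumbprint -SslState SniEnabled -ErrorAction Stop
}
```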