Does Azure support UCC/SAN SSL Certificates?

ssl ssl-certificate web azure

I have an Azure Web App that has 15 domain names associated with (i.e. all domain names map to the same application).

I need to provide SSL for all 15 domains, pointing to the same Web App.

My observations so far:

  • Conventional SSL binding requires one IP address per domain, so I would need 15 IP addresses for this one Web App.

  • Azure Web App only supplies a single IP per web app unless I purchase additional IPs at $39/each. I want to avoid buying 15 additional IPs.

  • I could create 15 Web applications under the same App Service Plan, but it looks like they all use the same external IP address as long as they are in the same app service plan, correct?

  • The newer SNI binding scheme can be used with a singular IP address across multiple domains, but is not supported in older browsers, such as IE on WinXP (more or less the only limitation of SNI, that I found)

  • I would like to avoid SNI SSL bindings since we have a decent amount of revenue coming from Windows XP/IE users that can't support SNI.

Given my requirements:

  • Support SSL for 15 domain names on single App Service Plan (single or multiple web app instances)
  • Avoid purchasing additional IPs if possible
  • Avoid SNI if possible

... seems to me like the only reasonable option left is a UCC/SAN SSL certificate, correct?

If so, when I tried to purchase an "App Service Certificate" via Azure, I get the following info box which implies that UCC certs are not an option (at least for purchase):

enter image description here

My question is:

a.) Given my requirements, is my plan for using a SAN cert the appropriate course?

b.) Does Azure even support UCC/SAN certs for a scenario like this? I don't want to buy the cert only to find out I can't use it the way I intend.

Thanks in advance!


Azure supports UCC/SAN SSL certificate. But as per your image, you have tried to purchase this type ssl certificate through Azure 'App Service Certificate' that's why you were unable to find UCC/SAN certificate option from it. So purchase it from trusted SSL provider.

If your all 15 domains are first level sub domains of the main domain then you can also secure them with wildcard ssl certificate. But if they are multi domains like abc.com, app.abc.net, login.xyz.biz, signup.abc.org then SAN SSL is the best option to go for.

As per your requirements:

If you got decent amount of revenue from older browsers Windows XP/IE then don't go for SNI. But SNI doesn't fully ignore IE web browser but some of its versions. Read more on SNI supports which browser and server.

As per your questions:

  1. Go for UCC/SAN SSL certificate to which Microsoft Azure supports.
  2. If not want to use SNI then take different IP address for each domain which is also valid but in the 'SSL Bindings' option, you have to select SSL type as 'IP based SSL'.

Related

CMake : How to get the name of all subdirectories of a directory?
What is causing SSL-"shutdown while in init" error on dovecot?
nginx and https: nginx: [emerg] host not found in upstream
Postfix pipe always runs as nobody
Scope of the Java System Properties
How to make Google Cloud Load Balancer respect the received X-Forwarded-Proto?
SCCM Keeps Downloading Express Updates
Android replace the current fragment with another fragment
How to log AWS SES event details
I want to put WordPress — all of it — on EFS. Should I?
Why does memset take an int instead of a char?
In 2020 - are there any viable Linux block-level replication alternatives for DRBD? [closed]