Using certs in code & trusting private CAs on App Service Linux


In a previous post I wrote about loading to the trusted root store on Windows Web Apps inside ASE, in order to trust privately issued certs. This is required if you connect over SSL to internal endpoints using privately issue certs, or make connections between sites in that ASE and use a private CA cert for the HTTPS binding.

Here I’ll share some comments that should help achieve a similar thing on Linux sites.

The reason for this post is to co-locate and explain a few important points about this setup which are a bit unclear.

Disclaimer: this is written based only on my personal understanding of the public facing documentation and commentary.

Various docs

How to

On Windows sites, this is relatively simple. Certs are loaded directly to the root store of the Windows VM and everything works as expected.

On Linux sites, it works fundamentally a bit different. The certs are made available to the VM as files in the directories mentioned on the documentation:

To load a cert for the private CA, the process should be a typical approach depending on the image used. Nothing particularly special happens here on App Service.

Debian based images (like Ubuntu) can follow a similar approach to what is described here:


  • First, the root CA and intermediates must be exported in an appropriate file type, Azure Portal accepts pfx and crt/cer.
  • Upload the root CA and intermediate directly to the Web App via the Azure Portal or script
  • Use the App Setting WEBSITE_LOAD_CERTIFICATES with value of * or the cert thumbprint values, to load the certificates as files to the directories mentioned in the documentation
  • Use a startup script to update the root store of the container:
  • Alternatively, this can be achieved in site code as described in the github post and documentation.

Good luck!

Leave a Reply

Your email address will not be published. Required fields are marked *