While implementing Azure Functions running on an App Service Environment, I came across the error “SSL Connection could not be established”. This occurred when performing an HTTP request from the Azure Function to another internal service which was using a private certificate. The certificate had been created internally, while the Azure Function is a Microsoft-managed PaaS service outside of the domain, so the Function did not trust it. Although not widely documented, this approach is actually supported.

Architecture

Below is a simplified architecture of the Function App:

Certificate Revocation List (CRL)

After discussing this with Microsoft, it turns out the approach is only supported if the CRL distribution point has been implemented as an HTTP endpoint. If the distribution point is implemented as an LDAP endpoint then this is not supported. However, I cannot find this documented anywhere publicly.

Firstly, we must identify whether the CRL HTTP endpoint is reachable from the Azure Function. If you don’t have the CRL endpoint to hand, it can be pulled from the certificate properties under CRL Distribution Points:

Ref, Example Google Public Certificate

The CRL must be reachable from the Function App. To confirm this, I used the Kudu console from the App Service Environment and ran the following PowerShell command:

Invoke-RestMethod -Uri "http://crl.pki.goog/GTS1O1core.crl"

If HTTP 400 errors are returned, then the CRL is not reachable and this will need to be resolved first.
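To avoid reading the CRL URL off the certificate properties by hand, the following PowerShell can be pasted into the Kudu console to pull every CRL Distribution Point out of a certificate file and test each one from inside the Function App. This is an added example, not part of the original post or of anything Microsoft provides; the certificate path is a placeholder, and any non-HTTP (for example LDAP) distribution point is reported as unsupported, matching the guidance above.

```powershell
# Added example (not from the original post). Run from the Kudu PowerShell
# console of the Function App. 'C:\home\site\internal-service.cer' is a
# placeholder path for a copy of the internal service's certificate.

function Get-CrlDistributionPoint {
    param([Parameter(Mandatory)][string]$CertificatePath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text with "URL=..." entries.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlEndpoint {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Url)
    process {
        if ($Url -notmatch '^http://') {
            # Only HTTP distribution points are supported from the Function (see above).
            return [pscustomobject]@{ Url = $Url; Reachable = $false
                                      Note = 'non-HTTP distribution point: not supported' }
        }
        try {
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Url = $Url; Reachable = ($resp.StatusCode -eq 200)
                               Note = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes" }
        } catch {
            # A 400 or a name-resolution/timeout error both mean the CRL must be fixed first.
            [pscustomobject]@{ Url = $Url; Reachable = $false; Note = $_.Exception.Message }
        }
    }
}

# Usage: list the distribution points and test each one.
Get-CrlDistributionPoint -CertificatePath 'C:\home\site\internal-service.cer' | Test-CrlEndpoint
```

Any row with Reachable set to false needs resolving before the root certificate is uploaded; a non-HTTP row means the CA's CRL publishing needs to change, which no Function App setting can work around.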

The Resolution

Once the above has been validated, we now need to obtain a copy of the private root CA certificate (.CER):

Ref, Example Google Public Certificate

Navigate to the Azure Portal, select the Azure Function and then open the TLS/SSL settings blade:

Select Upload Certificate, choose Local Machine, provide a name and select the certificate file. Finally, click Upload:

Make a note of the certificate thumbprint and navigate to the Configuration blade:

Add a new Application Setting named WEBSITE_LOAD_ROOT_CERTIFICATES and paste the thumbprint as the value, then click OK and then Save. Warning: this will restart the Azure Function.

The Function should now be able to reach the internal service.
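The portal steps above can be scripted and, more importantly, verified. The PowerShell below is an added example and not part of the original post: the first two functions run on a workstation with the Az module (resource group, app name and file path are placeholders) and compute the thumbprint from the .CER file, then merge it into WEBSITE_LOAD_ROOT_CERTIFICATES without clobbering the other app settings, since the setting accepts a comma-separated list of thumbprints. The last two functions run in the Kudu console after the restart; they assume the root certificate is loaded into the LocalMachine\Root store on the instance and that the internal service URL is reachable from the Function.

```powershell
# Added example (not from the original post). Part 1: workstation with Az module.
# Part 2: Kudu PowerShell console of the Function App. All names are placeholders.

function Get-CerThumbprint {
    # Reads the thumbprint straight from the .CER so nothing is copied by hand.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $cert.Thumbprint   # SHA-1, upper-case hex, no spaces: the form the app setting expects
}

function Add-RootCertThumbprintSetting {
    # Appends a thumbprint to WEBSITE_LOAD_ROOT_CERTIFICATES, keeping existing entries
    # and every other app setting. Set-AzWebApp replaces the whole collection, so we
    # must merge first. Saving app settings restarts the Function App.
    param([Parameter(Mandatory)][string]$ResourceGroupName,
          [Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Thumbprint)
    if ($Thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA-1 thumbprint: $Thumbprint" }
    $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name
    $settings = @{}
    foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
    $existing = @($settings['WEBSITE_LOAD_ROOT_CERTIFICATES'] -split ',' | Where-Object { $_ })
    if ($existing -notcontains $Thumbprint) { $existing += $Thumbprint }
    $settings['WEBSITE_LOAD_ROOT_CERTIFICATES'] = ($existing -join ',')
    Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name -AppSettings $settings | Out-Null
    $settings['WEBSITE_LOAD_ROOT_CERTIFICATES']
}

function Test-RootCertLoaded {
    # Kudu: confirm the root CA is present in the trusted root store after the restart.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

function Test-InternalTls {
    # Kudu: perform the same HTTPS call the Function makes and report chain trust.
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        "OK: HTTP $($r.StatusCode) from $Uri"
    } catch {
        # "Could not establish trust relationship" here means the root is still not loaded.
        "FAILED: $($_.Exception.Message)"
    }
}

# Part 1 (workstation):
$thumb = Get-CerThumbprint -Path 'C:\certs\internal-root-ca.cer'
Add-RootCertThumbprintSetting -ResourceGroupName 'rg-placeholder' -Name 'func-placeholder' -Thumbprint $thumb

# Part 2 (Kudu console, after the restart):
# Test-RootCertLoaded -Thumbprint '<paste thumbprint>'
# Test-InternalTls -Uri 'https://internal-service.placeholder.local/health'
```

Running Test-InternalTls before and after the app setting change gives a clear before/after record of the fix, and Test-RootCertLoaded separates "the setting was saved" from "the certificate was actually loaded on this instance", which is the distinction that matters when the error persists after a restart.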