How Certify (https://certifytheweb.com)makes your life easier. Certify together with Azure DNS, makes it even easier. Today I would like to introduce you to a really cool tool. In my test environment but also in many productive environments I use Let’s encrypt certificates as SSL certificates. In my opinion it brings several advantages. First of all the certificates are free of charge. But I find the short time period for the exchange of the certificates to be more secure. On the other hand there is normally just a certificate with private key for one service and not a wildcard for all services.
I will write a separate article about Certify again, in which I will go into more detail about the individual features of the software. Today I would like to show you how easy it is to use it together with Microsoft Azure DNS and how you can simplify and automate the exchange of certificates every 90 days or less with Certify.
Setup Microsoft Azure DNS Zone
Als erstes legen wir in Azure falls noch nicht geschehen eine Resource Gruppe an in der gewünschten Lokation an.
Once the resource group is created, I search for “DNS Zones” in the Services. Now I create the Azure DNS zone. First I select the desired Resource Group and enter the desired name for my DNS zone. It is important that this zone is not yet available in Azure, otherwise it will not work.
Setup up DNS to point to Azure DNS Zone
Once the zone is created, I can select it and see the DNS servers where my Azure DNS zone exists.
Now comes an important point!
Now you go to your domain hoster on the website and create a DNS entry there. Here you have to make sure that the “NS” record for the subdomain points to one or better several of the Azure DNS servers listed here.
If all of them work, you can then create a test entry in the Azure DNS zone and resolve it. For example, you can do this via https://mxtoolbox.com/.
Certify the web
You can download Certify the web, also called Certify for short, from the following website. https://certifytheweb.com/
When you have completed the download, start the download and install the application by default. I have the application running on one of my servers, so Certify can later renew the desired Let’s encrypt certificates automatically and exchange them directly if necessary. On the server where Certifiy is installed, I already have a Microsoft IIS. This is NOT required for Certify. But I would like to show you how to update the IIS certificate directly and automatically using Certify.
Let’s go
At the first start you have to select your certificate authority. Certifiy can not only manage Let’s encrypt but also BuyPass Go SSL or DigiCert certificates.
I will use Let´s encrypt, so I have to enter my mailadress and click on “Register Contact”.
Add new credentials in Certifiy
Since I want to use the existing API to manage Azure DNS automatically later, I store my data in “Settings” > “Stored Credentials” and add a new one here.
For Azure DNS I need the following information.
If you don’t have one you can use, you can see here how to do it again. I recommend to do it with Powershell because I find it easiest. https://docs.microsoft.com/powershell/azure/azurerm/create-azure-service-principal-azureps
The Tenant ID and the Application ID. I find these in the “Application Identity” section in Azure Active Directory.
The client secret.
And the Azure DNS Subscription ID. You can find them in your Azure DNS zone in the “Overview” section.
Now save you Credentials to Certify. and go on 😉
Create your first Certificate using Certify
But now I want to show what Certify can do and create my first certificate. For this I enter a name. Since I already have a Microsoft IIS running on the server where Certify is installed, I can directly select the site for which the certificate should be valid. Then of course the hostname for the certificate is missing. I enter the hostname and click on the plus symbol.
Here you can see the hostname wich certify should use to generate the Azure DNS entry and request the certificate from let´s encrypt.
Now switch to “Advanced”. Here you have to select your certifcate authority.
Next setting we have to do is the “Deployment. I will choose “Auto”. But you can also choose to run one of the existing Powershell scripts or you can use one that you have created yourself.
Since I want to use DNS Challenger Azure DNS as Let’s encrypt DNS, I select this in the “Authorization” section. You can see the steps here again in the screenshot.
Choose your Azure DNS Zone.
Now click on “save”.
Save your changes
If everything is ok, we can go on and test our configration.
Test Certify with Azure DNS
The cool thing about Certify is that you can test it before you actually apply for a certificate. So I can now test if I have everything set up correctly for Azure DNS in Certify. So I click on “Test and see that the test is completed successfully. This may take a short moment.
At the same time I can also see in my DNS zone in Azure that the record for testing has been created. This record will be removed immediately after the test.
Request your certificate
After the test is successfully completed, I click on “Request certificate”.
Now you will see how the task is in progress and which step is running at the moment.
At the same time you see how the entry for the TXT record, which is checked by Let’s encrypt, is set.
If everything works as expected, you will now see the information that the certificate was successfully created and the tasks were completed successfully.
In the overview of your certificates you can also see the remaining days until the expiration date. I find this very helpful.
In my Microsoft IIS I can now see that the certificate has been automatically renewed. If the certificate is not yet bound and you create a new one, you have to bind it manually the first time. The bound certificate will then be updated automatically in the future.
Check successful enrollment
To be on the safe side, I go to my website and see that the correct certificate issued via Let’s encrypt is bound.
Setup Auto renewal Interval
By default, Certify renews certificates 30 days before they expire and in my case the certificate would be automatically updated in IIS. In addition, the old certificate would also be removed from the Certificate Store at expiration. Here you can, if you wish, change the settings in the “Settings” > “Renewal Settings” section.
I hope I was able to present you with the article again a useful tool for the admin everyday life. Many thanks also to Certify for supporting my blog. I think Certify is really a huge work relief and above all it prevents you from leaking certificates. If you want to follow me on Twitter @thomaspreischl. About a coffee as a support for my Website I would be happy about 😉 Also read my other blogpost about many cloud services.
Very Nice, but I am looking to do just one wildcard certificate. I got it to pass the initial test, but when I go to “Get the Certificate” if fails.
I added the needed CNAME entry into my Azure DNS zone and the required value which was requested by the “Test”.
Any suggestions?