SSL Certificate for Azure Front Door verification

We’ve been having issues setting up our Azure Front Door, encountering errors to do with the required SSL certificate. Microsoft provide the following instructions:
https://learn.microsoft.com/en-us/azure/frontdoor/domain

To use your certificate with Azure Front Door, it must meet the following requirements:

Complete certificate chain: When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed certificate authority (CA) that is part of the Microsoft Trusted CA List. If you use a nonallowed CA, your request is rejected. The root CA must be part of the Microsoft Trusted CA List. If a certificate without complete chain is presented, the requests that involve that certificate aren’t guaranteed to work as expected.
Common name: The common name (CN) of the certificate must match the domain configured in Azure Front Door.
Algorithm: Azure Front Door doesn’t support certificates with elliptic curve (EC) cryptography algorithms.
File (content) type: Your certificate must be uploaded to your key vault from a PFX file, which uses the application/x-pkcs12 content type.

Our process is to build a .pfx file using OpenSSL, from a Cloudflare-generated origin certificate and client certificate.

openssl pkcs12 -export -out pfxcert.pfx -in clientcert.pem  -inkey clientcertkey.key -in origincertwithkeyinside.pem

The issue is essentially the same as in this Cloudflare support request SSL Certificate with Azure Front Door, where Azure will insist ‘the certificate needs to be a certificate chain rather than leaf certificates’ but we’re not sure what we are doing wrong/what user Sandro exactly meant with their response.

Any help would be strongly appreciated.

Hi there,

The only certificate that Cloudflare generates and allows you to copy and install on your own infrastructure is our Origin CA Certificates.

When you generate an Origin CA certificate we give you the certificate that contains your domain name (e.g. the leaf/server certificate) and the private key.

But in order for a full chain to be completed your leaf/server certificate needs to be ‘chained’ with a root/intermediate certificate - we provide the root certificates here - Origin CA certificates · Cloudflare SSL/TLS docs

This may not make a lot of sense, so I would recommend reading this guide - https://www.thesslstore.com/knowledgebase/ssl-support/explaining-the-chain-of-trust/ - that may help clarify how SSL/TLS functions.

It sounds like Azure Frontdoor requires you to provide not just the origin CA server/leaf certificate you get from Cloudflare when you generate the certificate on our dashboard, but also the root certificate that completes the chain, which is available on our developer docs.

Also keep in mind that our origin CA certificates are only trusted by Cloudflare - which means they are only meant to be used behind Cloudflare’s proxy to encrypt the connection between Cloudflare and your origin server - they are not publicly trusted, meaning if you try to terminate an SSL/TLS handshake with them in a client browser, for example, you will get a failure, because they are not trusted by browsers. I’m not sure if this would be a problem for Azure Front Door and if they require a valid trusted certificate to be installed.

Hope this helps!


Hi Damian,

This was genuinely so helpful - thank you.

Interestingly, we are no longer seeing the same error (yay), but we are getting this:
image

Should we not be using an origin cert at all? Wanted to also note I chose RSA, not ECC, if that changes things.

Thank you again!

Sounds like Azure Front Door does not like that it is a self-signed certificate (which is essentially what Origin CA is, except it is trusted by Cloudflare).

I suspect you may need to look at using another certificate from a CA (e.g. Let’s Encrypt, DigiCert).

You may want to confirm with Azure support though, if there is no way to use a self-signed certificate.

Thanks @Damian,

Again, so helpful. Will we need to import whichever certificate we get back into Cloudflare before use? We’ll likely find the cheapest for testing.

Regards

@Damian
No need for this, turns out you can create a cert using certbot + Let’s Encrypt, and use openssl to convert that into the correct PKCS#12 format.

Appreciate the help!
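
The conversion discussed above, as an added example that is not part of the original thread and not Cloudflare's or Microsoft's tooling: it builds a leaf-only PFX and a PFX that carries the issuer chain, then counts the certificates in each and reports the leaf's key algorithm. The throwaway CA, file names, domain, password and helper function names are all constructed for illustration so the script runs offline.

```shell
#!/bin/sh
# Added example: file names, domain and password are constructed placeholders.
set -eu
WORK=$(mktemp -d)
DOMAIN=www.example.test        # constructed; stands in for the Front Door custom domain
PFX_PASS=constructed-example   # constructed export password

# Throwaway RSA CA and leaf so the script runs offline. With a real CA you
# already hold leaf.pem, leaf.key and the issuer's chain file.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Leaf and key only: no issuer certificate ends up in the bundle.
build_leaf_only() {
  openssl pkcs12 -export -out "$WORK/leaf-only.pfx" -passout "pass:$PFX_PASS" \
    -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem"
}

# Leaf, key and issuer chain: -certfile adds the CA certificates.
build_full_chain() {
  openssl pkcs12 -export -out "$WORK/fullchain.pfx" -passout "pass:$PFX_PASS" \
    -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" -certfile "$WORK/ca.pem"
}

# Number of certificates stored in a PFX.
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Public key algorithm of the leaf (the quoted requirements rule out EC keys).
leaf_key_algorithm() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | sed -n 's/.*Public Key Algorithm: *//p'
}

make_test_certs
build_leaf_only
build_full_chain
echo "leaf-only.pfx: $(count_certs "$WORK/leaf-only.pfx") certificate(s)"
echo "fullchain.pfx: $(count_certs "$WORK/fullchain.pfx") certificate(s)"
echo "leaf key algorithm: $(leaf_key_algorithm "$WORK/fullchain.pfx")"
```

With certbot output, `cert.pem`, `privkey.pem` and `chain.pem` from the certificate's live directory take the place of `leaf.pem`, `leaf.key` and `ca.pem`.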

You should actually never use a self-signed certificate, unless you control the trust store, which you don’t with Cloudflare.

But the mentioned Origin certificate should work just fine.

@sandro
Azure rejected the origin cert because ‘you cannot use a self-signed certificate for BYO’ which is the weird part.
@Damian above said
“Sounds like Azure Front door does not like that it is a self-signed certificate (which is essentially what Origin CA is, except it is trusted by Cloudflare)”
So I guess there’s more to it?

Yes, that message is rather inaccurate. Origin certificates are not self-signed certificates.
