We want to switch our ASP.NET MVC application from Azure Cloud Service to Azure App Service (web app). The application is currently using WIF as its identity framework, and as it is running in a farm configuration, we configured a custom
SessionSecurityTokenHandler which encrypts the session cookie using a certificate (thus the cookie can be decrypted by all instances of the web farm).
We could provision this certificate in the Cloud Service scenario using the csdef/cscfg files and the built-in Azure certificate store associated with the Cloud Service, but there is no such thing with Azure App Services (unless I missed something).
Is there any way to configure a certificate in the App Service? Should we fall back to another mechanism to encrypt the session cookie, such as a shared machine key? The machine key is not an ideal solution as it forces us to leave some configuration out of source control to avoid leaking the key.
Using the Azure portal (https://portal.azure.com), open the web app blade for your web app and click on the Settings button in the toolbar.
In the Settings blade, click on Custom domains and SSL. In the Custom domains and SSL blade click on the Upload Certificate button in the toolbar. This will open a blade where you can upload the certificate.
In the web app settings blade, you will need to add an app settings using the key WEBSITE_LOAD_CERTIFICATES. You can set the value to * to load all certificates or if you want to specify a specific certificate you could do that.
From there, you can use the certificate like you would in your cloud service version of the application. Some additional information on this and how to use the certificate in code is available here if you need it.
Finally, to Michael B's point in the comments, using Azure Key Vault would be another approach you could take and would provide some additional security.