AWS/Azure/OpenShift Web Server Windows

How to Secure a Web Server on a Windows Virtual Machine in Azure using TLS/SSL Certificates Saved in Azure Kay Vault


Web traffic to web servers can be easily encrypted using Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL) certificates. These TLS/SSL certificates are deployable to Windows virtual machines (VMs) on Azure securely and can be saved in the Azure Key Vault. A web server is software and hardware that responds to client requests sent over the World Wide Web using HTTP (Hypertext Transfer Protocol) and other protocols. A web server’s primary responsibility is to display website content by storing, processing, and sending web pages to users.

You can encrypt web servers such as Nginx, Apache, and Internet Information Service (IIS) hosted on Azure Windows Virtual Machines the same way you would encrypt the ones installed on any of the Linux Distros such as Debian, Ubuntu, or CentOS. You should take a look at the following related articles: how to Create a Linux Virtual Machine Via Azure CLI, Install an Nginx Web-Server and Configure TCP Port, how to Configure Virtual Host for Apache HTTP Web Server to Host Several Domains on Ubuntu 20.04 LTS, how to Install Web Server IIS in Windows Server 2019, how to Install “Lets Encrypt” on Apache HTTP Web Server and how to add and remove IIS Web Server on Windows Server 2019 via the Server Manager and PowerShell.

In this guide, I show you how to create an Azure Key Vault, generate or upload a certificate to the Key Vault, create a VM and install the IIS web server, add the certificate into the VM, and configure IIS with a TLS binding.

Create Azure Key Vault

You can get started with creating Azure Key Vault by launching the free interactive cloud shell window directly on the Azure Portal or running the commands using PowerShell on our local PC. Here, I will create everything from the in-built PowerShell on the local PC because I have installed the Azure CLI .

Note: The reason why you need to store the SSL certificate in Azure Key Vault is that Azure Key Vault helps protect cryptographic secrets and keys, including passwords or certificates. Key Vault makes managing certificates easier and lets you keep control of the keys used to access those certificates.

To create an Azure Kay Vault, follow the steps below:

  1. Run the command below in your PC’s cloud shell or the in-built PowerShell.

Note every resource created in Azure is held in a logical folder called the Resource Group. So you must create a Resource Group first before creating Key Vault. Review this article to learn how to create a resource group with Azure CLI.

Proceed to create Azure Key Vault using the PowerShell cmdlets below:

$az keyvault create --name <keyvaultname> --resource-group <resourcegroupname> --location <yourlocation>
Creating Azure Key Vault

Generate a certificate and store it in Key Vault

The next step is to generate a certificate and store it in Key Vault. Let’s do this through the Azure Portal. You can also generate a certificate using the PowerShell command below:

$policy = New-AzKeyVaultCertificatePolicy `
    -SubjectName "" `
    -SecretContentType "application/x-pkcs12" `
    -IssuerName Self `
    -ValidityInMonths 12

Add-AzKeyVaultCertificate `
    -VaultName "Keyvaultname" `
    -Name "techdacert" `
    -CertificatePolicy $policy 
Certificate generated and stored on Azure Keyvault

The key vault I created is already there on the Azure Portal, as shown in the screenshot below:

Key Vault Created

To generate the certificate, do the following:

  1. Double-click to open the Key Vault you created. Locate "Certificate" within the Key Vault blade and click on Generate/Import tab
Generating a Certificate

2. In the certificate method, select "generate." You can also import the certificate. In this case, select “import.” Here, we’re generating it. After specifying the method of certificate creation, go ahead and specify other details as shown in the screenshot below, and click on "Create". Note, generating a self-signed certificate

Specifying Certificate Details

Now the certificate has been generated and enabled.

Certificate Generated and Enabled

You can also

Creating a Virtual Machine

The next step in the article is to create a Windows virtual machine. The first thing we need to do is set an administrator username and password for the VM with the Get-Credential PowerShell cmdlet:

Get-Credential -Credential <Username>
Get Credentials

You will be prompted to provide the user’s password. Go ahead and type the password. The credentials will be set as shown below:

Username and Password Set

Now let’s create the Windows VM with the following PowerShell Cmdlet: (Note, to allow secure web traffic, you must keep port 443 open)

# Create a VM
New-AzVm `
    -ResourceGroupName techdirectarchiveRG `
    -Name techdavm `
    -Location eastus `
    -VirtualNetworkName techdaVnet `
    -SubnetName techdaSubnet `
    -SecurityGroupName techdaNetworkSecurityGroup `
    -PublicIpAddressName techdaPublicIpAddress `
    -Credential $cred `
    -OpenPorts 443

When you execute the code above, it will take a few minutes for the VM to be created.

Creating a Windows VM

Now, the step uses the Azure Custom Script Extension to install the IIS web server with Set-AzVmExtension.

Now let’s install the IIS with the below command:

$Set-AzVMExtension -ResourceGroupName techdirectarchiveRG`
    -ExtensionName "IIS" `
    -VMName <YourVMName> `
    -Location <YourPreferredLocation> `
    -Publisher "Microsoft.Compute" `
    -ExtensionType "CustomScriptExtension" `
    -TypeHandlerVersion 1.8 `
    -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server 
Installing IIS Web Server

Adding the certificate to the VM from Keyvault

To add the certificate from Key Vault to a VM, obtain the ID of your certificate with Get-AzKeyVaultSecret. Add the certificate to the VM with Add-AzVMSecret as shown below:

$certURL=(Get-AzKeyVaultSecret -VaultName techdirectvault12 -Name techdacert).id

$vm=Get-AzVM -ResourceGroupName techdirectarchiveRG -Name techdavm
$vaultId=(Get-AzKeyVault -ResourceGroupName techdirectarchiveRG -VaultName techdirectvault12).ResourceId
$vm = Add-AzVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "techdacertstore" -CertificateUrl $certURL

Update-AzVM -ResourceGroupName techdirectarchiveRG  -VM $vm 


Configure IIS to use the certificate

To configure the IIS use the certificate, run the cmdlet command below:

$publicSettings = '{
    "commandToExecute":"powershell -ExecutionPolicy Unrestricted -File secure-iis.ps1"

Set-AzVMExtension -ResourceGroupName techdirectarchiveRG `
    -ExtensionName "IIS" `
    -VMName techdavm `
    -Location eastus `
    -Publisher "Microsoft.Compute" `
    -ExtensionType "CustomScriptExtension" `
    -TypeHandlerVersion 1.8 `
    -SettingString $publicSettings

Remember to replace the vm name and other details with your details.

Obtain the public IP Address to your VM to Test the web app

Obtain the public IP address of your VM using the Get-AzPublicIPAddress Cmdlets below:

Get-AzPublicIPAddress -ResourceGroupName techdirectarchiveRG -Name techdaPublicIpAddress | select "IpAddress"

Finally, browse to the IP address in your web browser by entering https://<myPublicIP&gt; in the address bar. To accept the security warning if you used a self-signed certificate, select Details and then Go on to the webpage.

Notify of

Inline Feedbacks
View all comments
Matt Houston
Matt Houston
4 months ago

The point of this article was securing IIS website with Azure Key Vault TLS certs but the article actually concludes with the promise to talk about “updating later” the topics of adding the cert and configuring TLS. Thanks for the intent but please finish or remove the post

Would love your thoughts, please comment.x