I buy cheap certificates. Yes I know there are free ones. I am just not clear on how to integrate those into Azure App Services. I know how to upload a PFX and I know how to make a certificate request from a machine with IIS on it. At SSLs.com this time I pressed the auto generate button instead of the submit CSR button knowing it could be a bad idea. It gave me a private key. Not exactly sure if it was generated in my browser or on a server somewhere but it just downloaded. After doing the things you need to do to get them to issue the public certificate using the file they gave to put in /.well-known/pki-validation/ I got my public cert. Now what? Normally I would go to the IIS machine where the request was made and complete the request but that obviously isn't the path of success this time. I looked on the internet and saw openssl as the most likely solution but I was curious about others. I tried the a DigiCertUtil.exe tool and it was just a more convenient look into the Windows certificate store but without the private key in the Windows certificate store (not a shopping store) you are stuck. Microsoft has a thing called PVK2PFX which seemed promising but it gave a bad file format error. Not sure if it was because it was a bad format or an SSL cert but it did seem like this was mostly for code signing based on various interwebs. So its OpenSSL then. At one time I would have just found the binaries somewhere, probably old and just went for it. But now there is WSL, Windows Subsystem for Linux. As a loser who actually paid for the Windows Services for UNIX back in NT 4 days I had to stuff those emotions and hold back the retching. I got the WSL from the Microsoft Store and took the Debian. It downloaded and I installed it. It asked me to create a user/pass. I soon figured out openssl was not installed yet. I did a sudo apt-get update, followed by sudo apt-get install openssl. Now I did the thing which is documented all over the internet:
openssl pkcs12 -export -out my_backup.pfx -inkey my_private_key.txt -in my_public_key.crt
These files were all in my ~ home so cd ~ if you need to get to your home before running openssl. To put the files there from Windows I used Windows file explorer: \\wsl$\Debian\home\me. It wanted a password for the generated pfx, it accepted a blank and that won't work for the Azure certificate import. I had to import this pfx into the Windows certificate store. For all of you that this is not second nature, get an administrative command prompt or powershell and type mmc and press enter. Add the Certificate snap in and import then export the pfx with a password. I suppose I could have just generated the pfx again but I wanted to verify IIS liked it. Got to remember to delete all these key files I now have littered about and empty the recycle bin.