Add additional Authorized CA for custom Certificate in Azure Front Door
Actually, it is possible to bring a custom certificate for a custom domain name in Azure Front Door. Unfortunately, there is a restricted list of authorized CAs (cf. https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https). CAs like Let's Encrypt (https://letsencrypt.org/) are not in the list. Is it possible to add it?
valid suggestion subject to upvote
Please consider adding support for all roots trusted for TLS in the Microsoft Trusted Root Program. Doing so will provide consistency between the Azure Front Door service and other Microsoft products.
It is unclear to me how the allowed CA list is composed.
It seems more reasonable to include all CAs in Microsoft Trusted Root Program (https://docs.microsoft.com/en-us/security/trusted-root/participants-list) as a service provided by Microsoft.
Please consider support for other CAs.
Soon Wong commented
Let's Encrypt, as well as a bunch of the other providers, should all be allowed please (but Let's Encrypt first!).
I can understand why self-signed certs should be disallowed, but having a manual list like this feels very backwards. It would be good for MSFT to provide an explanation as to the restrictions if there are actual concerns, and let customers caveat emptor.
Mads Damgård commented
Magnus Ternström commented
We use SwissSign as our certificate vendor. These certificates are trusted by most devices and operating systems, including Windows 10 and Azure Application Gateway.
When it comes to Azure Front Door they don't seem to be trusted.
For us to be able to buy/use the Azure Front Door service we need for it to support our certificates that we use on our backend servers.
Daiyu Hatakeyama commented
We need these!
- DigiCert Inc DigiCert Global Root G2
- DigiCert Inc DigiCert Global Root G3
Add QuoVadis as a valid CA for Front Door
Pontus Danielsson commented
Add TeliaSonera CA Root v1 as allowed CA for Azure Front Door.
Sucursal Web commented
Although it is a valid and necessary CA addition for BYO certs, it's also a valid first citizen option for auto provided and managed ones.
In cases of lots of certs under the same Front Door, if Let's Encrypt is used to supply these, custom code must be put in place for replacing each cert every 3 months plus other management tasks. This sounds like a feature that, if provided by the platform itself, would ease the adoption for complex scenarios.
Markus Troßbach commented
Also add SwissSign
Andrew R commented
Please add support for Let's Encrypt
Doyle, Keith M. commented
Add Trustwave Level 1 to the list of approved CAs.
Rune Synnevåg commented
Also add: https://www.buypass.com/
Tobias Weisserth commented
I'd love to see Let's Encrypt supported as well. Thanks!