For Web App, there are two kinds of SSL/TLS certificates - private certificate and public certificate.
Some users have lots of web apps and certificates that need to be managed, so I've been asked many times how to get (both private and public) certificates in bulk. In this blog I will show how to get Web Apps private certificates and public certificates under a subscription, respectively.
Get Web Apps private certificates in bulk
For private certificates, there is an existing feature and an API to get all the private certificates under a subscription in bulk. The following shows how to use Azure Resource Graph Explorer and the Azure REST API to get them:
Option 1: Use Azure Resource Graph Explorer
In the Azure portal -> go to the "Resource Graph Explorer" service -> search for the "microsoft.web/certificates" resource -> in the Kusto query, filter on the subscriptionId and pick the fields you need.
An example Kusto query is shown below:
resources
| where type == "microsoft.web/certificates"
| where subscriptionId == "xxxx"
| project name, resourceGroup, properties
Note:
- The private certificate's detailed information (e.g. thumbprint, issue date and expiration date) is stored in the properties field.
- You can also use the Resource Graph Explorer to query other resource information beyond App Service's private certificates.
Option 2: Use List Certificates REST API
You can also use List Certificates REST API to bulk get the private certificates.
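Option 2 in practice, as an added example that is not part of the original post: it pages through the List Certificates REST API and reports private certificates that are expired or close to expiry. The function names, the sample data and the reuse of the post's 2021-02-01 api-version for this endpoint are assumptions; `thumbprint` and `expirationDate` are read from each certificate's properties.

```powershell
# Added example; function names and sample data are constructed for illustration.
# Page through an ARM list call: "value" holds items, "nextLink" the next page.
function Get-ArmList {
    param([string]$Url, [hashtable]$Headers)
    while ($Url) {
        $page = Invoke-RestMethod -Uri $Url -Method Get -Headers $Headers
        $page.value            # emit this page's items
        $Url = $page.nextLink  # empty on the last page, which ends the loop
    }
}

# Return certificates that are expired or expire within $Days, soonest first.
function Get-ExpiringCertificate {
    param([object[]]$Certificate, [int]$Days = 30,
          [datetime]$Now = (Get-Date).ToUniversalTime())
    $rows = foreach ($c in $Certificate) {
        # expirationDate is a string in Windows PowerShell 5.1 and a DateTime in
        # PowerShell 7; the cast accepts both.
        $expires = ([datetime]$c.properties.expirationDate).ToUniversalTime()
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -le $Days) {
            [pscustomobject]@{
                Name          = $c.name
                ResourceGroup = $c.id.Split('/')[4]
                Thumbprint    = $c.properties.thumbprint
                ExpiresUtc    = $expires
                DaysLeft      = $daysLeft   # negative means already expired
            }
        }
    }
    $rows | Sort-Object ExpiresUtc
}

# Constructed sample shaped like one List Certificates page, so this runs offline.
$sample = @'
{"value":[
{"id":"/subscriptions/xxxx/resourceGroups/rg-a/providers/Microsoft.Web/certificates/cert-a","name":"cert-a",
 "properties":{"thumbprint":"SAMPLE-THUMBPRINT-A","expirationDate":"2022-06-20T00:00:00Z"}},
{"id":"/subscriptions/xxxx/resourceGroups/rg-b/providers/Microsoft.Web/certificates/cert-b","name":"cert-b",
 "properties":{"thumbprint":"SAMPLE-THUMBPRINT-B","expirationDate":"2023-01-15T00:00:00Z"}},
{"id":"/subscriptions/xxxx/resourceGroups/rg-a/providers/Microsoft.Web/certificates/cert-c","name":"cert-c",
 "properties":{"thumbprint":"SAMPLE-THUMBPRINT-C","expirationDate":"2022-05-01T00:00:00Z"}}
]}
'@ | ConvertFrom-Json
$now = [datetime]::new(2022, 6, 9, 0, 0, 0, [DateTimeKind]::Utc)
Get-ExpiringCertificate -Certificate $sample.value -Days 30 -Now $now | Format-Table

# Live use (token and subscription are placeholders, as in the post's script):
# $url = 'https://management.azure.com/subscriptions/xxxx/providers/Microsoft.Web/certificates?api-version=2021-02-01'
# Get-ExpiringCertificate -Certificate (Get-ArmList $url @{ Authorization = 'Bearer xxxx' })
```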
Get Web Apps public certificates in bulk
There is no equivalent feature or API to list all the public certificates in bulk. The Get Public Certificate REST API can only get the public certificates for one web app at a time. So the idea for getting web apps' public certificates in bulk is as follows:
- Use the List Web Apps REST API to get the web app list
- Loop over the web app list and get each web app's public certificate(s)
An example PowerShell script to achieve this is shown below:
# Replace with your own bearer token
$headers = @{ Authorization = "Bearer xxxx" }
# Replace with your own subscription ID
$subscription = "xxxx"
$url1 = "https://management.azure.com/subscriptions/$subscription/providers/Microsoft.Web/sites?api-version=2021-02-01"
# Get the web app list under the subscription. Invoke-RestMethod already returns
# parsed objects, so no ConvertTo-Json/ConvertFrom-Json round trip is needed.
$webapps = @()
while ($url1) {
    $response = Invoke-RestMethod -Uri $url1 -Method Get -Headers $headers
    $webapps += $response.value
    # Large subscriptions are returned in pages; follow nextLink until it is empty
    $url1 = $response.nextLink
}
# Loop over the web app list
foreach ($line in $webapps) {
    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<app>
    $a1 = $line.id.Split("/")
    $rg = $a1[4]
    $appname = $a1[8]
    Write-Host "The public certificate thumbprint(s) under the app $appname are as follows:"
    $url2 = "https://management.azure.com/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Web/sites/$appname/publicCertificates?api-version=2021-02-01"
    # Get each web app's public certificate(s)
    $res_cert = Invoke-RestMethod -Uri $url2 -Method Get -Headers $headers
    foreach ($z in $res_cert.value) {
        # Read the thumbprint directly from the properties object instead of
        # parsing its string form, which depends on the property order
        Write-Host $z.properties.thumbprint
    }
}
Then you can get the web apps public certificates in bulk.
Updated Jun 09, 2022
Version 2.0
Marina_Liu
Microsoft
Apps on Azure Blog