Get Web Apps certificates in bulk
Published Jun 09 2022 04:59 AM
Microsoft

A Web App can use two kinds of SSL/TLS certificates: private certificates and public certificates.

Some users have many web apps and certificates to manage, so I've been asked many times how to get the certificates (both private and public) in bulk. In this blog I will show how to get the Web Apps private certificates and public certificates under a subscription.

 

Get Web Apps private certificates in bulk

For private certificates, there is an existing feature and an API to get them in bulk under a subscription. The following shows how to use Azure Resource Graph Explorer and the Azure REST API to get them:

Option 1: Use Azure Resource Graph Explorer

In the Azure portal, go to the "Resource Graph Explorer" service, search for the "microsoft.web/certificates" resource, then in the Kusto query filter on subscriptionId and pick the fields you need.

An example Kusto query is shown below:

 

resources
| where type == "microsoft.web/certificates"
| where subscriptionId == "xxxx"
| project name, resourceGroup, properties

 

Note:

  • The private certificate's detailed information (e.g. thumbprint, issue date and expiration date) is stored in the properties field.
  • You can also use Resource Graph Explorer to query information about other resources beyond App Service private certificates.

Option 2: Use List Certificates REST API

You can also use the List Certificates REST API to get the private certificates in bulk.
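Option 2 sketched in PowerShell, as an added example that is not part of the original post; it goes one step further and reports certificates that expire within a given number of days. The function names `Get-AllPages` and `Select-ExpiringCertificate` are hypothetical, the sample response is constructed, and the api-version is assumed to be the same one used in the script later in this post.

```powershell
# Added example. Function names are hypothetical; sample data is constructed.
function Get-AllPages {
    param([string]$Uri, [hashtable]$Headers)
    # ARM list responses can be paged: follow nextLink until it is absent.
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Method Get -Headers $Headers
        $page.value
        $Uri = $page.nextLink
    }
}

function Select-ExpiringCertificate {
    param(
        [Parameter(ValueFromPipeline)] $Certificate,
        [int]$WithinDays = 30,
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        # Works whether ConvertFrom-Json left the date as a string or a DateTime.
        $expires  = ([datetime]$Certificate.properties.expirationDate).ToUniversalTime()
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -le $WithinDays) {
            [pscustomobject]@{
                Name          = $Certificate.name
                ResourceGroup = ($Certificate.id -split '/')[4]
                Thumbprint    = $Certificate.properties.thumbprint
                ExpiresUtc    = $expires
                DaysLeft      = $daysLeft   # negative means already expired
            }
        }
    }
}

# Constructed sample in the shape of a List Certificates response (not real data).
$sample = @'
{"value":[
 {"id":"/subscriptions/xxxx/resourceGroups/rg-demo/providers/Microsoft.Web/certificates/cert-a",
  "name":"cert-a","properties":{"thumbprint":"0000000000000000000000000000000000000001","expirationDate":"2022-06-20T00:00:00Z"}},
 {"id":"/subscriptions/xxxx/resourceGroups/rg-demo/providers/Microsoft.Web/certificates/cert-b",
  "name":"cert-b","properties":{"thumbprint":"0000000000000000000000000000000000000002","expirationDate":"2023-06-01T00:00:00Z"}},
 {"id":"/subscriptions/xxxx/resourceGroups/rg-old/providers/Microsoft.Web/certificates/cert-c",
  "name":"cert-c","properties":{"thumbprint":"0000000000000000000000000000000000000003","expirationDate":"2022-05-01T00:00:00Z"}}
]}
'@ | ConvertFrom-Json
$now = [datetime]::new(2022, 6, 9, 0, 0, 0, [DateTimeKind]::Utc)
$sample.value | Select-ExpiringCertificate -WithinDays 30 -Now $now | Format-Table
# Live use ($headers and $subscription as defined in the script later in this post):
# Get-AllPages -Uri "https://management.azure.com/subscriptions/$subscription/providers/Microsoft.Web/certificates?api-version=2021-02-01" -Headers $headers |
#     Select-ExpiringCertificate -WithinDays 30
```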

 

Get Web Apps public certificates in bulk

There is no feature or API to list all the public certificates in bulk. The Get Public Certificate REST API can only get the public certificate(s) of one web app at a time. So the idea for getting the web apps' public certificates in bulk is as follows:

  1. Use the List Web Apps REST API to get the web app list
  2. Loop over the web app list and get each web app's public certificate(s)

An example PowerShell script that does this is shown below:

 

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
# Replace with your own bearer token
$headers.Add("Authorization", "Bearer xxxx")
# Replace with your own subscription ID
$subscription = "xxxx"
$url1 = "https://management.azure.com/subscriptions/$($subscription)/providers/Microsoft.Web/sites?api-version=2021-02-01"
# Get the web app list under the subscription (Invoke-RestMethod already parses the JSON response)
$response = Invoke-RestMethod $url1 -Method 'GET' -Headers $headers
# Loop over the web app list
foreach ($line in $response.value) {
    # Resource ID format: /subscriptions/{id}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{name}
    $webapp = $line.id
    $a1 = $webapp.Split("/")
    $rg = $a1[4]
    $appname = $a1[8]
    Write-Host "The public certificate thumbprint(s) under the app $appname are as follows:"

    $url2 = "https://management.azure.com/subscriptions/$($subscription)/resourceGroups/$($rg)/providers/Microsoft.Web/sites/$($appname)/publicCertificates?api-version=2021-02-01"
    # Get each web app's public certificate(s)
    $res_cert = Invoke-RestMethod $url2 -Method 'GET' -Headers $headers
    foreach ($z in $res_cert.value) {
        # Read the thumbprint directly from the certificate's properties object
        Write-Host $z.properties.thumbprint
    }
}

 

The script prints the public certificate thumbprint(s) of every web app under the subscription.

Last update: Jun 09 2022 05:01 AM