Currently if you utilise the static website hosting feature in Azure Storage you cant add an SSL cert when configuring a custom domain. The workaround is to use Azure CDN (content delivery network) and add the custom domain and certificate from there. This blog will help explain the process.
Key Vault:
First step is to create a Key Vault (if you don’t have one already) from which to store your certificate:
From the Azure Portal choose create a resource search for “Key Vault”.
On the Key Vault section, choose Create.
On the Create key vault section provide the following information:
After providing the information above, select Create.
Certificate Upload:
Assuming you already have an existing certificate, from the key vault Select Certificates > “Generate/Import”
Under “Method of certificate creation” change the method from Generate to Import.
Give the certificate a name then choose the file to upload and specify the password.
CDN Endpoint:
From the storage account choose Azure CDN and create a new endpoint, choose your preferred pricing tier and specify the endpoint name.
For origin hostname its important to specify the primary endpoint of the storage account found under the Static Website section of the storage account.
(You may notice back in the Azure CDN section of the storage account the endpoints section is blank, this is because the origin of the endpoint has changed to “Custom Origin”, you should find the endpoint in the resource group of the storage account as a separate entity)
Within the Endpoint you can now configure your custom domain, however first you will need to allow your CDN service permission to access the certificate in the key vault. The Application ID will be visible in the message with the instructions:
1) Register Azure CDN as an app in your Azure Active Directory (AAD) via PowerShell using this command: New-AzureRmADServicePrincipal -ApplicationId “*******************************”.
2) Grant Azure CDN service the permission to access the secrets in your Key vault. Go to “Access policies” from your Key vault to add a new policy, then grant “Microsoft.Azure.Cdn” service principal a “get-secret” permission.
You will also need to configure your public DNS record, the CNAME record will need to point to the “endpoint hostname” of the CDN endpoint found in the overview screen of the endpoint.
You will now be able to configure your custom domain and select the certificate found in the key vault, after configuring wait a few minutes then try browsing your new custom domain.