I think like I'm missing something obvious... I want to install a third party SSL cert. To get it issued I need a CSR. in the bad old days I would do this on the server via the certificate snap in / IIS. How do you do this in Azure? Googling seems to be failing me. https://certera.com/kb/generate-csr-on-azure-app-service/ suggests I should be able to do this but the steps don't marry up with what I'm seeing.

We use azure app services. Whenever we need to get a certificate with a CSR, we either generate it on our own machine or on a shared machine in IIS. Once we have the response, we finish the request in IIS and the export the certificate as a PFX with password. That can be uploaded to Azure.

This is what I thought everyone was doing but it seems like something Azure should be able to do to me!! OK - thanks nice to hear that's a path forward.

You can generate CSRs in Azure Key Vault. I should make a blog post on it. 🤔

This is what I don't understand - what the effer has an SSL Cert got to do with the Key vault!!! Shouldn't it be via the webservice.

Its a secure place to store certificates and version them. With some providers I think digicert Azure can directly handle the renewal process and update the cert automatically, (not tried it though). The benefit of it is having your certificates in one place and your web apps can be configured to pull the latest certificate version when available. So all you would do is update the cert in key vault and the web apps would grab it automatically.

OK so we have a key vault by regional and site environment but could use a separate central one for all SSLs for a region. Sounds good - thanks.