Azure Blob Storage
How to automatically deploy SSL certificates to an Azure Blob Storage container.
Overview
AutoSSL can automatically upload SSL certificate files to an Azure Blob Storage container. Each certificate is archived under a versioned archive path and also updated under a latest/ path for easy discovery by downstream consumers (e.g., Nginx, Caddy, or custom scripts that pull certificates from Blob Storage).
For instructions on how to manage and run this deployment, please refer to the Deployment Management section.
Configuration Parameters
When you add or edit this deployment target in the AutoSSL console, you will need to configure the following parameters:
| Parameter | Description | Example |
|---|---|---|
| Storage Account Name | The name of the Azure Storage account that hosts the blob container. | mystorageaccount |
| Container Name | The name of the blob container to upload certificate files to. | ssl-certs |
| Blob Name Prefix | (Optional) A prefix for organizing certificate files in the container. If set, files will be uploaded under this prefix. Trailing slash is optional. | certs/example.com/ |
How it Works
When AutoSSL deploys a certificate to a blob container (e.g., storage account mystorageaccount, container ssl-certs, prefix certs/example.com/), it performs the following steps:
-
Certificate Preparation:
- Splits the full certificate chain into individual PEM files:
cert.pem(leaf certificate),privkey.pem(private key, PKCS#8 encoded),chain.pem(intermediate chain), andfullchain.pem(full chain). - Generates a
README.mdfile with certificate metadata and a link to https://autossl.dev for traceability. - Parses the certificate
notBeforedate and SHA1 fingerprint to generate an archive directory name (format:YYYY-MM-DD_<first 8 chars of SHA1>).
- Splits the full certificate chain into individual PEM files:
-
File Upload:
- Uploads certificate files (four PEM files and README.md) to two paths in the container:
- Archive path —
certs/example.com/2026-05-30_e5f6a7b8/cert.pem(andprivkey.pem,chain.pem,fullchain.pem,README.md). This path is unique per certificate issuance and is never overwritten. - Latest path —
certs/example.com/latest/cert.pem(andprivkey.pem,chain.pem,fullchain.pem,README.md). This path always reflects the most recently uploaded certificate.
- Archive path —
- Uploads certificate files (four PEM files and README.md) to two paths in the container:
The latest/ path allows downstream services to always fetch the current
certificate from a fixed blob name. Historical certificates remain accessible
under their versioned archive directories.
Example Container Structure
After multiple certificate renewals, your container structure will look like this:
certs/example.com/
├── 2026-03-01_a1b2c3d4/
│ ├── cert.pem
│ ├── privkey.pem
│ ├── chain.pem
│ ├── fullchain.pem
│ └── README.md
├── 2026-05-30_e5f6a7b8/
│ ├── cert.pem
│ ├── privkey.pem
│ ├── chain.pem
│ ├── fullchain.pem
│ └── README.md
└── latest/
├── cert.pem
├── privkey.pem
├── chain.pem
├── fullchain.pem
└── README.mdPrivate Key Format
privkey.pem is encoded in PKCS#8 format (-----BEGIN PRIVATE KEY-----). This format is widely supported by modern web servers and tools (Nginx, Caddy, Traefik, OpenSSL 1.1+, etc.).
If your environment requires PKCS#1 format (e.g. -----BEGIN RSA PRIVATE KEY----- for RSA keys), convert it locally before use:
openssl rsa -in privkey.pem -out privkey-pkcs1.pemAccess Key Requirement
To interact with Azure Blob Storage, this provider requires an Azure service principal.
Required Permissions
The service principal must have permission to create and overwrite blobs in the target container. Assign the following data plane RBAC role at the storage account or container scope:
- Storage Blob Data Contributor (recommended)
Control plane roles such as Storage Account Contributor do not grant
blob upload permissions. If deployment fails with This request is not authorized to perform this operation, verify both the RBAC role assignment
and the storage account firewall settings below.
Assign the RBAC Role
Granting the role at the container scope follows the principle of least privilege:
- In the Azure Portal, open your Storage Account → Containers → select the target container.
- Go to Access control (IAM) → Add role assignment.
- On the Role tab, select Storage Blob Data Contributor.
- On the Members tab:
- Set Assign access to to User, group, or service principal.
- Click Select members.
- Search by your app registration display name (e.g.,
AutoSSL) or Client ID. - Select the result whose type is Application or Service principal — not a user account.
- Review and assign.
If the app does not appear in search results, open Microsoft Entra ID → Enterprise applications, set Application type to All applications, and confirm the service principal exists. Newly created principals may take a few minutes to appear in IAM search.
For more information, refer to the Azure Blob Storage access control documentation.
Configure Storage Account Firewall
AutoSSL connects to Blob Storage over the public internet. If the storage account restricts network access, requests are blocked even when RBAC is configured correctly.
- Open your Storage Account → Networking → Firewalls and virtual networks.
- Choose one of the following:
- Enabled from all networks — simplest for initial setup and testing.
- Enabled from selected networks — add AutoSSL's outbound IP address(es) under Address range.
- Save the changes and retry the deployment.
If your storage account is accessible only via a virtual network or private endpoint, AutoSSL cannot reach it from the public internet unless you route traffic through a compatible network path.