For more details on creating an App Service Certificate see How to Create an App Service Certificate.
In order to deploy this template, you need to have the following resources:
- A Key Vault (specified in 'existingKeyVaultId' parameter)
- An App Service app (specified in 'existingAppName' parameter)
- An App Service Domain (specified in 'rootHostName' parameter)
By default, the 'Microsoft.CertificateRegistration' and 'Microsoft.Web' resource providers (RPs) don't have access to the Key Vault specified in the template, so you need to authorize these RPs by running the following PowerShell commands before deploying the template:
```powershell
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName f3c21649-0979-4721-ac85-b0216b2cf413 -PermissionsToSecrets get,set,delete
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
```
The ServicePrincipalName parameter identifies these RPs in your tenant and is the same across all Azure subscriptions. This is a one-time operation: once you have configured a Key Vault this way, you can use it to store as many App Service Certificates as you want without running these PowerShell commands again. See the Key Vault documentation for more information:
https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/
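The following script is an added example, not part of this template or its README. It wraps the two access-policy grants above in an idempotent helper and then verifies the result, so that each RP ends up with exactly the secret permissions the template needs and nothing more. It assumes the AzureRM module is installed, that Login-AzureRmAccount has already been run, and that Get-AzureRmADServicePrincipal -ServicePrincipalName resolves a service principal to an object whose Id matches the ObjectId recorded in the vault's access policies; the parameter names $SubscriptionId and $VaultName are the script's own.

```powershell
# Added example (not the template's own code): grant and verify the Key Vault access
# policies required by the App Service Certificate template.
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionId,
    [Parameter(Mandatory = $true)] [string] $VaultName
)

Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# Service principal IDs of the two resource providers, as listed in the README above.
# They are fixed per RP and identical in every tenant and subscription.
$rpPolicies = @(
    @{ Name = 'Microsoft.CertificateRegistration'; Spn = 'f3c21649-0979-4721-ac85-b0216b2cf413'; Permissions = @('get', 'set', 'delete') },
    @{ Name = 'Microsoft.Web';                     Spn = 'abfa0a7c-a6b6-4736-8310-5855508787cd'; Permissions = @('get') }
)

# Grant: Set-AzureRmKeyVaultAccessPolicy replaces the policy for that principal, so
# re-running the script is safe.
foreach ($rp in $rpPolicies) {
    Write-Host "Granting $($rp.Name) secret permissions [$($rp.Permissions -join ',')] on vault $VaultName"
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
        -ServicePrincipalName $rp.Spn `
        -PermissionsToSecrets $rp.Permissions
}

# Verify: resolve each SPN to its object ID (assumption: Id matches the policy's ObjectId)
# and compare the stored secret permissions with the intended set in both directions.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
foreach ($rp in $rpPolicies) {
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $rp.Spn
    if (-not $sp) {
        Write-Warning "Service principal $($rp.Spn) for $($rp.Name) not found in this tenant"
        continue
    }
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) {
        Write-Warning "No access policy found for $($rp.Name) ($($rp.Spn))"
        continue
    }
    # -notcontains is case-insensitive, so 'Get' and 'get' compare equal.
    $missing = $rp.Permissions | Where-Object { $policy.PermissionsToSecrets -notcontains $_ }
    $extra   = $policy.PermissionsToSecrets | Where-Object { $rp.Permissions -notcontains $_ }
    if ($missing) { Write-Warning "$($rp.Name) is missing secret permissions: $($missing -join ',')" }
    if ($extra)   { Write-Warning "$($rp.Name) has more secret permissions than needed: $($extra -join ',')" }
    if (-not $missing -and -not $extra) { Write-Host "$($rp.Name): access policy OK" }
}
```

Run it as `.\Grant-AppServiceCertVaultAccess.ps1 -SubscriptionId <id> -VaultName <vault>` (file name is the example's own). The "extra permissions" warning is the check worth keeping: 'Microsoft.Web' only needs get, and an RP holding set or delete on a vault that also stores unrelated secrets widens the blast radius unnecessarily.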
The Web App and domain resources need to be in the same resource group. The Web App should have 'rootHostName' and its www subdomain assigned as custom domains:
https://azure.microsoft.com/en-us/documentation/articles/custom-dns-web-site-buydomains-web-app/
https://azure.microsoft.com/en-us/documentation/articles/web-sites-custom-domain-name/