Root Domain Names and SSL Certificates 

How to avoid creating SSL certificates every year for all your domains

Brett Andrew January 2022

Root Domain names

A root domain name is the domain name without any sub-domain. For example "" is the root domain and "" is a subdomain.

Often we inherit websites and take over the technical responsibilities of managing the domain name and the website for our clients and OFTEN they have been using the root domain for their website.

Best practice is to use the subdomain www for the website, but to include a root domain redirect to this www address by default. The problem if this has not been done is we now require an additional root domain certificate, as well as a wildcard ssl certificate for the www address. Essentially two certificates, as the wildcard certificate * DOES NOT cover the root domain

This SSL certificate needs to be setup because search engines and users have already book marked the domain, so we can't undo that easily.

Azure Front Door

Now our favourite way to host our websites is behind Azure Front Door and one of the great things about Azure Front Door is that it can manage your SSL Certificates for free, you never have to worry about them again. But, the bad thing is that you cannot point a root domain directly at Azure Front Door. So we get left having to create these single SSL certificates.

Old Suggested Solution

This works, but its expensive, see below for a newer much cheaper option.

This service will manage your root directly, creating SSL Certificates and redirecting.

It is a paid service and you can get up to 5 domain names for US$14.95 per month, and if you have more domains you can get 50 domain names for $99 per month.

So now we can add the clients root domain to this service and know that it redirects to the correct www subdomain, without having to worry about SSL certificates expiring! Hooray!

New Solution

So the new solution I found just recently (2022) was that Azure App Service creates free root certificates now.

Go to an App Service, add a custom domain for your root domain, then you will see under private key certificates you can add an app key (see image)

So I created an App service which it only job is to accept traffic in and redirect to the real www appended site (the www site runs on azure front door), so the root domain is just a redirect only to the www site.

There is a single web.config file on the app service which will redirect all traffic and append www. onto it, as long as it does not already have it. I've shared the contents of that for you.

Hey presto, perfect if you have many root domains to manage and don't want to spend your life creating SSL keys for them!

web.config files contents:

<?xml version="1.0" encoding="utf-8"?>

			 <rule name="CanonicalHostNameRule1">
			      <match url="(.*)" />
			        <add input="{HTTP_HOST}" pattern="www.*" negate="true"  ignoreCase="true"  />
			      <action type="Redirect" url="https://www.{HTTP_HOST}/{R:1}" redirectType="Permanent"  />

powered by mition