You should never keep any confidential configuration information in an application configuration file. This include injecting sensitive information via web transformation files. Adding sensitive values via the AppService settings is not ideal either.
In all these cases you may leak sensitive information. For example via your source control. Or anyone with access to your subscription could get those secrets.
Certificates have various uses in AppServices. The most obvious one is to enable SSL for your application. Another use it to authenticate towards Azure KeyVault to retrieve confidential values.
In this post we will be uploading a certificate to KeyVault. Then we will deploy it to an AppService with Azure Resource Manager. Finally we will set a custom domain binding to use the certificate for SSL.