
I created an App Service Certificate in Azure to enable SSL for Application Gateway. I had already configured SSL on the Application Gateway with a self-signed .pfx certificate to test the functionality, but wanted to go with a more robust, auto-renewed, Microsoft-managed solution.

However, it seems that an "App Service Certificate" is not the same as a generic certificate and doesn't show up on the listener configuration page of the Application Gateway when trying to add the cert from Key Vault to the app gateway.

Is there any way to re-use this certificate with the Application Gateway?

  • It does allow the certificate from Azure Key Vault; refer to this doc: learn.microsoft.com/en-us/azure/application-gateway/… Apr 27, 2021 at 18:37
  • Thanks, I did refer to the same before posting. It still doesn't resolve my issue: in the Application Gateway listener config page for 443, it will list the key vault in the "key vault" text box but will not list the certificate in the "certificate name" text box. Also, the certificate doesn't show up under certificates in Key Vault; it shows up as a secret of type application/x-pkcs12, which can be downloaded as a .pfx certificate.
    – elixir
    Apr 27, 2021 at 18:45
  • dotnetdevlife.wordpress.com/2019/06/06/… I tried this workaround and it works, but I will still have to manually download and do this when the certificate expires next year, which nullifies the benefit of a Microsoft-managed certificate.
    – elixir
    Apr 27, 2021 at 18:46
  • Yeah, currently the Application Gateway dropdown lists your configured certificates on screen (SSL Settings => Create SSL profile), not the list of certificates from Key Vault. Apr 27, 2021 at 19:06
  • Hey, did you find anything since? I'm trying to enable SSL on Application Gateway as well and want to use a cert that's managed completely by Azure. The Key Vault option doesn't really meet my expectation, as I would need an account with a CA.
    – Eric Hua
    May 24, 2021 at 17:06

1 Answer


I came across this today and found out that it is the Azure portal that is incapable of adding a certificate stored as a Key Vault secret. If you use Terraform, the REST API, the Azure CLI, etc., you can add a Key Vault secret to Application Gateway.

This is already documented by Microsoft:

The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).

Again, there is a partially correct warning, which is only true for the Azure portal:

Azure Application Gateway currently supports only Key Vault accounts in the same subscription as the Application Gateway resource. Choosing a key vault under a different subscription than your Application Gateway will result in a failure.

A simple but manual solution is to download the certificate from the Key Vault secret via the Azure portal and upload it as a Key Vault certificate. You will need to do this again when the certificate is renewed.

  • I'm not sure this is true. I configured my app gateway to reference the secret in the Key Vault via Bicep, and whilst it deployed successfully, the chain of authority is not complete, so the SSL handshake subsequently fails. I followed this post (azure.github.io/AppService/2017/02/24/…) to show me how to manually download and re-upload, but this is daft with the so-called automated certs from MS. Jan 5, 2023 at 15:49
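Worked example of the non-portal route the answer describes, added here and not taken from the question, the answer, or Microsoft's documentation: a Terraform (azurerm provider) definition that gives the Application Gateway a user-assigned managed identity, grants that identity Get on Key Vault secrets and nothing else, and references the App Service Certificate's Key Vault secret by its versionless URL. Every resource name below (rg-web, kv-web, appservice-cert, snet-agw, vnet-web, pip-agw, westeurope) is an assumption, and the gateway's other blocks are the minimum the provider requires.

```hcl
# Added example; not code from the question, the answer, or Microsoft. Assumed
# (hypothetical) names: resource group "rg-web" in "westeurope", Key Vault "kv-web"
# holding the App Service Certificate as secret "appservice-cert", existing subnet
# "snet-agw" in "vnet-web" and public IP "pip-agw". Provider config is omitted.

data "azurerm_client_config" "current" {}
data "azurerm_key_vault" "kv" {
  name                = "kv-web"
  resource_group_name = "rg-web"
}
data "azurerm_subnet" "agw" {
  name                 = "snet-agw"
  virtual_network_name = "vnet-web"
  resource_group_name  = "rg-web"
}
data "azurerm_public_ip" "agw" {
  name                = "pip-agw"
  resource_group_name = "rg-web"
}

# The gateway reads Key Vault through a user-assigned managed identity.
resource "azurerm_user_assigned_identity" "agw" {
  name                = "id-agw-keyvault"
  resource_group_name = "rg-web"
  location            = "westeurope"
}

# Least privilege: Get on secrets only (no List/Set, nothing on keys or certs).
resource "azurerm_key_vault_access_policy" "agw" {
  key_vault_id       = data.azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.agw.principal_id
  secret_permissions = ["Get"]
}

resource "azurerm_application_gateway" "agw" {
  name                = "agw-web"
  resource_group_name = "rg-web"
  location            = "westeurope"
  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.agw.id]
  }
  # The part the portal cannot do: reference a Key Vault *secret*. The URL is the
  # versionless one (https://kv-web.vault.azure.net/secrets/appservice-cert;
  # vault_uri ends in "/"), built as a string so no azurerm_key_vault_secret data
  # source copies the PFX into Terraform state. Versionless means the gateway picks
  # up the renewed certificate on its own; a versioned URL would pin the old one.
  ssl_certificate {
    name                = "appservice-cert"
    key_vault_secret_id = "${data.azurerm_key_vault.kv.vault_uri}secrets/appservice-cert"
  }
  gateway_ip_configuration {
    name      = "agw-ipcfg"
    subnet_id = data.azurerm_subnet.agw.id
  }
  frontend_port {
    name = "https"
    port = 443
  }
  frontend_ip_configuration {
    name                 = "public"
    public_ip_address_id = data.azurerm_public_ip.agw.id
  }
  backend_address_pool {
    name = "web-pool"
  }
  backend_http_settings {
    name                  = "web-http"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 30
  }
  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "public"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "appservice-cert"
  }
  request_routing_rule {
    name                       = "https-to-web"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "web-pool"
    backend_http_settings_name = "web-http"
  }
  # Key Vault access is validated at deploy time, so the policy must exist first.
  depends_on = [azurerm_key_vault_access_policy.agw]
}
```

Two practitioner notes. If the vault uses Azure RBAC instead of access policies, replace the access policy with an azurerm_role_assignment giving the identity the "Key Vault Secrets User" role on the vault; either way the vault must sit in the same subscription as the gateway, as the quoted warning says. And because the gateway serves whatever chain the PFX in the secret contains, the incomplete-chain failure reported in the comment above is a property of the stored PFX, not of the reference method, so after terraform apply verify the chain with openssl s_client -connect <host>:443 -servername <host> -showcerts before relying on the listener.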
