How can we improve Azure Networking?

Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App Service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps in a single place.

113 votes
Mike Webber shared this idea

    7 comments

      • Joe H commented

        SSL certificate private key portions are CONSTANTLY exposed on some DevOps workstation, because App Services don't support the generation of a CSR.

        KeyVault supports that -- but when I create an SSL certificate via KeyVault, I can't use it directly in an AppService without allowing the entire certificate to be exported - with its private key portion.

        Back to square one.

        Besides, I'd like my HTTPS certificate to be HSM-backed.

        It seems like I'm asking for too much. But at the very least, allow me to use non-exportable HTTPS certificates for Azure-based web sites, where the private key NEVER has to be on a DevOps person's workstation. That's just unnecessary attack surface.

      • Jev commented

        Hi Azure Networking team. Key Vault integration would be a welcome addition. Especially when using the ARM deployment model. Hence an ETA would be greatly appreciated!

      • Anonymous commented

        Hello, Azure Networking team. By when can we expect Key Vault support in Application Gateway?

      • KevBow commented

        We really need this too. Any ideas on timings in that plan? Q1/Q2/2019?
