Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Networking?

← Networking

Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps in a single place.

482 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Webber,Michael T. shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
completed  ·  AdminAzure Networking Team (Product Manager, Microsoft Azure) responded  · 

This is available now. Now users can reference SSL certificates from Key Vault in the Application Gateway. Also, it periodically checks for any updated certificate in the Key Vault and updates the certificate automatically (auto renewal). Read more about it here: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

Note: This is only supported for SSL Certificates in the listener and not for Backend authentication certificates or Trusted root certificates.

Show previous admin responses (2)

31 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Bojan commented  ·   ·  Flag as inappropriate

    I don't see this is currently supported on Application Gateway, can anyone confirm from Azure Networking Team?

  • Sam K commented  ·   ·  Flag as inappropriate

    This request is NOT completed - manually uploading a CER file for HTTP backend is not sustainable for IaC scenario...

  • Omar Sourour commented  ·   ·  Flag as inappropriate

    Hello,

    Is there anyway to have the SSL certificate for backend authentication read from KeyVault? Currently, when I try doing deploying an application gateway using EV2, it gives me an invalid certificate data error. I have to manually download the certificate from Keyvault, export its root certificate, and then reupload it to the gateway.

  • Anonymous commented  ·   ·  Flag as inappropriate

    im currently being told by support that the very thing we asked for - which is marked as completed - is not a feature of app gateway.

    oh - and it wont let me log in with my corp account right now... haha MS.

  • Andy commented  ·   ·  Flag as inappropriate

    Whilst it's great that KV certs are supported for the listener, the work that was delivered doesn't actually meet the request... the equest specificall said about supporting certificaes in KV for the back-end... So it's not actually completed, it's partially done.

    Are there any plans to get it working for the BEP too?

    Cheers

  • avs-it commented  ·   ·  Flag as inappropriate

    +1 for Joe H's comment. I'd like to upload my Wildcard SSL Cert from an outside provider that I am using on other servers and provide this to my developers via the Key Vault. They can access the cert from the vault using the Azure API, however, they cannot bind it to the app service to complete the process. Manually using the PFX of the same cert works without issues when binding to the app service directly.

  • Jan Fruseth commented  ·   ·  Flag as inappropriate

    What's the status? A year has gone since it was planned and no update at all. Please, at least give us a status. The only preferred place to store secrets is key vault Microsoft tell us all the time, but since App Gateway not can use cert, pfx to install/renew directly from key vault, we must depend on someones brain, to bad.

  • Craig commented  ·   ·  Flag as inappropriate

    Until this is implemented by MS, you can export the public and private keys from the .cer and .pfx into Base64 String, then copy the string code into Key Vault as a "Secret" and this can be referenced within your ARM Template Parameters file, I've done this a few times and works perfectly :)

  • James S. commented  ·   ·  Flag as inappropriate

    Wait, seriously? There's this amazing framework we're encouraged to use for storing secret keys and certificates securely yet we can't use it with Application Gateway?? A must have add for sure. +1 x 1,000,000

  • Anonymous commented  ·   ·  Flag as inappropriate

    I am surprised this doesn't have more votes. The App Service Certificate terribly loses its value by not giving the front end direct access to use it.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Application Gateways not able to access the certificate from Azure Key Vault is a security problem because of the need to export a PFX.
    It also greatly diminishes the value of the higher price of an Azure App Service Certificate (ASC). It is no more secure than going to any other CA at this point who can charge far less for a certificate of the same value.

  • Greg Lloyd commented  ·   ·  Flag as inappropriate

    Updates? This is a seriously needed feature. Especially for automation to prevent downtime for applications.

  • Corey Zwart commented  ·   ·  Flag as inappropriate

    Any updates? Would love to be able to administer the certificates in a central place rather than every deployed Application Gateway.

← Previous 1

Networking: Application Gateway

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice