Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway
Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret, and App Service will periodically check the Key Vault for an updated SSL certificate. Application Gateway needs the same support for SSL certificates stored in Key Vault: it should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability would allow SSL certificates for Application Gateway and Web Apps to be managed in a single place.

This is available now. Users can now reference SSL certificates from Key Vault in the Application Gateway. It also periodically checks for any updated certificate in the Key Vault and updates the certificate automatically (auto renewal). Read more about it here: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs
Note: This is only supported for SSL Certificates in the listener and not for Backend authentication certificates or Trusted root certificates.
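The flow the update above describes (the gateway reads the certificate from Key Vault by reference and picks up renewals itself), as an added Azure CLI example that is not part of the original page or of Microsoft's documentation. The resource and listener names are placeholders, and the versionless-URI check is my own guard around the CLI calls, not an Azure feature.

```shell
#!/bin/sh
# Added example, not code from the original page or from Microsoft: attaches a
# Key Vault certificate to an existing Application Gateway v2 listener by reference.
# Resource names (my-rg, my-appgw, appGatewayHttpsListener, ...) are placeholders;
# the az commands are the public Azure CLI ones and need an authenticated session.
set -eu

# Application Gateway re-reads the secret periodically, but only a versionless
# reference lets it pick up a renewed certificate: a URI that pins
# .../secrets/<name>/<version> keeps the listener on that version until it expires.
kv_secret_id_is_versionless() {
  id="${1%/}"                                          # tolerate one trailing slash
  case "$id" in
    https://*.vault.azure.net/secrets/*/*) return 1 ;;  # version pinned: reject
    https://*.vault.azure.net/secrets/?*)  return 0 ;;  # versionless: accept
    *) return 1 ;;                                      # not a Key Vault secret URI
  esac
}

# A Key Vault certificate is also exposed as a secret holding its PFX; that secret
# URI is what the gateway consumes.
kv_cert_secret_id() {
  printf 'https://%s.vault.azure.net/secrets/%s' "$1" "$2"
}

# Usage: configure_appgw_kv_cert <rg> <gateway> <vault> <cert-name> <identity-name>
configure_appgw_kv_cert() {
  rg="$1"; gw="$2"; vault="$3"; cert="$4"; identity="$5"
  secret_id="$(kv_cert_secret_id "$vault" "$cert")"
  kv_secret_id_is_versionless "$secret_id" || { echo "refusing pinned secret id" >&2; return 1; }

  # The gateway authenticates to Key Vault with a user-assigned managed identity, so
  # neither the PFX nor its password passes through a template parameter or a workstation.
  identity_id="$(az identity show -g "$rg" -n "$identity" --query id -o tsv)"
  principal_id="$(az identity show -g "$rg" -n "$identity" --query principalId -o tsv)"
  az network application-gateway identity assign -g "$rg" --gateway-name "$gw" --identity "$identity_id"

  # Least privilege: the identity only needs to read secrets, not manage keys or the vault.
  az keyvault set-policy -n "$vault" --object-id "$principal_id" --secret-permissions get

  # Register the certificate by reference, then bind it to the HTTPS listener by name.
  az network application-gateway ssl-cert create -g "$rg" --gateway-name "$gw" \
    -n "${cert}-kv" --key-vault-secret-id "$secret_id"
  az network application-gateway http-listener update -g "$rg" --gateway-name "$gw" \
    -n appGatewayHttpsListener --ssl-cert "${cert}-kv"
}

# Example invocation (commented out so the file can be sourced offline for its functions):
# configure_appgw_kv_cert my-rg my-appgw my-vault my-cert appgw-identity
```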
26 comments
-
avs-it commented
+1 for Joe H's comment. I'd like to upload my Wildcard SSL Cert from an outside provider that I am using on other servers and provide this to my developers via the Key Vault. They can access the cert from the vault using the Azure API, however, they cannot bind it to the app service to complete the process. Manually using the PFX of the same cert works without issues when binding to the app service directly.
-
Andy commented
When do you plan to announce it?
-
Jan Fruseth commented
What's the status? A year has gone by since it was planned and no update at all. Please, at least give us a status. The only preferred place to store secrets is Key Vault, Microsoft tells us all the time, but since App Gateway cannot use the cert/PFX to install/renew directly from Key Vault, we must depend on someone's brain. Too bad.
-
Craig commented
Until this is implemented by MS, you can export the public and private keys from the .cer and .pfx into a Base64 string, then copy the string into Key Vault as a "Secret", and this can be referenced within your ARM template parameters file. I've done this a few times and it works perfectly :)
-
James S. commented
Wait, seriously? There's this amazing framework we're encouraged to use for storing secret keys and certificates securely yet we can't use it with Application Gateway?? A must have add for sure. +1 x 1,000,000
-
Shahid Iqbal commented
Yes, an update to this would be great - perhaps this is an appgw v2 feature?
-
sachin commented
This seems like a Must Have feature. ETA Please.
-
Anonymous commented
Can we get an ETA? This seems like a huge gap in the app gateway
-
Anonymous commented
I am surprised this doesn't have more votes. The App Service Certificate terribly loses its value by not giving the front end direct access to use it.
-
Anonymous commented
Any updates on this?
-
Tom Stones commented
+1
-
Yohan S. commented
Any update on this feature, please?
-
Anonymous commented
Application Gateways not being able to access the certificate from Azure Key Vault is a security problem because of the need to export a PFX.
It also greatly diminishes the value of the higher price of an Azure App Service Certificate (ASC). It is no more secure than going to any other CA at this point, who can charge far less for a certificate of the same value.
-
Greg Lloyd commented
Updates? This is a seriously needed feature. Especially for automation to prevent downtime for applications.
-
Corey Zwart commented
Any updates? Would love to be able to administer the certificates in a central place rather than every deployed Application Gateway.
-
John Gilmartin commented
Pleased to see this is on the roadmap, but disappointed to see that it has been so since 2016 and is still not available. With this item and the very similar one https://feedback.azure.com/forums/217313-networking/suggestions/17205926-integration-with-key-vault-certificates there is plenty of demand, us included.
-
Max Khon commented
+1
-
Jens Peter Secher commented
+1
-
Richard J commented
Hi Microsoft,
What is the ETA for this?
-
Joe H commented
SSL certificate private key portions are CONSTANTLY exposed on some DevOps workstation, because App Services don't support the generation of a CSR.
KeyVault supports that -- but when I create an SSL certificate via KeyVault, I can't use it directly in an AppService without allowing the entire certificate to be exported - with its private key portion.
Back to square one.
Besides, I'd like my HTTPS certificate to be HSM-backed.
It seems like I'm asking for too much. But at the very least, allow me to use non-exportable HTTPS certificates for Azure-based web sites, where the private key NEVER has to be on a DevOps person's workstation. That's just unnecessary attack surface.