How can we improve Azure Networking?

Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps in a single place.

482 votes

Mike Webber shared this idea

Admin response:

This is available now. Now users can reference SSL certificates from Key Vault in the Application Gateway. Also, it periodically checks for any updated certificate in the Key Vault and updates the certificate automatically (auto renewal). Read more about it here: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

Note: This is only supported for SSL Certificates in the listener and not for Backend authentication certificates or Trusted root certificates.
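As an added example (not part of this page and not Microsoft's own code), the Azure PowerShell steps that carry out what the admin response describes: give the gateway a managed identity, grant that identity read access to the vault's secrets, and point a listener at the certificate by its Key Vault secret identifier instead of an uploaded PFX. Every resource name below (resource group, vault, certificate, gateway, listener, identity) is an assumed placeholder; the cmdlets are those of the Az module.

```powershell
# Added example, not the page's or Microsoft's own code. All names are assumed placeholders.
$rg       = 'rg-example'
$location = 'westeurope'
$vault    = 'kv-example'          # Key Vault that already holds the certificate
$certName = 'www-example-com'     # Key Vault certificate name (PFX/PKCS#12 content)
$gwName   = 'agw-example'         # existing Application Gateway
$listener = 'https-listener'      # existing HTTPS listener to re-point at the vault certificate

# 1. A user-assigned managed identity is the principal the gateway uses to read the vault.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-agw-keyvault' -Location $location

# 2. Least privilege: the gateway reads the certificate through the secret endpoint,
#    so 'get' on secrets is the only permission it needs. Grant it before committing
#    the gateway change, otherwise the reference cannot be validated.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# 3. Attach the identity to the gateway.
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
Set-AzApplicationGatewayIdentity -ApplicationGateway $gw -UserAssignedIdentityId $identity.Id

# 4. Reference the certificate by its versionless secret id. With the version stripped,
#    the gateway's periodic check picks up a renewed certificate without a redeploy;
#    a versioned id would pin the listener to that one version.
$secret   = Get-AzKeyVaultSecret -VaultName $vault -Name $certName
$secretId = $secret.Id.Replace("/$($secret.Version)", '')   # e.g. https://kv-example.vault.azure.net/secrets/www-example-com
$gw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'cert-from-keyvault' -KeyVaultSecretId $secretId

# 5. Re-point the listener at the new certificate entry, keeping its existing frontend IP and port.
$sslCert  = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'cert-from-keyvault'
$existing = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name $listener
$gw = Set-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name $listener `
        -FrontendIPConfigurationId $existing.FrontendIpConfiguration.Id `
        -FrontendPortId $existing.FrontendPort.Id `
        -Protocol Https -SslCertificateId $sslCert.Id

# 6. Commit and verify: the stored certificate entry should carry the Key Vault reference,
#    not inline certificate data, which is the whole point of the feature.
$gw    = Set-AzApplicationGateway -ApplicationGateway $gw
$check = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'cert-from-keyvault'
if ($check.KeyVaultSecretId -ne $secretId) { throw "Listener certificate is not referencing Key Vault" }
```

This only changes the listener certificate, which matches the admin's note above: backend authentication certificates and trusted root certificates are not covered by the Key Vault reference and still have to be supplied directly. The check in the last step is worth keeping in deployment scripts, since a gateway whose certificate entry contains inline data rather than a KeyVaultSecretId means a PFX was exported and uploaded somewhere along the way.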

26 comments

  • avs-it commented

    +1 for Joe H's comment. I'd like to upload my Wildcard SSL Cert from an outside provider that I am using on other servers and provide this to my developers via the Key Vault. They can access the cert from the vault using the Azure API, however, they cannot bind it to the app service to complete the process. Manually using the PFX of the same cert works without issues when binding to the app service directly.

  • Jan Fruseth commented

    What's the status? A year has gone by since it was planned and there has been no update at all. Please, at least give us a status. Microsoft tells us all the time that Key Vault is the only preferred place to store secrets, but since App Gateway cannot use a cert/PFX to install/renew directly from Key Vault, we must depend on someone's brain; too bad.

  • Craig commented

    Until this is implemented by MS, you can export the public and private keys from the .cer and .pfx into a Base64 string, then copy the string into Key Vault as a "Secret", and this can be referenced within your ARM template parameters file. I've done this a few times and it works perfectly :)

  • James S. commented

    Wait, seriously? There's this amazing framework we're encouraged to use for storing secret keys and certificates securely yet we can't use it with Application Gateway?? A must have add for sure. +1 x 1,000,000

  • Anonymous commented

    I am surprised this doesn't have more votes. The App Service Certificate terribly loses its value by not giving the front end direct access to use it.

  • Anonymous commented

    Application Gateways not able to access the certificate from Azure Key Vault is a security problem because of the need to export a PFX.
    It also greatly diminishes the value of the higher price of an Azure App Service Certificate (ASC). It is no more secure than going to any other CA at this point who can charge far less for a certificate of the same value.

  • Greg Lloyd commented

    Updates? This is a seriously needed feature. Especially for automation to prevent downtime for applications.

  • Corey Zwart commented

    Any updates? Would love to be able to administer the certificates in a central place rather than every deployed Application Gateway.

  • Joe H commented

    SSL certificate private key portions are CONSTANTLY exposed on some DevOps workstation, because App Services don't support the generation of a CSR.

    KeyVault supports that -- but when I create an SSL certificate via KeyVault, I can't use it directly in an AppService without allowing the entire certificate to be exported - with its private key portion.

    Back to square one.

    Besides, I'd like my HTTPS certificate to be HSM-backed.

    It seems like I'm asking for too much. But at the very least, allow me to use non-exportable HTTPS certificates for Azure-based web sites, where the private key NEVER has to be on a DevOps person's workstation. That's just unnecessary attack surface.
