virtualMachineScaleSets osProfile certificateUrl should suport URL with default KeyVault secret version.
Certificate common name often is used with certificate autorotation when we get certificate by subject (Common Name) when Thumbprint may be different. When KeyVault generates new certificate it will provide a new KeyVault secret version and certificate Thumbprint. We use following setting (described in documentation) to set KeyVault certificate URL:
virtualMachineScaleSets/properties/virtualMachineProfile/osProfile/secrets/vaultCertificates/certificateUrl. However if we set certificate URL without KeyVault version then during Resource Manager template deployment we get the following error: "https://ourproductserver.vault.azure.net/secrets/sslcert/ is not a valid versioned Key Vault Secret URL. It should be in the format https://<vaultEndpoint>/secrets/<secretName>/<secretVersion>."
From key vault documentation we know that Key Vault Secret URL without version is used to get current secret version.
However osProfile doesn't accept passing Key Vault Secret URL without version. It makes using Certificate Common Name usage irritating my colleagues. We assume that you may influence to this restriction because it will make Service Fabric cluster deployment better.