How to use app service certificates with Application Gateway

App Service certificates

Managing certificates is a common task for an IT administrator, and almost everyone has experienced downtime and service issues because a certificate expired and no system was in place to warn us about it. If you haven't, I question whether you really work in IT!

How can we resolve this? Azure lets you purchase App Service Certificates straight from the Azure Portal, which is great and brings some really important benefits, because Azure handles the following for us:

  • The purchase process from GoDaddy
  • Domain verification of the certificate
  • Storage of the certificate in Azure Key Vault
  • Certificate renewal (this is a big one)
  • Automatic synchronization of the certificate with the imported copies in App Service apps

Here is the issue we face though:

Our web apps sit behind a load balancer such as Azure Application Gateway. You register listeners on the Application Gateway that forward traffic to the backend web apps you specify, and you pick which SSL certificate each listener should use.

The problem is that the Azure Portal only shows Key Vault certificates, and App Service certificates are stored in Key Vault as secrets, not certificates. That is a problem...

The good news is that we can fix this with PowerShell or the Azure CLI.

Enable key vault secrets with Application Gateway

Here is the PowerShell script, which I took from Microsoft Docs and modified slightly for readability and usability:

GitHub - carlzxc71/application_gateway_enable_secrets

All you want to do is take the script and fill in the appropriate values in the parameter-block and run the script. I recommend running line by line to have the most control.

Make sure you are logged in to your Azure account in PowerShell as well:

Connect-AzAccount
Set-AzContext -Subscription <subscription name or id>
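To show what the script does step by step, here is an added example of my own (it is not the script from the repository above); every value in the param block is a placeholder you replace with your own resource names, and it assumes the Az.ManagedServiceIdentity, Az.KeyVault and Az.Network modules are installed:

```powershell
# Added example (not the repo script): Az PowerShell calls that let an
# Application Gateway read an App Service Certificate that Key Vault stores
# as a secret. All values below are placeholders, not real resource names.
param(
    [string]$ResourceGroup   = "<resource group>",
    [string]$Location        = "<azure region>",
    [string]$VaultName       = "<key vault name>",
    [string]$SecretName      = "<app service certificate secret name>",
    [string]$GatewayName     = "<application gateway name>",
    [string]$IdentityName    = "<managed identity name>",
    [string]$CertificateName = "<name for the certificate on the gateway>"
)

# 1. A user-assigned managed identity is what the gateway uses to reach Key Vault.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup `
    -Name $IdentityName -Location $Location

# 2. Least privilege: the identity only needs 'get' on secrets, nothing more.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $identity.PrincipalId `
    -PermissionsToSecrets get

# 3. Reference the secret WITHOUT its version, so the gateway follows renewals
#    instead of being pinned to today's copy of the certificate.
$secret   = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
$secretId = $secret.Id.Replace($secret.Version, "")

# 4. Attach the identity to the gateway and register the secret as an SSL certificate.
$appgw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw `
    -UserAssignedIdentityId $identity.Id
Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
    -Name $CertificateName -KeyVaultSecretId $secretId

# 5. Nothing is applied until the modified gateway object is written back.
Set-AzApplicationGateway -ApplicationGateway $appgw

# 6. Check: re-read the gateway and confirm the certificate points at the
#    versionless secret id; stop here if it does not.
$appgw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$cert  = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $CertificateName
if ($cert.KeyVaultSecretId -ne $secretId) {
    throw "Gateway certificate '$CertificateName' is not linked to $secretId"
}
```

If step 6 throws, the usual causes are the access policy not yet having propagated or the Key Vault firewall blocking the gateway, so re-run the check after a short wait before changing anything else.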

Then run the script from the GitHub repo. Afterwards you should be able to view your Key Vault secret in the Azure Portal and select it. Note that the script should already configure the steps below through the Set-AzApplicationGateway command, but I have found that it sometimes does not, so it is best to double-check:

  1. In the Azure Portal search for Application gateways
  2. Select your gateway and in the left pane select Listeners
  3. Select your HTTPS listener and in the dropdown menu under Certificate you should now see your App Service Certificate
  4. Select the appropriate certificate and select Save

Surf to your hostname using HTTPS and verify that the browser is presenting the correct certificate.

Reference

Azure App Service Certificate: notes on how to use App Service Certificates
TLS termination with Azure Key Vault certificates: integrating Azure Application Gateway with Key Vault for server certificates attached to HTTPS-enabled listeners
Add and manage TLS/SSL certificates - Azure App Service: creating a free certificate, importing an App Service or Key Vault certificate, or buying an App Service certificate
