How to use app service certificates with Application Gateway

App Service certificates
Managing certificates is a common task for an IT administrator, and almost everyone has experienced downtime or service issues because a certificate expired and there was no system in place to warn us; if you haven't, I question whether you really work in IT!
How can we resolve this? Azure lets you purchase App Service Certificates straight from the Azure Portal, which is great and gives us some really important benefits, since Azure handles the following for us:
- The purchase process from GoDaddy
- Domain verification of the certificate
- Storage of the certificate in Azure Key Vault
- Certificate renewal (this is a big one)
- Automatic synchronization of the certificate with the imported copies in App Service apps
Here is the issue we face though:
We have our web apps parked behind a load balancer such as Azure Application Gateway. You register listeners on the gateway that route traffic to the backend web apps you specify, and you pick which SSL certificate each listener uses.
The problem is that in the Azure Portal the listener only lets you choose Key Vault certificates, while an App Service Certificate is stored in Key Vault as a secret, so it never shows up in that list...
The good news is that we can fix this with PowerShell or the Azure CLI.
Enable Key Vault secrets with Application Gateway
You can find the PowerShell script I have taken from Microsoft Docs and modified slightly for readability and usability:
All you need to do is take the script, fill in the appropriate values in the parameter block and run it. I recommend running it line by line to have the most control.
Make sure you are logged in to your Azure account in PowerShell as well:
Connect-AzAccount
Set-AzContext -Subscription <subscription name or id>
Then run the script from the GitHub repo. From here you should be able to view your Key Vault secret in the Azure Portal and select it. Note that the script should already configure the steps below itself with the Set-AzApplicationGateway
command, but I found that it sometimes does not, and it is best to double-check:
- In the Azure Portal type Application gateways
- Select your gateway and in the left pane select Listeners
- Select your HTTPS listener and in the dropdown menu under Certificate you should now see your App Service Certificate
- Select the appropriate certificate and select Save
Browse to your hostname over HTTPS and verify that the browser presents the correct certificate.
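The essential steps such a script performs, as an added example written for this post (it is not the post's GitHub script or Microsoft's own code). The resource names are placeholders, and it assumes a v2 gateway with an existing HTTPS listener and an App Service Certificate that already lives in Key Vault. Two details matter for security and for renewals: the gateway identity gets only `get` on secrets, and the secret is referenced without a version so renewed certificates are picked up automatically.

```powershell
# Added example (not the post's GitHub script). All names below are placeholders.
$resourceGroupName = "rg-example"            # placeholder
$location          = "westeurope"            # placeholder
$appgwName         = "appgw-example"         # placeholder
$kvName            = "kv-example"            # placeholder
$secretName        = "my-app-service-cert"   # placeholder: the App Service Certificate secret
$certName          = "asc-listener-cert"     # name the gateway will give the certificate
$listenerName      = "https-listener"        # placeholder: your existing HTTPS listener

# 1. A user-assigned managed identity lets the gateway authenticate to Key Vault
#    without any stored credential.
$identity = New-AzUserAssignedIdentity -Name "appgw-identity" `
    -ResourceGroupName $resourceGroupName -Location $location

# 2. Least privilege: the identity only needs 'get' on secrets, nothing on keys
#    or certificates. (On an RBAC-enabled vault, assign the "Key Vault Secrets User"
#    role with New-AzRoleAssignment instead of an access policy.)
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $identity.PrincipalId `
    -PermissionsToSecrets get

# 3. Attach the identity to the gateway.
$appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $resourceGroupName
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $identity.Id | Out-Null

# 4. Reference the secret WITHOUT its version, so the gateway follows the
#    renewed certificate instead of pinning the version that exists today.
$secret   = Get-AzKeyVaultSecret -VaultName $kvName -Name $secretName
$secretId = $secret.Id.Replace($secret.Version, "")
Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $certName `
    -KeyVaultSecretId $secretId | Out-Null

# 5. Point the HTTPS listener at the new certificate, keeping its other settings.
$cert     = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $certName
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name $listenerName
$params = @{
    ApplicationGateway        = $appgw
    Name                      = $listenerName
    FrontendIPConfigurationId = $listener.FrontendIpConfiguration.Id
    FrontendPortId            = $listener.FrontendPort.Id
    Protocol                  = "Https"
    SslCertificate            = $cert
}
if ($listener.HostName) { $params.HostName = $listener.HostName }
Set-AzApplicationGatewayHttpListener @params | Out-Null

# 6. Nothing is applied until the gateway object is written back to Azure.
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

# Check: the certificate should now report a Key Vault secret id, not an uploaded PFX.
(Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $certName).KeyVaultSecretId
```

If the final check prints an empty value, the listener is still bound to an uploaded certificate and the portal steps above are needed.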