Reputation: 11
My understanding is that updating/renewing a certificate that is stored in Azure Key Vault would be automatically refreshed, though it might take a couple of days. As I learned today, that's not the case. I'm hoping I just missed something.
My Azure Application Gateway's listeners are all using certificates from the same Azure Key Vault. When certificates are renewed, I see that the current version is my renewed certificate and the older versions are disabled, as expected.
It seems like I'm missing something to trigger the application gateway to see that there is a new version of the certificate in the key vault.
Upvotes: 1
Views: 6183
Reputation: 111
This is an old post, but I thought I might clarify with the correct answer. When secure listeners are added via the Azure portal and linked to a key vault certificate, the listener's KeyVaultSecretID includes the Version of the certificate. With the version applied to the KeyVaultSecretID, app gateway assumes you always want that certificate.
The solution is to use PowerShell and truncate the Version from the listener's KeyVaultSecretID. The listener keeps track of the Version separately, so now when the app gateway checks the key vault certificate, it will sync if it finds a newer version.
In my mind, this is a bug in the Azure portal, since it shouldn't be saving the Version in listener.KeyVaultSecretID when it is already saving it in listener.Version.
Upvotes: 4
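As an added example (not the answer author's script), this PowerShell snippet performs the truncation described in the answer above: it walks every SSL certificate on the gateway, strips the trailing version segment from any versioned Key Vault secret identifier, and commits the result. It assumes the Az.Network module and an authenticated session; the resource group and gateway names are placeholders.

```powershell
# Added example: make Application Gateway Key Vault references versionless so the
# gateway picks up renewed certificate versions instead of pinning one version.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
# Resource group and gateway names are placeholders; replace with your own.
$resourceGroup = 'rg-example'
$gatewayName   = 'agw-example'

# Versioned ID:    https://<vault>.vault.azure.net/secrets/<name>/<32-hex-version>
# Versionless ID:  https://<vault>.vault.azure.net/secrets/<name>
# Only the trailing 32-hex version segment is removed; the rest is left untouched.
$versionPattern = '/[0-9a-fA-F]{32}$'

$gw = Get-AzApplicationGateway -Name $gatewayName -ResourceGroupName $resourceGroup
$changed = 0

foreach ($cert in Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw) {
    $secretId = $cert.KeyVaultSecretId
    if (-not $secretId) {
        # Certificate was uploaded as PFX data rather than referenced from Key Vault.
        Write-Host "Skipping '$($cert.Name)': not a Key Vault reference"
        continue
    }
    if ($secretId -notmatch $versionPattern) {
        Write-Host "OK '$($cert.Name)': already versionless ($secretId)"
        continue
    }
    $versionless = $secretId -replace $versionPattern, ''
    Write-Host "Updating '$($cert.Name)': $secretId -> $versionless"
    # Replace the reference in the local gateway object; nothing is sent to Azure yet.
    $gw = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $gw `
            -Name $cert.Name -KeyVaultSecretId $versionless
    $changed++
}

if ($changed -gt 0) {
    # Commit all changed references in one update (this can take several minutes).
    Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
    Write-Host "Committed $changed reference(s); the gateway will now poll Key Vault for new versions."
} else {
    Write-Host 'No versioned references found; nothing to change.'
}
```

Run it once after the initial portal configuration; afterwards renewals in Key Vault are picked up without further changes to the gateway, provided the gateway's identity still has permission to read the secret.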
Reputation: 161
According to MS, this should happen every 4 hours. See here: TLS termination with Key Vault certificates, https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs
If that isn't working properly, I'd contact Microsoft support.
Upvotes: 3