elixir

Reputation: 193

Use App Service Certificate with Azure Application Gateway

I created an App Service Certificate in Azure to enable SSL for Application Gateway. I had already configured SSL on the Application Gateway with a self-signed .pfx certificate to test the functionality, but wanted to go with a more robust, auto-renewed and Microsoft-managed solution.

However, it seems that an "App Service Certificate" is not the same as a generic certificate and doesn't show up on the listener options config page on the Application Gateway when trying to add the cert from Key Vault to the Application Gateway.

Is there any way to re-use this certificate with the Application Gateway?

Upvotes: 6

Views: 5655

Answers (1)

Jak

Reputation: 106

I came across this today and found out that it is the 'Azure Portal' that is incapable of adding a certificate stored as a Key Vault secret. If you use Terraform/REST API/Az CLI etc., you can add a Key Vault secret to Application Gateway.

This is already documented by MS.

The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).

Again, there is a partially correct warning, which is only true for the 'Azure Portal':

Azure Application Gateway currently supports only Key Vault accounts in the same subscription as the Application Gateway resource. Choosing a key vault under a different subscription than your Application Gateway will result in a failure.

A simple but manual solution is to download the certificate from the Key Vault secret via the Azure Portal and upload it as a Key Vault certificate. You will need to do this again when the certificate is renewed.

Upvotes: 0
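
The Az CLI route mentioned in the answer above, as an added example that is not part of the original answer. It assumes an access-policy Key Vault and an existing user-assigned managed identity; the function names and all resource names are hypothetical placeholders, and the version is stripped from the secret ID so the gateway follows the renewed certificate instead of pinning one version.

```bash
#!/usr/bin/env bash
# Added example: function names and argument values are placeholders.

# Strip the trailing version segment from a Key Vault secret ID:
#   https://<vault>.vault.azure.net/secrets/<name>/<version>
#     -> https://<vault>.vault.azure.net/secrets/<name>
# Anything that is not a secret ID (e.g. a /certificates/ URL) is rejected.
versionless_secret_id() {
  local id="${1%/}"
  case "$id" in
    https://*/secrets/*/*) printf '%s\n' "${id%/*}" ;;
    https://*/secrets/*)   printf '%s\n' "$id" ;;
    *) echo "not a Key Vault secret ID: $1" >&2; return 1 ;;
  esac
}

# usage: attach_kv_secret_cert <rg> <gateway> <vault> <secret> <identity-id> <cert-name>
attach_kv_secret_cert() {
  local rg="$1" gw="$2" vault="$3" secret="$4" identity="$5" cert="$6"
  local principal sid

  # The gateway reads the secret as this user-assigned managed identity.
  az network application-gateway identity assign \
    --resource-group "$rg" --gateway-name "$gw" --identity "$identity" || return 1

  # Least privilege: only 'get' on secrets. (Assumes an access-policy vault;
  # an RBAC-mode vault needs a role assignment instead.)
  principal=$(az identity show --ids "$identity" --query principalId -o tsv) || return 1
  az keyvault set-policy --name "$vault" --object-id "$principal" \
    --secret-permissions get || return 1

  # Reference the secret without a version so renewals are picked up.
  sid=$(az keyvault secret show --vault-name "$vault" --name "$secret" \
    --query id -o tsv) || return 1
  sid=$(versionless_secret_id "$sid") || return 1

  az network application-gateway ssl-cert create \
    --resource-group "$rg" --gateway-name "$gw" --name "$cert" \
    --key-vault-secret-id "$sid"
}

# Runs only when all six arguments are supplied on the command line.
if [ "$#" -eq 6 ]; then
  attach_kv_secret_cert "$@"
fi
```

The listener is then pointed at the new SSL certificate name in the same way as for an uploaded .pfx.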
