Application Gateway + Key Vault, How to Set SSL certificate with Azure CLI.

Maciej
May 18, 2021

Introduction

The Application Gateway v2 SKU can pull its server (listener) certificates from Key Vault instead of having them uploaded directly. Two advantages follow: the certificate and private key are managed in one place, with Key Vault's access control and audit log, and renewal is less risky, because the gateway references the secret by an unversioned ID and picks up a new certificate version on its own instead of needing a manual re-upload.

More details can be found in the official documentation.

In this quick post, I will explain the procedure for registering an SSL certificate by linking Application Gateway and Key Vault using the Azure CLI.

Requirements

Before we start, we need the following in place:

  • Azure CLI installed and logged in
  • An existing Application Gateway (v2 SKU; the v1 SKU does not support Key Vault references)
  • An SSL certificate together with its private key (for example a PFX file and its password)

Let’s Start

Initial setting

  • Log in to Azure and select the subscription
az login
az account set -s "Visual Studio"
  • Create a Key Vault (newer Azure CLI releases enable soft delete by default and no longer accept the --enable-soft-delete flag; drop it if the command rejects it)
az keyvault create -n MyKeyVault -g ExampleResourceGroup --enable-soft-delete -l westus2
  • Create a user-assigned managed identity and capture its resource ID and principal (object) ID
az identity create -n appgw-id -g ExampleResourceGroup -l westus2
identityID=$(az identity show -n appgw-id -g ExampleResourceGroup -o tsv --query "id")
identityPrincipal=$(az identity show -n appgw-id -g ExampleResourceGroup -o tsv --query "principalId")
  • Assign the created managed ID to the Application Gateway
az network application-gateway identity assign \
--gateway-name TestAppGW \
--resource-group ExampleResourceGroup \
--identity $identityID
  • Grant the managed identity read access to the vault's secrets. The gateway only needs the "get" permission on secrets (a certificate's private key is exposed through its secret, not through the certificate object), so grant nothing more. If the vault uses the Azure RBAC permission model instead of access policies, set-policy will fail; assign the "Key Vault Secrets User" role to the identity on the vault scope instead.
az keyvault set-policy \
-n MyKeyVault \
-g ExampleResourceGroup \
--object-id $identityPrincipal \
--secret-permissions get
  • Import the SSL certificate into Key Vault and store the secret ID (sid) in a variable. The file must contain the private key (a PFX, or a PEM with the key), since the gateway terminates TLS with it. Application Gateway must be given the unversioned secret ID, otherwise it would stay pinned to this one version and a renewed certificate would never be picked up.
az keyvault certificate import  \
--file "ssl-certificate-file" \
--password "ssl-certificate-password" \
--name TestSSL \
--vault-name MyKeyVault
# sid has the form https://<vault>.vault.azure.net/secrets/TestSSL/<version>
versionedId=$(az keyvault certificate show -n TestSSL --vault-name MyKeyVault --query "sid" -o tsv)
# keep the first five '/'-separated fields, i.e. everything up to the secret name
unversionedId=$(echo $versionedId | cut -d'/' -f-5)
  • Register the certificate stored in the Key Vault with the Application Gateway
az network application-gateway ssl-cert create \
-n TestSSL \
--gateway-name TestAppGW \
--resource-group ExampleResourceGroup \
--key-vault-secret-id $unversionedId
  • Verify the SSL certificate on both sides; the gateway entry should show a keyVaultSecretId without a version suffix
#For Key Vault
az keyvault certificate list --vault-name MyKeyVault
#For APPGW
az network application-gateway ssl-cert list -g ExampleResourceGroup --gateway-name TestAppGW

Following the above procedure, the SSL Certificate will be registered with Application Gateway.
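The steps above, collected into one script as an added example (this is not code from the original post). It keeps the version-stripping logic in a separate function that refuses anything that is not a Key Vault secret URI, because `--key-vault-secret-id` must point at `/secrets/`, not at `/certificates/` or `/keys/`, and it finishes by checking that the gateway actually stored the unversioned reference. The resource names, the identity name `appgw-id` and the certificate path are the post's placeholders and assumptions; the Azure CLI calls are only executed when `register_appgw_cert` is invoked after `az login`.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Requires: az login already done.

# Reduce "https://<vault>.vault.azure.net/secrets/<name>/<version>" to
# "https://<vault>.vault.azure.net/secrets/<name>". An already-unversioned ID
# is returned unchanged. Anything that is not a /secrets/ URI is rejected,
# because Application Gateway only accepts secret IDs.
kv_unversioned_secret_id() {
    sid="$1"
    case "$sid" in
        https://*/secrets/*) ;;
        *) echo "not a Key Vault secret id: $sid" >&2; return 1 ;;
    esac
    # '/'-split fields: 1="https:" 2="" 3=host 4="secrets" 5=name 6=version
    name=$(printf '%s' "$sid" | cut -d'/' -f5)
    [ -n "$name" ] || { echo "missing secret name in: $sid" >&2; return 1; }
    printf '%s\n' "$sid" | cut -d'/' -f-5
}

# Full procedure from the post. Usage (all names are placeholders):
#   register_appgw_cert ExampleResourceGroup MyKeyVault TestAppGW TestSSL ./cert.pfx 'pfx-password'
register_appgw_cert() {
    rg="$1"; vault="$2"; gw="$3"; cert="$4"; file="$5"; pass="$6"
    id_name="appgw-id"   # assumed name for the user-assigned identity

    # Identity the gateway will use to read the vault (location defaults to the RG's)
    az identity create -n "$id_name" -g "$rg" -o none
    identity_id=$(az identity show -n "$id_name" -g "$rg" --query id -o tsv)
    principal=$(az identity show -n "$id_name" -g "$rg" --query principalId -o tsv)

    az network application-gateway identity assign \
        -g "$rg" --gateway-name "$gw" --identity "$identity_id" -o none

    # Least privilege: 'get' on secrets is all the gateway needs
    # (for an RBAC-model vault use the "Key Vault Secrets User" role instead).
    az keyvault set-policy -n "$vault" -g "$rg" \
        --object-id "$principal" --secret-permissions get -o none

    # The PFX carries the private key; it never has to be copied to the gateway by hand
    az keyvault certificate import --vault-name "$vault" --name "$cert" \
        --file "$file" --password "$pass" -o none

    versioned=$(az keyvault certificate show --vault-name "$vault" -n "$cert" --query sid -o tsv)
    unversioned=$(kv_unversioned_secret_id "$versioned") || return 1

    az network application-gateway ssl-cert create -g "$rg" --gateway-name "$gw" \
        -n "$cert" --key-vault-secret-id "$unversioned" -o none

    # Check the stored reference: with the unversioned ID, a renewed certificate
    # version in the vault is picked up by the gateway without a second deployment.
    stored=$(az network application-gateway ssl-cert show -g "$rg" --gateway-name "$gw" \
        -n "$cert" --query keyVaultSecretId -o tsv)
    [ "$stored" = "$unversioned" ] || {
        echo "gateway references $stored, expected $unversioned" >&2; return 1; }
    echo "registered $cert on $gw -> $unversioned"
}
```

Source the file and call `register_appgw_cert` with your own names; nothing is executed at load time, so the helper can be reused for other listeners or for checking existing gateway entries.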


Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.