Introduction
Application Gateway v2 SKU supports integration with Key Vault for server certificates. Keeping the SSL certificate in Key Vault and pointing the Application Gateway at it has two advantages: the certificate is managed in one place, and renewing it carries less risk because the gateway references the Key Vault secret rather than an uploaded copy.
More details can be found in the official documentation.
In this quick post, I will explain how to register an SSL certificate with Application Gateway from Key Vault using the Azure CLI.
Requirements
Before we start, the following should already be in place:
- Azure CLI
- Application Gateway v2
- SSL certificate
Let’s Start
Initial setting
- Log in to Azure and set the subscription
az login
az account set -s "Visual Studio"
- Create a Key Vault
az keyvault create -n MyKeyVault -g ExampleResourceGroup --enable-soft-delete -l westus2
- Create a user-assigned managed identity and store its resource ID and principal ID in variables
az identity create -n appgw-id -g ExampleResourceGroup -l westus2
identityID=$(az identity show -n appgw-id -g ExampleResourceGroup -o tsv --query "id")
identityPrincipal=$(az identity show -n appgw-id -g ExampleResourceGroup -o tsv --query "principalId")
- Assign the created managed identity to the Application Gateway
az network application-gateway identity assign \
--gateway-name TestAppGW \
--resource-group ExampleResourceGroup \
--identity $identityID
- Add the managed identity to your Key Vault access policy (it only needs "get" on secrets)
az keyvault set-policy \
-n MyKeyVault \
-g ExampleResourceGroup \
--object-id $identityPrincipal \
--secret-permissions get
- Import the SSL certificate into Key Vault and store the certificate SID (secret identifier) in a variable
az keyvault certificate import \
--file "ssl-certificate-file" \
--password "ssl-certificate-password" \
--name TestSSL \
--vault-name MyKeyVault
versionedId=$(az keyvault certificate show -n TestSSL --vault-name MyKeyVault --query "sid" -o tsv)
unversionedId=$(echo "$versionedId" | cut -d'/' -f-5)
- Register the certificate stored in Key Vault with the Application Gateway, using the unversioned secret ID so that the gateway follows renewed versions
az network application-gateway ssl-cert create \
-n TestSSL \
--gateway-name TestAppGW \
--resource-group ExampleResourceGroup \
--key-vault-secret-id $unversionedId
- Verify the SSL certificate
# For Key Vault
az keyvault certificate list --vault-name MyKeyVault
# For Application Gateway
az network application-gateway ssl-cert list -g ExampleResourceGroup --gateway-name TestAppGW
Following the above procedure, the SSL certificate is registered with Application Gateway through its Key Vault secret ID.
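As an added example (not part of the original post), the helper below reproduces the cut -d'/' -f-5 step from the import section as a checked shell function: it verifies that the value really is a Key Vault secret URI and strips the version segment, so a wrong ID fails before it is handed to az network application-gateway ssl-cert create. The vault name and version string in the comments are constructed placeholders.

```shell
#!/usr/bin/env sh
# Constructed example, not code from the original post.
# "az keyvault certificate show --query sid" returns a versioned secret URI:
#   https://<vault>.vault.azure.net/secrets/<name>/<version>
# Application Gateway is given the secret (not the /certificates/ URI), and
# referencing it WITHOUT the version lets the gateway follow renewals.

# Print the unversioned form of a Key Vault secret ID, or fail with a message.
# Accepts both the versioned and the already-unversioned form.
unversioned_secret_id() {
    id=$1
    # Only https URIs under a *.vault.azure.net /secrets/ path are accepted;
    # a /certificates/ URI (a common mix-up) is rejected here.
    case "$id" in
        https://*.vault.azure.net/secrets/*) ;;
        *) echo "not a Key Vault secret ID: $id" >&2; return 1 ;;
    esac
    # Fields split on '/': "https:", "", host, "secrets", name, [version]
    unversioned=$(printf '%s' "$id" | cut -d'/' -f-5)
    # The name segment must be present (rejects .../secrets/ and .../secrets//v1)
    name=$(printf '%s' "$unversioned" | cut -d'/' -f5)
    [ -n "$name" ] || { echo "missing secret name in: $id" >&2; return 1; }
    printf '%s\n' "$unversioned"
}

# Succeed if the ID still carries a version segment (sixth '/' field).
is_versioned_secret_id() {
    version=$(printf '%s' "$1" | cut -d'/' -f6)
    [ -n "$version" ]
}

# Typical use in the procedure above (constructed placeholder values):
#   versionedId='https://myvault.vault.azure.net/secrets/TestSSL/0123456789abcdef'
#   unversionedId=$(unversioned_secret_id "$versionedId") || exit 1
```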