This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 77%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
I am encountering an issue while attempting to add an HTTPS certificate stored in Key Vault to Azure FrontDoor Classic. The specific error message I receive is as follows:
"Error: We were unable to read the private key for the certificate provided. The server (leaf) certificate private key may be corrupted."
Interestingly, when I utilize Azure FrontDoor Standard, I can successfully add the same certificate without any problems. This issue seems to be isolated to Azure FrontDoor Classic.
I would greatly appreciate any assistance or insights into resolving this issue. Thank you very much.
Hello @楊 済光 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you are unable to add an HTTPS certificate stored in Key Vault to Azure Front Door Classic as it fails with an error "We were unable to read the private key for the certificate provided. The server (leaf) certificate private key may be corrupted".
However, you are able to successfully add the same certificate to Azure Front Door Standard.
Since the same certificate is working with Azure Front Door Standard, I'm assuming the certificate has no issues and it is from a PFX file, which uses the application/x-pkcs12 content type. And the certificate is uploaded as a certificate object, rather than a secret, which was created as a complete certificate chain with an allowed certificate authority (CA).
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/domain#certificate-requirements
So, let us first check a few details to make sure that the configuration is correct.
So, make sure that the Application Id of Azure Front Door Classic is registered as below:
Azure PowerShell:
New-AzADServicePrincipal -ApplicationId "ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
Azure CLI:
az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037
Also, make sure that your Azure Front Door Classic has access to your key vault following the below doc:
I've also seen this error when there are improper store flags while importing the certificate to either remove password or during upload to key vault. So, if the above configuration is done properly, we will proceed further to validate the certificate.
Regards,
Gita
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Dear @GitaraniSharma-MSFT ,
I would like to express my sincere gratitude for your prompt response to my inquiry regarding the error I encountered while attempting to retrieve an SSL certificate. Your assistance is greatly appreciated.
I wanted to provide some additional information regarding the issue. As per your suggestion, we followed the method described in your documentation to set the permissions for the key vault. Specifically, we granted the "get-secret" permission to the service principal with the object ID ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037. However, despite implementing these steps, we are still encountering the same error.
Furthermore, I would like to mention that this error has only recently emerged. Until at least two weeks ago, we were able to successfully retrieve the certificates stored in the key vault without any issues.
Lastly, I would like to confirm that the certificates stored in the key vault are indeed in PFX format, as you mentioned. Additionally, they meet all the legitimate requirements outlined in the documentation.
Once again, thank you for your assistance and prompt attention to this matter. I look forward to any further guidance or suggestions you may have to help us resolve this issue.
Best regards,
楊済光
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 87%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I currently have a support ticket open for exactly this issue.
"Failed to update the custom https configuration for the frontend host '......'. Error: We were unable to read the private key for the certificate provided. The server (leaf) certificate private key may be corrupted."
Existing certs generated with the same script are OK
Cert works on standard, and app gateway, but not classic
Issue is able to be replicated in a different subscription
I suspect a change in the last 4-6weeks (perhaps related to the AFD stricter certificate validation change??)
I'll post an update when I have new information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 62%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERO%3C/text%3E%3C/svg%3E)
I'm having the exact same issue with FrontDoor Classic.
I'm having it with wildcard domains that I need to bind using our own certificates.
I've also tried unbinding and re-binding the exact same certificate that were bound and worked correctly and this fails with the aforementioned error.
Hello @楊 済光 ,
Thank you for sharing the additional details.
This seems to be an ongoing issue/bug with multiple customers.
I'm following up with the Azure Front Door Product Group team regarding this issue. I will get back to you as soon as I get an update on this.
Regards,
Gita
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 57.00000000000001%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I'm seeing this too. First noticed it last Friday (23rd) June. Up to that point there was no issue with Front Door Classic enabling https on the provided domain, using a cert in KeyVault.
I have gone through the following checklist and there is nothing unusual or wrong:
It would seem the issue was caused by a recent change to Frontdoor classic. I believe the issue is now fixed and (for me at least) certs can now be provisioned from keyvault
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 35%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Yes, its true.
My problem was solved too.
I can set my certificate on my subdomains on frontdoor (Classic) now.
Thanks for update Carlos.
This is now working for me too.
Hello @楊 済光 ,
I understand that you were unable to add an HTTPS certificate stored in Key Vault to Azure Front Door Classic as it was failing with an error "We were unable to read the private key for the certificate provided. The server (leaf) certificate private key may be corrupted".
I checked internally and found that this is an ongoing issue affecting multiple customers.
I reached to the Azure Front Door Product Group team for more information and below is the update:
The Azure Front Door team mentioned that there was a recent deployment which caused this issue, so they have rolled back that deployment now. And you should be able to add HTTPS certificate from Key Vault to Azure Front Door Classic without any issues.
Request you to try to add the certificate again and let us know if you face any issues.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I am having a similar issue with Microsoft Frontdoor Standard where I am not able to import the certificate from the Azure key vault
az keyvault secret show --name <name> --vault-name <vault name> --query contentType
"application/x-pkcs12"
Code="BadRequest" Message="The secret contains an unsupported content type. The content type needs to be application/x-pkcs12."
Any help with this is much appreciated.
Hello @Anonymous ,
Please make sure that your certificate meets the below requirements:
application/x-pkcs12 content type.Regards,
Gita