Using Key Vault for a backend root cert in Application Gateway

Eric Hodges 46 Reputation points
2022-02-22T21:47:40.78+00:00

I am setting up an Application Gateway that uses TLS on the backend to talk to members of a VM Scale Set. I have this all in a bicep template and it works - I pass the root certificate into the template as a parameter. However, I would rather keep the certificate in a Key Vault instead of passing it in like this. I notice that in the App Gateway declaration, the trustedRootCertificates object will take a Properties parameter named "keyVaultSecretId". This implies to me that it should work to retrieve the trusted root certificate from Key Vault.

However, it does not seem that I can import a certificate without a private key into KV. (Indeed, the FAQ says you cannot.) So how do I make use of the keyVaultSecretId? Do I create a Secret in the KV rather than a Certificate, with the base64 public key as the Value?

Thanks,
Eric


1 answer

Eric Hodges 46 Reputation points
2022-02-23T13:58:26.81+00:00

I was able to get this working. In order to use a keyvault for the backend root certificate:

1. Put the public key in a keyvault as the value of a Secret (not a Certificate). No header, footer, or line breaks.
2. In your App Gateway template, insert a trustedRootCertificates block, and in Properties, use the keyVaultSecretId key. Its value will be the full path to the secret (https://<keyvaulturl>/secrets/<secretname>).
3. Reference the above in the backendHTTPSettingsCollection portion of the App Gateway.
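Bicep fragment added here as a worked example (not the poster's template) that wires steps 2 and 3 together with the piece the answer leaves implicit: a v2 gateway fetches a keyVaultSecretId through a user-assigned managed identity, so that identity needs `get` on secrets and nothing more. It assumes a Standard_v2 gateway, that the secret named by `rootCertSecretName` already holds the base64 body from step 1, that the listeners, pools, rules and IP configurations already exist in your template, and the resource names (`agw-backend-tls`, `id-agw`, `backend-root-ca`, `https-settings`) are placeholders.

```bicep
param location string = resourceGroup().location
param keyVaultName string
param rootCertSecretName string // secret whose value is the base64 DER body of the root CA (step 1)
var agwName = 'agw-backend-tls'
var rootCertName = 'backend-root-ca'
// Identity the gateway presents to Key Vault when it fetches the secret
resource agwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { name: 'id-agw', location: location }
resource kv 'Microsoft.KeyVault/vaults@2021-10-01' existing = { name: keyVaultName }
// Least privilege: 'get' on secrets is all the gateway needs to read a root certificate
resource kvPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2021-10-01' = {
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [ {
      tenantId: agwIdentity.properties.tenantId
      objectId: agwIdentity.properties.principalId
      permissions: { secrets: [ 'get' ] }
    } ]
  }
}
resource agw 'Microsoft.Network/applicationGateways@2021-05-01' = {
  name: agwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${agwIdentity.id}': {} } }
  dependsOn: [ kvPolicy ] // the policy must exist before the gateway first reads the secret
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    // Step 2: trusted root cert sourced from Key Vault (vaultUri already ends with '/')
    trustedRootCertificates: [ {
      name: rootCertName
      properties: { keyVaultSecretId: '${kv.properties.vaultUri}secrets/${rootCertSecretName}' }
    } ]
    // Step 3: backend HTTPS settings reference that root by resource id
    backendHttpSettingsCollection: [ {
      name: 'https-settings'
      properties: {
        port: 443
        protocol: 'Https'
        cookieBasedAffinity: 'Disabled'
        pickHostNameFromBackendAddress: true // the backend cert must match the VMSS member host name
        trustedRootCertificates: [ { id: resourceId('Microsoft.Network/applicationGateways/trustedRootCertificates', agwName, rootCertName) } ]
      }
    } ]
    // gatewayIPConfigurations, frontendIPConfigurations, frontendPorts, backendAddressPools,
    // httpListeners and requestRoutingRules are also required and unchanged from a plain deployment
  }
}
```

Leaving the version out of the secret URL lets the gateway pick up a rotated root without a redeploy; the backend certificate chain must still be issued by that root and match the host name the probe uses.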
