
Using RSA-HSM Certificates from Key Vault in Container Apps

Tony LAUNAY 20 Reputation points
2025-08-05T14:03:03.2566667+00:00

Is it possible to use a certificate generated by Azure Key Vault with RSA-HSM in a Container App? An error occurs when attempting to use this certificate. What are the steps to resolve this issue?

Azure Container Apps

An Azure service that provides a general-purpose, serverless container platform.


Answer accepted by question author

Anonymous
2025-08-21T07:21:37.6133333+00:00

Hi Tony LAUNAY,

Thanks for bringing your question to Microsoft Q&A.

No. Azure Container Apps can only import certificates from Key Vault if the private key is exportable (software-protected RSA/EC); HSM-protected keys (RSA-HSM/EC-HSM) are non-exportable, so ACA can't pull the PFX into the Container Apps environment and can't use them, resulting in a generic "failed to import/use certificate" error.

Refer document: https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?utm_source=chatgpt.com&tabs=azure-cli

Recommended steps to fix the issue:

1. Reissue the certificate in Key Vault with an exportable key

  • In Key Vault → go to Certificates → click Generate/Import → then in Advanced policy, provide:
  • Key type: RSA (not RSA-HSM)
  • Exportable private key: Yes
  • Key size: 2048-bit, 3072-bit or 4096-bit; content type: PFX/PKCS#12
  • HSM keys are non-exportable by design; exportability is allowed only for RSA/EC software keys.

Refer document for Exportable or non-exportable keys:

https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates?utm_source

2. Enable the Container Apps Environment's managed identity

  • ACA Environment → Identity → turn System-assigned ON.

3. Grant Key Vault permissions to that identity

  • Give the environment's managed identity Key Vault Secrets User (RBAC) on the vault,
  • or, if you're using access policies, an Access Policy with get/list on secrets and certificates:
    Go to Key Vault → Access policies → + Add Access Policy
    Configure permissions: Secret permissions: Get, List; Certificate permissions: Get, List
    Select principal: choose the managed identity of your Container App environment
    Click Add → Save
  • Verify access: test that the Container App environment can read secrets/certificates using the Key Vault URI.

Refer document to Enable managed identity and grant permissions:

https://learn.microsoft.com/en-us/azure/container-apps/key-vault-certificates-manage?utm_source

4. Import the certificate into ACA from Key Vault

  • ACA Environment → Certificates → Bring your own (.pfx) → Add → Import from Key Vault → select your vault & certificate → choose the environment’s managed identity → Add.
  • The import should now succeed.
  • If you get a "List operation not enabled" error, you're missing Key Vault permissions; fix step 3.

5. Use the certificate

  • Attach it to a custom domain on your Container App’s ingress, or mount/expose it as needed for mutual TLS between apps.
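The steps above boil down to two conditions on the certificate's Key Vault policy: a software-protected key (RSA/EC, not RSA-HSM/EC-HSM) and an exportable private key, delivered as PKCS#12. The following script is an added example (not code from the answer, from Microsoft, or from the Azure docs) that builds a policy meeting those conditions for `az keyvault certificate create --policy @policy.json`, and checks an existing policy (the `policy` object printed by `az keyvault certificate show`) for the reasons an ACA import would fail. The policy field names (`keyProperties.keyType`, `keyProperties.exportable`, `secretProperties.contentType`, and so on) are taken from the shape `az keyvault certificate get-default-policy` prints and are an assumption here; the sample HSM policy and the subject name are constructed for the demonstration.

```python
"""Added example: build an ACA-importable Key Vault certificate policy and
check an existing policy for the conditions that make ACA import fail.

Assumption: policy field names follow the JSON that
`az keyvault certificate get-default-policy` prints. Compare with the live
CLI output before relying on them.
"""
import json
from typing import Any

# Key types Key Vault offers for certificate keys. HSM-backed keys are
# non-exportable by design, so ACA cannot pull the PFX into its environment.
SOFTWARE_KEY_TYPES = {"RSA", "EC"}
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM"}
ACA_KEY_SIZES = {2048, 3072, 4096}
PKCS12 = "application/x-pkcs12"


def aca_compatible_policy(subject: str, key_size: int = 2048,
                          validity_months: int = 12) -> dict[str, Any]:
    """Return a self-issued policy whose key ACA can import.

    Replace issuerParameters.name with a configured CA issuer when reissuing
    a publicly trusted certificate; the key settings are what matter here.
    """
    if key_size not in ACA_KEY_SIZES:
        raise ValueError(f"key size must be one of {sorted(ACA_KEY_SIZES)}")
    return {
        "issuerParameters": {"name": "Self"},
        "keyProperties": {
            "keyType": "RSA",       # not RSA-HSM
            "exportable": True,     # ACA needs the PFX with its private key
            "keySize": key_size,
            "reuseKey": False,
        },
        "secretProperties": {"contentType": PKCS12},
        "x509CertificateProperties": {
            "subject": subject,
            "validityMonths": validity_months,
            "keyUsage": ["digitalSignature", "keyEncipherment"],
        },
        "lifetimeActions": [
            {"trigger": {"daysBeforeExpiry": 30},
             "action": {"actionType": "AutoRenew"}}
        ],
    }


def check_policy_for_aca(policy: dict[str, Any]) -> list[str]:
    """Return the reasons an ACA 'Import from Key Vault' would fail.

    `policy` is the "policy" object from `az keyvault certificate show`.
    An empty list means the policy satisfies the conditions in the answer.
    """
    problems: list[str] = []
    key = policy.get("keyProperties") or {}
    key_type = key.get("keyType")
    if key_type in HSM_KEY_TYPES:
        problems.append(f"key type {key_type} is HSM-protected and cannot be exported")
    elif key_type not in SOFTWARE_KEY_TYPES:
        problems.append(f"unrecognised key type {key_type!r}")
    if not key.get("exportable", False):
        problems.append("private key is not marked exportable")
    if key_type == "RSA" and key.get("keySize") not in ACA_KEY_SIZES:
        problems.append(f"unsupported RSA key size {key.get('keySize')}")
    content_type = (policy.get("secretProperties") or {}).get("contentType")
    if content_type != PKCS12:
        problems.append(f"content type {content_type!r} is not PKCS#12 (PFX)")
    return problems


# Constructed sample: the policy part of `az keyvault certificate show` for a
# certificate generated with RSA-HSM, i.e. the kind that fails in ACA.
HSM_POLICY_FROM_VAULT: dict[str, Any] = {
    "issuerParameters": {"name": "Self"},
    "keyProperties": {"keyType": "RSA-HSM", "exportable": False,
                      "keySize": 2048, "reuseKey": True},
    "secretProperties": {"contentType": PKCS12},
    "x509CertificateProperties": {"subject": "CN=app.example.test",
                                  "validityMonths": 12},
}


def policy_json(subject: str) -> str:
    """Serialise a compatible policy for `--policy @policy.json`."""
    return json.dumps(aca_compatible_policy(subject), indent=2)


if __name__ == "__main__":
    for reason in check_policy_for_aca(HSM_POLICY_FROM_VAULT):
        print("existing cert cannot be imported:", reason)
    # Save this as policy.json, then reissue with
    #   az keyvault certificate create --vault-name <vault> --name <cert> --policy @policy.json
    # and pick the new version in ACA Environment > Certificates > Import from Key Vault.
    print(policy_json("CN=app.example.test"))
```

Run the checker against the `policy` object of the certificate that is failing before touching the environment: if it reports an HSM key type or a non-exportable key, no change to the managed identity or RBAC (steps 2 and 3) will make the import succeed, and the certificate has to be reissued first.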

If you absolutely need to use a certificate from Azure Key Vault with an RSA-HSM key in a Container App: since ACA requires a PFX with an exportable private key, RSA-HSM certificates cannot be used directly. The common workaround is to terminate TLS at a front-end service (like a compliant load balancer or API gateway) that supports HSM-backed keys, then forward traffic to ACA over HTTPS, noting that many Azure TLS integrations still require exportable keys.

Refer document: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs?utm_source

Finally, Container Apps only works with exportable certificates (RSA/EC), not RSA-HSM. To fix, recreate the cert in Key Vault as exportable and re-import, or terminate TLS at a front-end service if HSM is mandatory.

I hope the steps provided help you resolve the issue. Please let me know if you have any further queries. I am happy to assist.

1 person found this answer helpful.

1 additional answer

  1. Shikha Ghildiyal 7,255 Reputation points Microsoft Employee Moderator
    2025-08-05T14:55:28.99+00:00

    Hi Tony LAUNAY,

    Thanks for reaching out to Microsoft Q&A.

    I hope you have followed all pre-reqs. Kindly go through the step-by-step guidance once: https://learn.microsoft.com/en-us/azure/container-apps/key-vault-certificates-manage

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


