This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 90%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Hello all.
I have been suffering for weeks now. In Azure Premium firewall, I want t enable TLS inspection. That requires a Certificate I the key vault. That certificate has special requirements with the most complicated being "CA" = true. This value would indicate I am a certificate authority and no vendor will do this. I have talked with Digicert and Godaddy, along with four others.
So how do I enable TLS inspection and have an internal certificate that can be installed on all the VM's?
The actual details from Microsoft are:
Ensure your CA certificate complies with the following requirements:
• When deployed as a Key Vault secret, you must use Password-less PFX (Pkcs12) with a certificate and a private key.
• It must be a single certificate, and shouldn’t include the entire chain of certificates.
• It must be valid for one year forward.
• It must be an RSA private key with minimal size of 4096 bytes.
• It must have the KeyUsage extension marked as Critical with the KeyCertSign flag (RFC 5280; 4.2.1.3 Key Usage).
• It must have the BasicContraints extension marked as Critical (RFC 5280; 4.2.1.9 Basic Constraints).
• The CA flag must be set to TRUE.
• The Path Length must be greater than or equal to one.
Hi @Steven Davis ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to configure TLS inspection in Azure Firewall and would like to know the certificate requirements.
I see you have created a support incident with us, I shall track it and keep this thread updated.
Meanwhile, in case you have a TestEnvironment, can you try using Self-signed certificate and check if that is working or not?
Refer : Create your own self-signed CA certificate
Cheers,
Kapil
Hello.
The certificate I need is for a production environment. The article says that self-signed certificates are only for testing.
After I test how do I create the certificate to be used in production for the long term?
Hi @Steven Davis ,
Since you already have an existing support request open with our team, I would suggest you wait for their updates.
Let us know if we can be of any other assistance.
Cheers,
Kapil
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 26%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI4%3C/text%3E%3C/svg%3E)
Hi @Steven Davis , did you end up finding a solution? Facing the exact same situation. Thank you!
Duplicate comment. Please delete
As of 2/3/23 I have not found a resolution to the certificate problem. Microsoft support says it is out of the scope of a support contract. :(
This is hardly ideal however I can understand he position of the certificate vendors and Microsoft. There is a way out: create your own CA certificate for TLS inspection and install it on the Premium Firewall and also into the VMs and any other Azure services you want to traverse the firewall for TLS inspection so these services know to trust your custom CA certificate. Sounds like a fair amount of work but it is what it is - after all you're trying to man-in-the-middle TLS so you need to ensure your VMs and services explicitly trust your custom CA-issued certificates. Just make sure nobody has access to the private key of the CA certificate apart from the Azure Premium Firewall and that you are not using the CA certificate to issue any other certs.
I can understand the position of the certificate vendors and Microsoft. Fortunately, there is a way out, although requiring more work: create your own CA or Subordinate CA certificate and install it on the Premium Firewall and also into the VMs and any other Azure services you want traversing the firewall for TLS inspection so that these services know to trust your custom CA certificate. Sounds like a bit of work but it is what it is - after all you're trying to man-in-the-middle TLS so you need to ensure your VMs and services explicitly trust your custom CA certificate and therefore all the certificates that the firewall will be generating dynamically using that CA cert. Just make sure nobody has access to the private key of the CA certificate apart from the Azure Premium Firewall and that you are not using the CA certificate to issue any other certs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 34%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hey, I am facing the same issue. We are using godaddy, but couldn't figure out how to do this. Self signed process is working, but then don't want to do the manual stuff on trusting the cert on each client.
Does any one have used this use case?
My end result was to call Western NRG (805) 658-0800 a consultant I know that works on SonicWalls. They install a VM and configured it all. Saves a lot of hair pulling.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 96%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECN%3C/text%3E%3C/svg%3E)
For anyone else stumbling into this, I found this blog post a LOT more helpful than the official docs which I found rather esoteric on specifics: