Steps and the procedure to update the SSL certificate for Application Gateway with no downtime?

EnterpriseArchitect 6,041 Reputation points
2023-02-13T06:20:30.64+00:00

What are the steps I can follow to update the certificate for the Application Gateway with no downtime?

The Certificate is already stored in the Azure KeyVault.


Accepted answer
  GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2023-02-14T14:30:38.22+00:00

    Hello @EnterpriseArchitect ,

    I understand that you would like to integrate your Application gateway with Key vault for certificate management and would like to know how to implement the same without any downtime.

    Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the Application Gateway v2 SKU.

    Azure Application Gateway integration with Key Vault supports both Vault access policy and Azure role-based access control permission models.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs

    To integrate Key Vault with Application Gateway for SSL on an existing HTTPS listener, you can follow the steps below:

    • Obtain a user-assigned managed identity for your Application Gateway.
    • Define access policies to use the user-assigned managed identity with your Key Vault.
    • If you're using the permission model Vault access policy: Select Access Policies, select + Add Access Policy, select Get for Secret permissions, and choose your user-assigned managed identity for Select principal. Then select Save.
    • If you're using Azure role-based access control, follow the article Assign a managed identity access to a resource and assign the user-assigned managed identity the Key Vault Secrets User role to the Azure Key Vault.
      • Specifying Azure Key Vault certificates that are subject to the role-based access control permission model is not supported via the portal.
      • Using PowerShell/CLI:
      1. Get the secret ID from Key Vault and specify the secret ID from Key Vault in your Application Gateway.
      2. Commit the changes to the Application Gateway.
      3. Once the commands have been executed, you can navigate to your Application Gateway in the Azure portal.
    • In your Application gateway, click the Listeners tab and select your existing listener.
    • Under Choose a certificate, select "Create new" and "Choose a certificate from Key Vault".
    • And then enter a certificate name, select managed identity and choose the certificate uploaded to your Key Vault.
    • Once selected, click Save to apply the referenced Key Vault certificate to the listener.

    As soon as you save the Application gateway, the newly referenced certificate from Key vault will be the one that is presented on new client requests, and you can safely remove/delete the traditional certificate from the listener (if you want) or keep it in the configuration to reference it later (whichever step works for you).

    Refer to the docs below for detailed tutorials with screenshots:

    https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works

    https://learn.microsoft.com/en-us/azure/application-gateway/configure-key-vault-portal

    NOTE: It is important to consider any impact on your Application Gateway resource when making changes or revoking access to your Key Vault resource. In case your application gateway is unable to access the associated key vault or locate the certificate object in it, it will automatically put that listener in a disabled state.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#investigating-and-resolving-key-vault-errors

    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-key-vault-common-errors#application-gateway-error-codes

    In case of end-to-end SSL, if you are using a well-known certificate authority for your backend certificate, then you don't have to change the http setting when you upgrade the certificate in the backend. Changes done to the Application gateway V2 are a lot faster.

    So, as long as there are no issues with the configured Key vault and your application gateway is able to access the associated key vault, there should be no downtime in updating the certificate except the time normally required to save Application gateway changes.

    When Application Gateway is configured to use Key Vault certificates and you rotate certificates in KeyVault, Application gateway will automatically pick up the change after 4 hours.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/renew-certificates

    NOTE:

    • Application Gateway only supports certificates in Personal Information Exchange (PFX) format. You can either import an existing certificate or create a new one in your Key Vault. To avoid any failures, ensure that the certificate's status is set to Enabled in Key Vault. Refer: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#certificate-settings-in-key-vault
    • The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).
    • References to Key Vaults in other Azure subscriptions are supported, but must be configured via ARM Template, Azure PowerShell, CLI, Bicep, etc. Cross-subscription key vault configuration is not supported by Application Gateway via Azure Portal today.

    To renew certificates uploaded directly to an Application Gateway listener, you can follow the guidance below:

    https://learn.microsoft.com/en-us/azure/application-gateway/renew-certificates#certificates-on-an-application-gateway

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

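The PowerShell/CLI path described in the accepted answer (get the secret ID from Key Vault, point the gateway's SSL certificate object at it, commit the change) as an added example written with the Azure CLI. This is not code from the original post or from Microsoft; the resource group, gateway, vault, identity and certificate names are placeholders, and the helper functions are assumptions made for the example. The point it adds to the answer is that the gateway should be given the versionless secret ID, so that rotating the certificate in Key Vault is picked up on the gateway's polling schedule (the answer cites 4 hours) instead of pinning the listener to one version, and that the change should be verified by looking at what the listener actually serves.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Attach a Key Vault certificate to an existing
# Application Gateway v2 HTTPS listener with the Azure CLI. All names are placeholders.
# "az" calls only run when a verb is given:  ./agw-cert.sh grant|apply|check ...
set -euo pipefail

# Turn a versioned Key Vault secret ID into its versionless form:
#   https://kv.vault.azure.net/secrets/web-tls/0123abcd -> https://kv.vault.azure.net/secrets/web-tls
# A versionless reference is what lets the gateway follow certificate rotation on its own;
# a versioned ID pins the listener to that one version until someone edits the gateway again.
versionless_secret_id() {
  local id="${1%/}"                 # tolerate a trailing slash
  local rest="${id#https://}"       # <vault-host>/secrets/<name>[/<version>]
  local host="${rest%%/*}"
  local path="${rest#*/}"           # secrets/<name>[/<version>]
  local kind="${path%%/*}"
  local name=""
  if [ "$path" != "$kind" ]; then name="${path#*/}"; name="${name%%/*}"; fi
  if [ "$rest" = "$id" ] || [ "$host" = "$rest" ] || [ "$kind" != "secrets" ] || [ -z "$name" ]; then
    echo "expected a Key Vault *secret* ID (the certificate's sid), got: $1" >&2
    return 1
  fi
  printf 'https://%s/secrets/%s\n' "$host" "$name"
}

# The prerequisites the answer lists, as CLI: assign the user-assigned identity to the gateway
# and grant it read access to the vault's secrets (RBAC model; for the access-policy model use
#   az keyvault set-policy --name "$vault" --object-id <principalId> --secret-permissions get).
grant_access() {
  local rg="$1" agw="$2" vault="$3" identity_id="$4"   # identity_id = full resource ID of the identity
  local principal vault_id
  az network application-gateway identity assign -g "$rg" --gateway-name "$agw" --identity "$identity_id" -o none
  principal=$(az identity show --ids "$identity_id" --query principalId -o tsv)
  vault_id=$(az keyvault show --name "$vault" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$vault_id" -o none
}

# Swap the listener's certificate for the Key Vault reference. Established TLS sessions are not
# torn down; new handshakes get the Key Vault certificate once the gateway update completes.
apply_cert() {
  local rg="$1" agw="$2" vault="$3" cert="$4" listener="$5"
  local sid ref
  # "sid" is the secret identifier behind the certificate object; that is what the gateway
  # references, not the certificate ID (https://.../certificates/...).
  sid=$(az keyvault certificate show --vault-name "$vault" --name "$cert" --query sid -o tsv)
  ref=$(versionless_secret_id "$sid")
  az network application-gateway ssl-cert create -g "$rg" --gateway-name "$agw" -n "$cert" \
    --key-vault-secret-id "$ref" -o none
  az network application-gateway http-listener update -g "$rg" --gateway-name "$agw" -n "$listener" \
    --ssl-cert "$cert" -o none
}

# What clients actually receive: run before and after the change (and again after a rotation in
# Key Vault); the SHA-256 fingerprint should move to the new certificate's.
served_fingerprint() {
  local host="$1"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

case "${1:-}" in
  grant) shift; grant_access "$@" ;;        # grant RG AGW VAULT IDENTITY_RESOURCE_ID
  apply) shift; apply_cert "$@" ;;          # apply RG AGW VAULT CERT_NAME LISTENER_NAME
  check) shift; served_fingerprint "$@" ;;  # check HOSTNAME
  *) ;;                                      # no verb: only define the functions
esac
```

If the certificate was previously uploaded directly to the listener, the old SSL certificate object can stay in the gateway configuration after `apply`; nothing references it, so it can be deleted later with `az network application-gateway ssl-cert delete` once `check` confirms the Key Vault certificate is the one being served.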
