API Management root CA invalid when using a Key Vault certificate through ARM, but valid when uploaded manually

Declan O'Malley 6 Reputation points

Hi All,

I have an issue with APIM and a root CA.

My APIM connects to App Gateway over HTTPS using a self-signed certificate in my dev environment. APIM has a root CA, selfsigned.mydomain.co.uk, uploaded through the portal, and a client certificate referencing a Key Vault certificate, with a global policy in place to use the mTLS certificate.

App Gateway is configured with a server certificate, appgateway.mydomain.co.uk, which is signed with a root CA called selfsigned.mydomain.co.uk. App Gateway is also configured with mTLS using another certificate, appgateway-mtls.mydomain.co.uk, which has the certificate chain.

This works! No problems at all. However, if I upload selfsigned.mydomain.co.uk to Key Vault as a certificate, supplying the certificate password for the private key, and then through my Bicep template pull down the secret and assign the root CA to APIM, this does not work. I get an SSL/TLS negotiation issue when connecting to App Gateway.

The certificate panel in the portal displays the correct, and same, thumbprint as when manually uploading, and the deployment is successful. It does take 30 minutes to apply the certificate though. I am not supplying the password for the cert, as the password is removed in Key Vault an

Example Bicep. The secret appears to be base64 encoded when retrieved from Key Vault, so no manipulation of the object happens:


```bicep
// Parameters other than rootCertificateEncoded were not in the posted fragment;
// they are declared here only so the snippet compiles on its own.
param apiManagementServiceName string
param rgLocation string = resourceGroup().location
param tags object = {}
param sku string = 'Developer'
param skuCount int = 1
param publisherEmail string
param publisherName string
param environment string = 'dev'

// The PFX carries a private key, so mark it secure to keep it out of
// deployment logs and history (not in the original fragment).
@secure()
param rootCertificateEncoded string

resource apiManagementService 'Microsoft.ApiManagement/service@2021-08-01' = {
  name: apiManagementServiceName
  location: rgLocation
  tags: tags
  sku: {
    name: sku
    capacity: skuCount
  }
  properties: {
    publisherEmail: publisherEmail
    publisherName: publisherName
    publicNetworkAccess: environment == 'uat' || environment == 'prod' ? 'Disabled' : 'Enabled'
    // The lines wrapping the certificate entry were lost when the post was
    // extracted; the wrapper below is reconstructed from the 2021-08-01
    // schema (certificates[].encodedCertificate / storeName / certificate).
    // storeName 'Root' is assumed from the post describing this as a root CA.
    certificates: [
      {
        encodedCertificate: rootCertificateEncoded
        storeName: 'Root'
        certificate: {
          expiry: '2024-03-07T15:52:28+00:00'
          subject: 'CN=selfsigned.mydomain.co.uk, O=Some Organisation, C=CH'
          thumbprint: 'A5459F3E2FAEA09CFF56DF6BB86E7092CEB4B412'
        }
      }
    ]
  }
}
```

The deployment runs successfully but then fails to connect to App Gateway. I'm not sure what else I can try, as the thumbprint is correct and APIM reports no errors. If I delete the certificate and upload it manually through the portal with the same certificate, it works. Any suggestions?
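When a certificate that works uploaded by hand stops working when fed in as a Key Vault secret value, the useful check is to decode that exact base64 string and look at what APIM is really being handed: PKCS#12 or PEM, whether the PFX opens with an empty password, whether a private key is bundled with what is meant to be a trust-store root, and whether the SHA-1 thumbprint matches the one the portal shows. The script below is an added diagnostic, not code from the post above and not an Azure tool; it assumes `openssl` and coreutils `base64` are on PATH, and the `az keyvault secret show` line at the end is a hypothetical usage, not something the post ran. `make_test_ca_b64` builds a constructed throwaway CA so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from Azure): inspect the
# base64 value of a Key Vault certificate secret the way APIM consumes it as
# properties.certificates[].encodedCertificate.  Assumes openssl and
# coreutils base64 are on PATH.

# Print one line describing the decoded secret:
#   format=<pkcs12|pem> thumbprint=<SHA1 hex, upper, no colons> key=<yes|no> ca=<yes|no> subject=<...>
# $1: base64 string exactly as returned by the Key Vault secret API
# $2: PFX password; leave empty for a Key Vault-exported PFX, which has none
inspect_cert_secret() {
  b64="$1"; pw="${2:-}"
  tmp="$(mktemp -d)" || return 1
  if ! printf '%s' "$b64" | base64 -d > "$tmp/blob" 2>/dev/null; then
    rm -rf "$tmp"; echo "error=not-base64"; return 1
  fi
  if grep -aq -- '-----BEGIN' "$tmp/blob"; then
    # Key Vault returns PEM when the certificate was imported as PEM
    fmt=pem
    cp "$tmp/blob" "$tmp/bundle.pem"
  else
    # Otherwise the secret is a PKCS#12 blob; -nodes writes the key unencrypted into the PEM bundle
    fmt=pkcs12
    if ! openssl pkcs12 -in "$tmp/blob" -passin "pass:$pw" -nodes -out "$tmp/bundle.pem" >/dev/null 2>&1; then
      rm -rf "$tmp"; echo "error=pkcs12-decode-failed (wrong password or not a PFX)"; return 1
    fi
  fi
  # openssl x509 picks the first CERTIFICATE block, skipping any key block before it
  if ! openssl x509 -in "$tmp/bundle.pem" -out "$tmp/cert.pem" >/dev/null 2>&1; then
    rm -rf "$tmp"; echo "error=no-certificate"; return 1
  fi
  # SHA-1 fingerprint in the form the APIM portal shows as "thumbprint"
  thumb="$(openssl x509 -in "$tmp/cert.pem" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g')"
  subj="$(openssl x509 -in "$tmp/cert.pem" -noout -subject | sed 's/^subject= *//')"
  # A root you only want to *trust* should not need a private key at all
  if grep -aq -- 'PRIVATE KEY-----' "$tmp/bundle.pem"; then key=yes; else key=no; fi
  if openssl x509 -in "$tmp/cert.pem" -noout -text | grep -q 'CA:TRUE'; then ca=yes; else ca=no; fi
  rm -rf "$tmp"
  printf 'format=%s thumbprint=%s key=%s ca=%s subject=%s\n' "$fmt" "$thumb" "$key" "$ca" "$subj"
}

# Constructed test input: a throwaway self-signed CA exported as a password-less
# PKCS#12 and base64-encoded, mimicking what Key Vault hands back.  Writes the
# PEM certificate to $1 for comparison and prints the base64 blob.
make_test_ca_b64() {
  dir="$(mktemp -d)" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=selfsigned.example.test/O=Example' \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -in "$dir/ca.pem" -inkey "$dir/ca.key" \
    -passout pass: -out "$dir/ca.pfx" >/dev/null 2>&1 || return 1
  cp "$dir/ca.pem" "$1"
  base64 "$dir/ca.pfx" | tr -d '\n'
  rm -rf "$dir"
}

# Hypothetical usage against a real vault (vault and secret names are placeholders):
#   inspect_cert_secret "$(az keyvault secret show --vault-name <kv> --name <cert> --query value -o tsv)"
```

Run it once against the value your Bicep resolves from Key Vault and once against the file you upload through the portal. The two `thumbprint=` values should be identical; if `format=`, `key=` or the PKCS#12 password behaviour differ between the two, that difference is what to chase rather than the thumbprint shown in the portal.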
