Mismatch in Common Name of certificate in Application Gateway backend setting and self-signed certificate issue

TinaY 20 Reputation points Microsoft Employee
2023-11-02T16:57:34.0866667+00:00

I have an Application Gateway (V2 SKU) and VM within an Azure Vnet. The VM has a private IP address. Using the backend setting, I want to route traffic to port 8092 on the VM using HTTPS, thus it asks me to upload the root certificate. The VM is serving an API, and it is using a self-signed cert. The error I get is that the Common Name of the leaf certificate mismatches with the backend setting host name. I understand that a self-signed certificate which is not a Certificate Authority will not be accepted, so I have some questions:

  1. Is it possible to make App Gateway accept the certificate for testing purposes?
  2. My VM has no domain name, so I'm not able to get certified by a CA with a proper Common Name as private IP address will not suffice. Please help.
  3. If I generate self-signed cert with custom root CA, what should the CN be?

Below is a screenshot of the error:

[Screenshot: MicrosoftTeams-image (2)]


Accepted answer
  KapilAnanth-MSFT 27,916 Reputation points Microsoft Employee
    2023-11-03T04:23:36.51+00:00

    @TinaY

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to configure end to end TLS with Application Gateway.

    While a self-signed certificate is not recommended for production traffic, Azure Application Gateway is perfectly capable of supporting a self-signed certificate provided it is properly configured.

    Now to address your queries,

    #1 Is it possible to make App Gateway accept the certificate for testing purposes?

    • As stated above, App Gateway can be configured to work with a self-signed certificate.

    #2 My VM has no domain name, so I'm not able to get certified by a CA with a proper Common Name as private IP address will not suffice. Please help.

    • It does not matter that your VM has no domain name; it actually depends on the application running inside.
    • I believe you own a domain (such as fabrikam.com) by which you'd like to access the application gateway.
    • As long as you own this domain, a CA can issue a certificate for any of the subdomains (such as www.fabrikam.com or app.fabrikam.com) or even a wildcard (*.fabrikam.com) as CN.
    • You should configure the application running inside the VM to use this certificate and accept traffic via "www.fabrikam.com" or any such domain.
      • This is not the property of the VM and generally, getting a CN as private IP is not a good approach.
    • For Apache and IIS applications, refer here

    #3 If I generate self-signed cert with custom root CA, what should the CN be?

    • The CN should be whatever the domain/FQDN you would want to access the VM with.
    • It can be the same as the FQDN used in front of Application Gateway or different.
    • The only thing to consider is that the custom root CA's CN and your backend server's CN should be different.
      • For example, if you want the server certificate's CN to be www.fabrikam.com, then the CN for the issuer can be www.contoso.com and
    • A detailed analysis on how to properly create an Azure Application Gateway self-signed certificate with a custom root CA is given here

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil

