Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,213 questions
Issue creating App Gateway using New-AzApplicationGateway with invalid certificate data
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 64%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Stan Spotts
15
Reputation points
I am trying to create an app gateway using New-AzApplicationGateway but keep getting an error that says "Data for certificate /subscriptions.../trustedRootCertificates/allowlistcert1 is invalid." I have two .cer files; one from my network admin and another downloaded from AKV from a .pxm file. I am using the following PowerShell script:
$trustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistcert1" -CertificateFile '.\wildcard.cer'
If I use the certificate from my admin, the command completes successfully, but if I use the other certificate, I receive an error that states "Cannot find the requested object." The only difference I see between the two certificates is that the one giving me an error does not have the "-----BEGIN CERTIFICATE-----" and "----END CERTIFICATE-----" lines, and it's one long line, while the other includes the lines and has line breaks every 64 characters.
I have set up everything documented here: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway. I execute the following setup:
$trustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistcert1" -CertificateFile $trustedRootCertCerPath
# configure HTTP backend settings for app gateway
$apimPoolGatewaySetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolGatewaySetting" `
-Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimGatewayProbe `
-TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" `
-Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe `
-TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
$apimPoolManagementSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolManagementSetting" `
-Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimManagementProbe `
-TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
# Configure backend IP address pool for each APIM endpoint
$apimGatewayBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "gatewaybackend" `
-BackendFqdns $gatewayHostname
$apimPortalBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "portalbackend" `
-BackendFqdns $portalHostname
$apimManagementBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "managementbackend" `
-BackendFqdns $managementHostname
# Create basic routing rules for app gateway
$gatewayRule = New-AzApplicationGatewayRequestRoutingRule -Name "gatewayrule" `
-RuleType Basic -HttpListener $gatewayListener -BackendAddressPool $apimGatewayBackendPool `
-BackendHttpSettings $apimPoolGatewaySetting -Priority 10
$portalRule = New-AzApplicationGatewayRequestRoutingRule -Name "portalrule" `
-RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimPortalBackendPool `
-BackendHttpSettings $apimPoolPortalSetting -Priority 20
$managementRule = New-AzApplicationGatewayRequestRoutingRule -Name "managementrule" `
-RuleType Basic -HttpListener $managementListener -BackendAddressPool $apimManagementBackendPool `
-BackendHttpSettings $apimPoolManagementSetting -Priority 30
# configure number of instances and tier for app gateway
$sku = New-AzApplicationGatewaySku -Name "WAF_v2" -Tier "WAF_v2" -Capacity 2
# configure the WAF mode
$config = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention"
# Set TLS 2.0 policy
$policy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20220101
This complete without errors, but when I attempt to create the App Gateway using the code below, I receive the invalid certificate data error message.
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location `
-BackendAddressPools $apimGatewayBackendPool,$apimPortalBackendPool,$apimManagementBackendPool `
-BackendHttpSettingsCollection $apimPoolGatewaySetting, $apimPoolPortalSetting, $apimPoolManagementSetting `
-FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 `
-HttpListeners $gatewayListener,$portalListener,$managementListener `
-RequestRoutingRules $gatewayRule,$portalRule,$managementRule `
-Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $certGateway, $certPortal, $certManagement `
-TrustedRootCertificate $trustedRootCert -Probes $apimGatewayProbe, $apimPortalProbe, $apimManagementProbe `
-SslPolicy $policy
When I look at $trustedRootCert, it shows that the cert data seems valid.
$trustedRootCert | fl
Data : MIIG+jCCBeKgAwIBAgIQCQKKo5Ed9TuX+jxfNIneKDA (the rest of the cert data,
zU=
ProvisioningState :
Type :
Name : allowlistcert1
Etag :
Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ResourceGroupNotSet/providers/Microsoft.Network/applicationGateways/ApplicationGatewayNameNotSet/trustedRootCertificates/allowlistcert1
I have tried various certificates but haven't had any success. The certificate is a wildcard cert used for SSL on web sites. Can anyone help me resolve this issue?
Azure Application Gateway
{count} votes
-
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator2023-12-26T03:49:30.91+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing issue with one of the Trusted Backend Certificates.
- May I ask how are you getting/exporting these certificates?
- Are you using Self-signed certificates?
- Or was this issues by some well-known CA?
- This document explains what is expected from a backend trusted root certificate : certificates to allow the backend with Azure Application Gateway.
- It looks like the proper format should contain header and footer (i.e., "-----BEGIN CERTIFICATE-----" and "----END CERTIFICATE-----" )
The best way to check this is to upload the certificate to a backend HTTP Setting via Portal and see if that succeeds or not.
Cheers,
Kapil
-
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
2023-12-27T04:37:54.9233333+00:00 Can you please update us if the action plan provided was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Thanks,
Kapil
-
Stan Spotts 15 Reputation points
2023-12-28T05:27:19.9433333+00:00 Sorry, holiday got in the way :). Will supply response asap.
-
Stan Spotts 15 Reputation points
2023-12-28T05:32:21.5633333+00:00 The original certificates were supplied by our network admin, obtained from DigiCert. I've since created self-signed certificates and have gotten a different error.
New-AzApplicationGateway: Resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/apim-test-rg/providers/Microsoft.Network/applicationGateways/mobiliti-api-ag/trustedRootCertificates/allowlistgw1 referenced by resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/apim-test-rg/providers/Microsoft.Network/applicationGateways/mobiliti-api-ag/backendHttpSettingsCollection/apimPoolGatewaySetting was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.I also changed it so the dev portal, gateway, and management portal all get their own certificates.
$TrustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistroot1" -CertificateFile "$($trustedRootCertCerPath)root.cer" $gatewayTrustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistgw1" -CertificateFile "$($trustedRootCertCerPath)gateway.cer" $portalTrustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistport1" -CertificateFile "$($trustedRootCertCerPath)portal.cer" $managementTrustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistmgt1" -CertificateFile "$($trustedRootCertCerPath)management.cer" # configure HTTP backend settings for app gateway $apimPoolGatewaySetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolGatewaySetting" ` -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimGatewayProbe ` -TrustedRootCertificate $gatewayTrustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180 $apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" ` -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe ` -TrustedRootCertificate $PortalTrustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180 $apimPoolManagementSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolManagementSetting" ` -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimManagementProbe ` -TrustedRootCertificate $ManagementTrustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180 -
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
2023-12-29T04:51:31.24+00:00 If the certificates were issued by a well know provider, such as DigiCert, then you do not have to upload a TrustedCertificate.
Instead, you can select "Use Well Known CA Certificate".
The above is the recommended approach.
- If you are trying to create/export a Trusted Root Certificate from an certificate issued by a well know provider, please don't
- Instead, just enable "Use Well Known CA Certificate".
-
- End-to-end TLS by using Application Gateway : https://learn.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal#add-authenticationroot-certificates-of-backend-servers
-
NOTE :
- Self-signed certificate indicates a certificate where the issuing party is yourself
- However, in your case, you have mentioned it is Digicert.
- I am not sure how "Self-signed" comes into picture at all.
Cheers,
Kapil
-
Stan Spotts 15 Reputation points
2023-12-31T20:26:21.46+00:00 I'm doing all of this with PowerShell, so no checkboxes. I'm looking for the scripted equivalent of that checkbox now.
Self-signed came into the picture because I could not get anything to work with the digicert certificates our network admin supplied, and since he's on vacation I can't find out much about how they were created. So I created self-signed certs.
But I still don't know why I get this error with them.
New-AzApplicationGateway: Resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/apim-test-rg/providers/Microsoft.Network/applicationGateways/mobiliti-api-ag/trustedRootCertificates/allowlistgw1 referenced by resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/apim-test-rg/providers/Microsoft.Network/applicationGateways/mobiliti-api-ag/backendHttpSettingsCollection/apimPoolGatewaySetting was not found. Please make sure that the referenced resource exists, and that both resources are in the same region. -
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
2024-01-03T13:31:10.03+00:00 Creating a self signed certificate means, you get 2 certificates and you must do 2 things.
- Make sure the root certificate is uploaded to Application Gateway's HTTP Settings
- and Configure the client certificate in your backend server's TLS settings
Can you confirm if you are able to do Step 2?
- Because, the backend may already be using a client certificate.
- In that case, you cannot create a self-signed trusted root certificate
- And if you just upload the self-signed, this will not work.
If you have a proper certificate issued by a well-known CA, I would suggest you reach out to your Network Admin and use that certificate only.
The error message,
New-AzApplicationGateway: Resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/apim-test-rg/providers/Microsoft.Network/applicationGateways/mobiliti-api-ag/trustedRootCertificates/allowlistgw1 referenced by resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/apim-test-rg/providers/Microsoft.Network/applicationGateways/mobiliti-api-ag/backendHttpSettingsCollection/apimPoolGatewaySetting was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
Indicates either
- you have not uploaded a trusted root certificate to the App gateway
or
- the name "allowlistgw1" is not correct.
The PowerhSell way to
1.Upload a certificate to App gateway:
$gw=Get-AzApplicationGateway -Name appgwv2 -ResourceGroupName rgOne Add-AzApplicationGatewayTrustedRootCertificate ` -ApplicationGateway $gw ` -Name CustomCARoot ` -CertificateFile "PATH/CERTIFICATE.cer" $trustedroot = Get-AzApplicationGatewayTrustedRootCertificate ` -Name CustomCARoot ` -ApplicationGateway $gw2.Use the certificate in a BackendHTTPSettings:
Add-AzApplicationGatewayBackendHttpSettings ` -ApplicationGateway $gw ` -Name testbackend ` -Port 443 ` -Protocol Https ` -Probe $probe ` -TrustedRootCertificate $trustedroot ` -CookieBasedAffinity Disabled ` -RequestTimeout 20 ` -HostName <YOUR SERVER SNI HOST NAME>The parameter is "-TrustedRootCertificate"
You can follow this : https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates#azure-powershell to upload a trusted root certificate and use it in a BackendHTTPSettings.
P.S : You have to create an App gw first to upload a TrustedRootCertificate.
Cheers,
Kapil
-
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
2024-01-04T12:02:47.6633333+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
Sign in to comment
Sign in to answer