Failed to link certificate with the selected Key Vault

Elmer C. Casta 0 Reputation points
2024-01-27T11:15:34.37+00:00

Hi there, I just purchased an SSL certificate (wildcard) via App Services; however, it throws an error during the process:

Failed to link certificate with the selected Key Vault. Check below errors for more detail.: The parameter keyVaultCsmId has an invalid value. Can someone help me resolve this issue, please? Thanks.


5 answers

  1. Robert Kubaty 10 Reputation points
    2025-02-12T10:13:41.9733333+00:00

    Most suggestions on the web are about switching the Key Vault to the "Vault access policy" permission model.

    I think I've made it work using the RBAC model.

    On the RBAC Key Vault, assign Key Vault Administrator to the Microsoft.Azure.CertificateRegistration service principal.

    After that, you can link your Certificate to this Key Vault.

    You'll probably need to assign Key Vault Certificate User and Key Vault Secrets User to the Microsoft Azure App Service, Microsoft.Azure.Frontdoor, etc. service principals later so they can consume the cert.

    2 people found this answer helpful.
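The RBAC approach in the answer above, written out as an added example with the Az PowerShell module (this is not code from the thread or from Microsoft). The vault name and resource group are assumptions; the two application IDs are the ones quoted later in the thread for Microsoft.Azure.CertificateRegistration and Microsoft Azure App Service. Role assignments are scoped to the vault resource only, and the script is idempotent so it can be re-run safely.

```powershell
# Added example for this thread (not code from any answer): apply the RBAC
# approach with the Az PowerShell module. Assumed values: vault name and
# resource group. The application IDs are the ones quoted later in the thread.
$VaultName     = 'kv-appsvc-certs'   # assumption: your RBAC-mode vault
$ResourceGroup = 'rg-certs-example'  # assumption: its resource group

$CertRegistrationAppId = 'f3c21649-0979-4721-ac85-b0216b2cf413'  # Microsoft.Azure.CertificateRegistration
$AppServiceAppId       = 'abfa0a7c-a6b6-4736-8310-5855508787cd'  # Microsoft Azure App Service

# Role assignments need the service principal's object ID, not its application ID.
function Get-SpObjectId {
    param([string]$AppId)
    $sp = Get-AzADServicePrincipal -ApplicationId $AppId
    if (-not $sp) { throw "Service principal $AppId is not registered in this tenant." }
    return $sp.Id
}

# Idempotent assignment: re-running the script does not create duplicates.
function Grant-RoleIfMissing {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) { Write-Host "$Role already assigned at $Scope"; return }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
    Write-Host "Assigned $Role at $Scope"
}

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault $VaultName uses the access-policy model; this script is for RBAC-mode vaults."
}
# Scope every assignment to the vault itself, not to the resource group or subscription.
$scope = $vault.ResourceId

# Linking the certificate: the registration principal writes the secret into the vault.
Grant-RoleIfMissing -ObjectId (Get-SpObjectId $CertRegistrationAppId) -Role 'Key Vault Administrator' -Scope $scope

# Consuming the certificate: the App Service principal only needs read-only roles.
$appSvcObjectId = Get-SpObjectId $AppServiceAppId
foreach ($role in 'Key Vault Certificate User', 'Key Vault Secrets User') {
    Grant-RoleIfMissing -ObjectId $appSvcObjectId -Role $role -Scope $scope
}

# Review what is now assigned directly at the vault before linking the certificate in the portal.
Get-AzRoleAssignment -Scope $scope | Where-Object { $_.Scope -eq $scope } |
    Select-Object DisplayName, RoleDefinitionName | Format-Table -AutoSize
```

Key Vault Administrator is a broad data-plane role, so keep it scoped to this one vault as the script does rather than granting it at the resource group or subscription. RBAC assignments can take a few minutes to propagate, so if the portal still reports the keyVaultCsmId error immediately afterwards, wait and retry before changing anything else.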

  2. (ADM) Miguel Alonso 5 Reputation points
    2024-08-05T14:00:13.9566667+00:00

    Hello.

    The following approach worked for me:

    • Open the KeyVault that you want to access.
    • In the right menu, go to Settings, Access Configuration.
    • Update the Permission Model to Vault access policy.
    • Apply.

    Kind regards.

    1 person found this answer helpful.

  3. Saravanan Ganesan 1,830 Reputation points MVP
    2024-01-28T16:22:53.1333333+00:00

    Hi Elmer,

    To resolve the SSL certificate linking issue in Azure App Service, ensure the Key Vault configuration is accurate. Double-check the keyVaultCsmId parameter, ensuring it contains the correct and valid Key Vault ID. Verify that your certificate and Key Vault are in the same Azure region. If issues persist, review the documentation or seek assistance from Azure support, providing detailed information on your configuration. Accurate setup of the Key Vault integration is crucial for successful SSL certificate linking in App Services.

    Regards,
    Saravanan Ganesan


  4. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2024-01-29T20:35:05.5866667+00:00

    @Elmer C. Casta, just checking in to see if you had a chance to see the previous response. If the answer helped (pointed you in the right direction), please click Accept Answer, or please share the requested/more info so we can help you better.

    Edit: Thanks to Ole Christian Rynning for sharing the solution that worked. To benefit the community, posting additional suggestions on similar issues: the error "The parameter keyVaultCsmId has an invalid value" may occur due to these two possible causes: the Key Vault (KV) might be set to use RBAC, or the Network access tab might be blocking public access and not allowing trusted Microsoft services to bypass this firewall. This is similar to the solution outlined by Ole.

    1. Ensure that the KV network is allowing public access, or that it at least allows trusted Microsoft services to bypass this firewall.

       Public Access Disabled (Private Endpoint Only): To enhance network security, you can configure your vault to disable public access. This will deny all public configurations and allow only connections through private endpoints.

       Configure Azure Key Vault firewalls and virtual networks: https://learn.microsoft.com/azure/key-vault/general/network-security#public-access-disabled-private-endpoint-only

    2. You may have another certificate already installed in the WebSpace that has the same certificate name but was imported from a different Key Vault or Key Vault Secret. We can have only one certificate from a specific Key Vault and Key Vault Secret.

       In such a scenario, if you are trying to upload the existing certificate, you may use a different certificate name when importing. You may try uploading the new certificate into the existing Key Vault (instead of creating a new Key Vault Secret).


  5. Ole Christian Rynning 0 Reputation points
    2024-02-01T15:14:16.48+00:00

    I ran into this issue today myself and could not find any good answers.

    I assume you are using the Azure Portal and not the JSON API, like the previous answer assumes.

    I.e.: Azure Portal > "App Service Certificates" > [certificate] > "Certificate Configuration" > "Step 1: Store" > "Key Vault Configuration" dialog.

    I found this helpful:
    https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-certificate-wildcard

    The issue seems to be that App Service Certificates do not support Azure RBAC key vaults at all (!!#$^#$)

    (Furthermore, if you "Create a new keyvault" in the above workflow, it will create a new RBAC keyvault. I tried first to add the below principals to an RBAC keyvault, but that didn't do it for me, but YMMV.)

    My fix was thus to:

    • Create a new key vault to store certificates.
    • For "Permission model", use the legacy "Vault access policy".
    • I also checked "Azure Resource Manager for template deployment" under "Resource access" for good measure (since I like az-cli, etc.).
    • Under "Access policies", I created two new mappings:
      1. I selected "get" in the Secrets category and the principal (next screen): abfa0a7c-a6b6-4736-8310-5855508787cd (Microsoft Azure App Service)
      2. I selected "get, set, delete" in the Secrets category and the principal: f3c21649-0979-4721-ac85-b0216b2cf413 (Microsoft.Azure.CertificateRegistration)

    After this I could select the newly created key vault in the "Step 1: Store"-dialog.
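The access-policy fix described in this answer and in Miguel Alonso's answer, plus the firewall check from the moderator's answer, as one added example with the Az PowerShell module (not code from the thread or from Microsoft). The vault name, resource group and region are assumptions; the two application IDs and the secret permissions (get for App Service, get/set/delete for certificate registration) are exactly the ones listed above. The script creates the vault only if it does not already exist and refuses to touch a vault that is in RBAC mode.

```powershell
# Added example for this thread (not code from any answer): create or reuse a
# vault in the legacy "Vault access policy" model, grant exactly the secret
# permissions listed in the answer above, and make sure the vault firewall does
# not block the App Service platform. Assumed values: vault name, resource
# group and region (the region should match the certificate's).
$VaultName     = 'kv-appsvc-certs'   # assumption
$ResourceGroup = 'rg-certs-example'  # assumption
$Location      = 'westeurope'        # assumption

$AppServiceAppId       = 'abfa0a7c-a6b6-4736-8310-5855508787cd'  # Microsoft Azure App Service
$CertRegistrationAppId = 'f3c21649-0979-4721-ac85-b0216b2cf413'  # Microsoft.Azure.CertificateRegistration

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
if (-not $vault) {
    $params = @{
        Name                         = $VaultName
        ResourceGroupName            = $ResourceGroup
        Location                     = $Location
        EnableRbacAuthorization      = $false   # legacy access-policy model; newer Az versions default to RBAC
        EnabledForTemplateDeployment = $true    # optional, as in the answer above
    }
    $vault = New-AzKeyVault @params
} elseif ($vault.EnableRbacAuthorization) {
    # Access policies are ignored on an RBAC vault; the permission model has to change first.
    throw "Vault $VaultName is in RBAC mode; switch it to 'Vault access policy' or use another vault."
}

# Mapping 1: the App Service runtime only reads the certificate secret.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AppServiceAppId `
    -PermissionsToSecrets get

# Mapping 2: certificate registration writes, reads and removes it.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $CertRegistrationAppId `
    -PermissionsToSecrets get, set, delete

# Firewall check from the moderator's answer: if the default action is Deny,
# the "Allow trusted Microsoft services" bypass must be on or the link fails.
$acls = (Get-AzKeyVault -VaultName $VaultName).NetworkAcls
if ($acls.DefaultAction -eq 'Deny' -and $acls.Bypass -ne 'AzureServices') {
    Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -Bypass AzureServices
    Write-Host "Enabled trusted-services bypass on $VaultName"
}

# Verify: each principal should appear once, with only the permissions granted above.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Select-Object DisplayName, @{ n = 'Secrets'; e = { $_.PermissionsToSecrets -join ',' } } |
    Format-Table -AutoSize
```

Set-AzKeyVaultAccessPolicy replaces the named principal's existing permissions rather than appending, so running the script again leaves exactly the two mappings shown; the final listing is the place to confirm nothing broader than get/set/delete on secrets was granted. Once it runs clean, select the vault in the "Step 1: Store" dialog as described above.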

