Azure WebApp custom domain not auto-update binding from KeyVault Certificate

ozbobwa 21 Reputation points
2024-05-03T09:10:54.7+00:00

I have a webapp and a custom domain, secured with a SSL certificate binding and the externally provided and uploaded certificate in KeyVault.

The certificate was updated and a new version recorded in KeyVault.

Today when the original cert expired, the new cert was not bound to the custom domain.

When an azure webapp has a custom domain

and the certifcate is in KeyVault

and it is secured with a binding to a SSL certificate

When the KeyVault Certification is updated

and the original certificate expires

Expect the new KeyVault certificate to be used in the binding of the WebApp custom domain.

Today when the original cert expired, the new cert was not bound to the custom domain, I had to manually update it by choosing the new KeyVault certificate binding.

How do i configure Azure Keyvault and Azure WebApp to auto-update the certificate binding?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,986 questions
{count} votes

1 answer

Sort by: Most helpful
  1. VenkateshDodda-MSFT 18,946 Reputation points Microsoft Employee
    2024-05-06T10:52:04.1166667+00:00

    @ozbobwa Thanks for your response and follow-up questions on this.

    1.You say "If the secret version isn't specified", I am using a certificate not a secret, and i am not specifiying the Keyvault certificate version. Could the Azure WebApp have stored the version ID of the KeyVault certificate?

    Sorry for the confusion here, the above information is related to key vault secret rotation.

    2."automatically updates ... using the latest version within 24 hours" I will upload my new RapidSSL certificate file into keyVault and wait 24 hours. If the certificate has not automatically updated I will report back. Were you refering to this feature? https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/ there is reference to this document: https://learn.microsoft.com/en-au/azure/key-vault/keys/how-to-configure-key-rotation but I am not sure that will work if my certificate originates from an external CA.

    It is clearly called out in the documentation here, that if you update the certificate in keyvault App service will automatically sync the certificate within 24 hours.
    User's image
    For more information you can refer to when updating(renew) a certificate section in this documentation.

    User's image

    Hope this helps, let me know if you have any further questions on this.