This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 99%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Hi, I'm trying to use a certificate generated by key vault in one of my listeners, the problem is that when I add it and click on save, I get a notification saying:
Failed to save configuration changes to application gateway 'XXXXX'. Error: Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway
I checked and the Managed Identity has all the access policies allowed in the key vault, and is used by the Listener TLS Certificate.
Which could be the problem?
Thanks.
Hello @Luca Sosa
Ok try these 3 points and if you still face issues lets schedule it
CERTIFICATE CREATION
In the Advanced Policy menu add these Flags and select 4096 for Key Size :
Finally the User Assigned Managed Identity :
Kindly mark the answer as Accepted and Upvote !
Regards
yes!! that did the trick, thank you so much for your patience
Hello @Luca Sosa !
Welcome to Microsoft QnA!
First have a look here :
Next add the Certificate Policies to the managed identity not only the Secrets
Verify that access to Key Vault is permitted from Network or no other blocks are there
Try these and tell me how it went !
--
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi, @Konstantinos Passadis I checked and my vault is set to allow all public access, and I give also all the permissions possible to the managed identity, nothing in that document is like the problem that I'm having I guess.
Please tell me if there is any else that I can try
I already try all of that, I was always using a User Managed Identity, and the Identity and me have all the permissions in the access policies section, but what you exactly mean with assign the Identity with App Gateway? for example I added a new TLS certificate and there I can specify what Managed Identity should use, but there is any other place that I should add the Managed Identity? If so, please help me with that because I didn't find any section where I can add it.
Thanks.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
Hello @Luca Sosa
Thamks for the Input , ignore previous post ...lets solve this issue !
Kindly let me know :
Application Gateway uses a managed identity to retrieve certificates from Key Vault on your behalf.
You can either create a new user-assigned managed identity or reuse an existing with the integration. To create a new user-assigned managed identity, see Create a user-assigned managed identity using the Azure portal.
Have you seen this :
https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works
....If you're using the permission model Vault access policy: Select Access Policies, select + Add Access Policy, select Get for Secret permissions, and choose your user-assigned managed identity for Select principal. Then select Save....
ALSO
As of March 15, 2021, Key Vault recognizes Application Gateway as a trusted service by leveraging User Managed Identities for authentication to Azure Key Vault. With the use of service endpoints and enabling the trusted services option for Key Vault's firewall, you can build a secure network boundary in Azure. You can deny access to traffic from all networks (including internet traffic) to Key Vault but still make Key Vault accessible for an Application Gateway resource under your subscription.
When you're using a restricted Key Vault, use the following steps to configure Application Gateway to use firewalls and virtual networks:....rest on the LINK
--
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi @Konstantinos Passadis thanks for all the help, but is just not working for me, I went a little bit further in the logs and see that is also saying this:
Data or Password for certificate is invalid.
can be this help to see where the error is? maybe at the time to create the certificate? because in configuration I followed all the steps in the process.
Thanks again for all the help.
Hello @Luca Sosa
Well you found the source of the problem that is for sure
Now either you have wrong Password for the Certificate or it not correctly created or imported
https://learn.microsoft.com/en-us/azure/application-gateway/configure-key-vault-portal
The link says
have you created or Imported one ? pay attention to all details certificate configs are sensitive to slightest mistakes
IF you want to create it :
https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ssl-cli
--
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi @Konstantinos Passadis ,
maybe I'm getting it wrong but what I want is to create the certificate from keyvault, and activate the auto-renew so I don't have to re-create a new one in a year.
For that the only thing that I did was in Key vault create a certificate as you can see here
of course thisismydomain.com is an example, but I didn't get when I have to upload or add a password, and if I have to where I get it. I saw also the second link that you send me, but talks to create a new App Gateway, and seems like it links the Gateway with only one certificate, I need to add a few because I'm managing more than 1 website in the Gateway, Anyways, the question is if I'm generating the certificate in Key Vault, what is the issuance policy? and what should have?
Thanks, hope this helps understand better the problem.
Hello @Luca Sosa
Yes since you Generate a certificate you ahev to confgure the issuance policy
https://learn.microsoft.com/en-us/azure/application-gateway/configure-key-vault-portal
Also is the app gateway V2 ?
Create Certificate and Issuance Policy
Certificate
Also you have to enter P12 not PEM for the Certificate
Please review the steps in the link and configure the issuance Policy and select P12 [PFX[ not PEM
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi @Konstantinos Passadis I'm doing all of that but it's just not working, I'm selecting self-signed certificate, the issuance policy is the CN=mydomain.com? if it's something else, I'm not finding it, even in the documentation, please tell me if it has something to do with that, I'm using self-signed since is the only one that let me set the auto-renewal option.
Thanks.