Let's Encrypt Certificate with Key Vault and Azure App Service Import Issues

Question

Let's Encrypt Certificate with Key Vault and Azure App Service Import Issues

Lucian Hanga 25

Hi comunity,

I have a wildcard certificate issued by Let's Encrypt.

I want to use this certificate with an Azure App Service. Following the instructions, I created a password-protected .pfx file using the following command:

openssl pkcs12 \
   -export \
   -out ./cert.pfx \
   -in ./fullchain.pem \
   -inkey ./privkey.pem \
   -passout pass:test123

When I try to import this .pfx file through the Azure portal using the "Bring Your Own Certificate" option, everything works smoothly. The certificate is successfully imported, and I can bind it to the custom domain.

However, when I import the same .pfx file into Azure Key Vault as a certificate, the import itself works fine. But when I attempt to import the certificate from Key Vault into the App Service, I encounter a permissions error.

I followed the steps outlined in Microsoft's documentation and assigned the App Service's Managed Identity both the "Key Vault Certificate User" and "Key Vault Secrets User" roles. This resolved the permission error, but now, when attempting to import the certificate into the App Service, I get a generic error:

An error has occurred.

Unfortunately, no further details are provided.

Upon checking the Key Vault, I noticed that the associated secret for the certificate was created, although it doesn't appear in the list of secrets. I was able to access it by name, and it appears to be a base64-encoded version of the .pfx file.

My question is: What should I do from here? How can I debug this issue? What might be causing the problem?

The reason I need the certificate in Key Vault is to automate the process of importing the certificate into the App Service using Terraform. I also need to store the certificate in Key Vault for a future GitHub Actions workflow to handle certificate renewals.

Please let me know if you need any additional information to get a clearer understanding of the issue. I haven't provided specific details here because it involves a lot of information, including extensive tokenization of sensitive information.

Thank you,
Lucian

Lucian Hanga 25 Reputation points

2024-10-01T15:48:49.39+00:00
I attempted the same setup, but this time I used Access Policies instead of RBAC. I provided the necessary Access Policies for LIST and GET permissions on Keys, Secrets, and Certificates to the Microsoft Azure App Service Principal. However, I encountered the same error:
An error has occurred—just like with RBAC.

Now, I see two possible explanations:

The certificate imported into the Key Vault is handled differently by the App Service compared to when it's imported directly into the App Service. Perhaps the certificate I imported into the Key Vault is not correctly formatted for Key Vault storage.

There is a current issue with importing a certificate from Key Vault into an App Service.

Applying Occam's Razor, I would lean toward option 1. This brings me back to the code I shared in my original question for preparing the certificate for import:

openssl pkcs12 \ -export \ -out ./cert.pfx \ -in ./fullchain.pem \ -inkey ./privkey.pem \ -passout pass:test123

This works fine when I import the certificate directly into the App Service. That much is clear.

How should I properly encode the certificate for correct import into Key Vault? I should also mention that when importing the certificate into Key Vault with the above format, the import succeeds without any warnings or errors.
Sandeep G-MSFT 21,136 Reputation points Microsoft Employee Moderator

2024-10-10T04:35:11.7166667+00:00

@Lucian Hanga

Thank you for posting this in Microsoft Q&A.

I am looking into this issue and will get back to you post my research.
Mirjana Jovanovic 15 Reputation points

2024-12-03T07:31:59.1033333+00:00

@Lucian Hanga Hi Lucian!

I hit the exact same issue you described. I see you did not get any response here, so if you are still interested....

The problem is the key length ;)

If you read the Private certificate requirements carefully, you will see that the key has to be at least 2048 bits long: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2CRBAC#private-certificate-requirements

If you check out the key that was generated by your command, you will see that ECDSA is used and the key does not satisfy the requirement. You can find more info about the supported key types and available options in the crtbot documentation: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys

I generated a new certificate and passed --key-type rsa parameter to certbot and everything works as a charm. I can import the certificate to my app service.

The confusing part is that you can upload a certificate with the ECDSA key to the App Service from your local machine, but the exact same certificate cannot be imported from Key Vault.
Geoff Lee 20 Reputation points

2024-12-10T13:03:41.8366667+00:00

I can confirm I was experiencing the same issue, and the suggestion from @Mirjana Jovanovic (thanks!) solved it for us. Similarly, the EC cert works fine when imported directly into the web app.

This suggests the issue is with validating the key length when importing from key Vault - @Sandeep G-MSFT , could MS confirm whether this is now a known issue that will be addressed?

1 answer

Your answer

Lucian Hanga 25 Reputation points

2024-10-01T15:48:49.39+00:00

I attempted the same setup, but this time I used Access Policies instead of RBAC. I provided the necessary Access Policies for LIST and GET permissions on Keys, Secrets, and Certificates to the Microsoft Azure App Service Principal. However, I encountered the same error:
An error has occurred—just like with RBAC.

Now, I see two possible explanations:

The certificate imported into the Key Vault is handled differently by the App Service compared to when it's imported directly into the App Service. Perhaps the certificate I imported into the Key Vault is not correctly formatted for Key Vault storage.

There is a current issue with importing a certificate from Key Vault into an App Service.

Applying Occam's Razor, I would lean toward option 1. This brings me back to the code I shared in my original question for preparing the certificate for import:

openssl pkcs12 \ -export \ -out ./cert.pfx \ -in ./fullchain.pem \ -inkey ./privkey.pem \ -passout pass:test123

This works fine when I import the certificate directly into the App Service. That much is clear.

How should I properly encode the certificate for correct import into Key Vault? I should also mention that when importing the certificate into Key Vault with the above format, the import succeeds without any warnings or errors.
Sandeep G-MSFT 21,136 Reputation points Microsoft Employee Moderator

2024-10-10T04:35:11.7166667+00:00

@Lucian Hanga

Thank you for posting this in Microsoft Q&A.

I am looking into this issue and will get back to you post my research.
Mirjana Jovanovic 15 Reputation points

2024-12-03T07:31:59.1033333+00:00

@Lucian Hanga Hi Lucian!

I hit the exact same issue you described. I see you did not get any response here, so if you are still interested....

The problem is the key length ;)

If you read the Private certificate requirements carefully, you will see that the key has to be at least 2048 bits long: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2CRBAC#private-certificate-requirements

If you check out the key that was generated by your command, you will see that ECDSA is used and the key does not satisfy the requirement. You can find more info about the supported key types and available options in the crtbot documentation: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys

I generated a new certificate and passed --key-type rsa parameter to certbot and everything works as a charm. I can import the certificate to my app service.

The confusing part is that you can upload a certificate with the ECDSA key to the App Service from your local machine, but the exact same certificate cannot be imported from Key Vault.
Geoff Lee 20 Reputation points

2024-12-10T13:03:41.8366667+00:00

I can confirm I was experiencing the same issue, and the suggestion from @Mirjana Jovanovic (thanks!) solved it for us. Similarly, the EC cert works fine when imported directly into the web app.

This suggests the issue is with validating the key length when importing from key Vault - @Sandeep G-MSFT , could MS confirm whether this is now a known issue that will be addressed?

Answer 1

Sina Salam 28,361 Volunteer Moderator

Hello Lucian Hanga,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having Let's Encrypt Certificate with Key Vault and Azure App Service Import Issues.

ECC/ECDSA certs cannot be imported from Key Vault into App Service. Though it worked with App Service when uploaded as a PFX - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

The best practice if you need Key Vault > App Service auto‑sync: use RSA (PFX). RSA‑2048 is the standard and widely compatible, RSA‑3072/4096 also work if you prefer stronger keys. - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate If you must use ECDSA end‑to‑end, upload the ECDSA PFX directly to App Service (not from Key Vault), since upload is supported even though Key Vault import isn’t. - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Sina Salam 28,361 Reputation points Volunteer Moderator

2026-03-31T17:50:40.05+00:00
Hello @Lucian Hanga

Thank you for your feedback.

Kindly follow the below steps to resolve the issues:

Step 1: Let’s Encrypt supports RSA certificates. Generate RSA key with Certbot:
certbot certonly \ --dns-<your-dns-provider> \ --key-type rsa \ --rsa-key-size 2048 \ -d example.com -d '*.example.com'
The key part is --key-type rsa - this ensures compatibility with App Service via Key Vault.

Step 2: Convert to PFX
openssl pkcs12 \ -export \ -out cert-rsa.pfx \ -in fullchain.pem \ -inkey privkey.pem \ -passout pass:YourStrongPass

Step 3: Import to Azure Key Vault
az keyvault certificate import \ --vault-name MyVault \ --name MyCert \ --file cert-rsa.pfx \ --password YourStrongPass

Step 4: Assign Permissions Ensure App Service Managed Identity has:

Key Vault Certificate User

Key Vault Secrets User

Step 5: Bind to App Service, use Portal, CLI, or Terraform:
resource "azurerm_app_service_certificate_binding" "binding" { hostname_binding_id = azurerm_app_service_custom_hostname_binding.example.id certificate_id = azurerm_key_vault_certificate.mycert.id ssl_state = "SniEnabled" }

Step 6: Automate Renewal & Deployment

Option A - Use ACMEbot (Recommended): Use keyvault-acmebot GitHub project to automate Let’s Encrypt issuance and store certificates directly in Key Vault. This supports automation without manual conversion.

Option B - Terraform + Certbot + CI/CD: Use Terraform ACME provider to generate RSA cert, Upload to Key Vault via Terraform, and use Terraform to bind to App Service.

Hope this is more clearer.

Cheers.

Share via

Let's Encrypt Certificate with Key Vault and Azure App Service Import Issues

1 answer

Your answer