Renewing Certificates stored in KeyVault using the App Service Certificate before the expiry date with no outage?

EnterpriseArchitect 5,516 Reputation points
2024-11-25T05:23:12.5266667+00:00

I need your help and clarification regarding Replacing and updating the KeyVault stored Wildcard SSL Certificate with the new Azure App Service Certificate.

The existing wildcard Azure App Service Certificate is saved or exported to Azure Key Vault; however, when I check from the App Service Certificate | Export Certificate page and then click the Open Key Vault Secret link, the CURRENT VERSION certificate thumbprint is not the same.

What are the steps and the procedure I must follow to avoid outage and downtime when replacing the certificate above before the expiry date?

Any help would be greatly appreciated.


Accepted answer
  1. Bhasker Donthu 940 Reputation points Microsoft Vendor
    2024-11-26T07:55:45.0733333+00:00

    Hello @EnterpriseArchitect,

    Thank you for posting your query on Microsoft Q&A.

    Correct my understanding of your ask: you want to replace the wildcard SSL certificate stored in Key Vault with the Azure App Service Certificate.
    Before providing the solution, I want to know more details on the points below.
    1. Was the existing certificate purchased as an Azure App Service Certificate, and was auto-renewal enabled? If so, you can reuse the same certificate.

    2. You mentioned that the existing wildcard Azure App Service Certificate is saved or exported to Azure Key Vault and that, on the App Service Certificate | Export Certificate page, when you click the Open Key Vault Secret link, the CURRENT VERSION certificate thumbprint does not match. Could you provide screenshots for clarity?

    Additionally, here are a few steps to avoid downtime:

    1. Purchase the certificate from Azure App Service Certificate.
    2. To start the process, select Rekey. This process can take 1-10 minutes to complete.
    3. You might also be required to reconfirm domain ownership. For more info, please refer to https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal
    4. After the rekey operation completes, select Sync.
    5. Upload it to Key Vault.
    6. Verify the certificate binding:
    • Ensure that the new certificate is correctly bound to your App Service.
    • Check the certificate thumbprint to confirm it matches the new certificate.

    7. Monitor and validate:

    • Monitor your application to ensure there are no issues with the new certificate.
    • Validate that the new certificate is being used by accessing your application and checking the certificate details in the browser.

    8. Once you have confirmed that the new certificate is working correctly, you can remove the old certificate version from Key Vault to avoid confusion.

    For more details, please refer to https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2CRBAC

    1 person found this answer helpful.
