Does an auto renewing App Service Certificate also update the certificate's KeyVault secret?

Question

Does an auto renewing App Service Certificate also update the certificate's KeyVault secret?

TomA 0

I have a wild card App Service Certificate which has auto-renewed this week. I can see that the linked private certificates haven't yet been sync'd with the new thumbprint of the certificate but as I understand it from reading the documentation, these should get sync'd when the certificate's secret in key vault is updated.
User's image

When I look at the secret in Key Vault I can see that the current version has an expiry date which matches the previous cert's expiry date

User's image

My question is, do I need to do anything here or will a new version of this secret be created automatically and my private linked certificates be sync'd automatically?

Divyesh Govaerdhanan 6,400 Reputation points

2025-02-21T02:45:45.8966667+00:00
Hello,

Welcome to Microsoft Q&A,

When your Azure App Service Certificate auto-renews, Azure manages the renewal process, including updating the certificate stored in Azure Key Vault and syncing it with your associated App Services. https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

Automatic Renewal and Sync Process:

Key Vault Update: Upon auto-renewal, Azure updates the certificate in Key Vault with a new version. This new version has an updated expiry date, reflecting the renewal.

App Service Sync: Azure automatically syncs the renewed certificate from Key Vault to your App Service apps. This sync process typically occurs within 24 hours of the certificate's renewal.

Manual Sync (If Necessary):

If you notice that the renewed certificate hasn't propagated to your App Service after 24 hours, you can initiate a manual sync:

Access App Service Certificates:

In the Azure portal, go to App Service Certificates.

Select your certificate from the list.

Initiate Sync:

Click on "Rekey and Sync" in the left-hand menu.

Then, select "Sync" to manually synchronize the renewed certificate with your App Service.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate

Please Upvote and Accept the answer if it helps!!
TomA 0 Reputation points

2025-02-21T10:09:23.8966667+00:00
double post
TomA 0 Reputation points

2025-02-21T10:39:19.1466667+00:00

Thanks for this. I tried a manual sync as outlined in your post and while I got a notification saying that the linked certificates had been sync'd, they still show as out of sync with the previous version of the certificate's thumbprint. I also noticed that the secret in Key Vault does not have a new version either so I'm guessing that is the root of the problem here?
Divyesh Govaerdhanan 6,400 Reputation points

2025-02-21T13:26:57.4266667+00:00
Thank you for keeping us posted, Could you please confirm the Status of the wildcard certificate?

In the App Service Certificates.

Locate your wildcard certificate and check:

Status: It should be "Issued" or "Valid", not "Pending Renewal."

Expiration Date: Ensure that it reflects the new renewal period and started.
TomA 0 Reputation points

2025-02-21T15:54:11.1533333+00:00

My certificate status is "Issued" with an expiry date of March 2026
Laxman Reddy Revuri 5,405 Reputation points Microsoft External Staff Moderator

2025-02-25T09:48:22.0166667+00:00

Hi @TomA
Since your certificate status is "Issued" with an expiry date of March 2026, it confirms that the renewal was successful. However, since Key Vault secret hasn't updated, the new certificate isn't propagating to your App Services.

1.Go to Azure Portal → Key Vault

Navigate to Secrets → Find your certificate

Click on it and check the versions

If only the old version exists, then Key Vault has not received the update.

2.Check If the Key Vault Secret Updates

Go back to Key Vault → Secrets and refresh

If a new version appears, your App Service should now sync with the updated certificate

If no new secret appears even after "Rekey and Sync," you may need to:

Check Key Vault Activity Logs for any errors.

Manually import the renewed certificate into Key Vault as a workaround.
references:
https://learn.microsoft.com/en-us/azure/key-vault/certificates/overview-renew-certificate?tabs=azure-portal
Laxman Reddy Revuri 5,405 Reputation points Microsoft External Staff Moderator

2025-02-26T11:58:17.3133333+00:00

Hi @TomA
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
TomA 0 Reputation points

2025-02-26T16:51:47.0266667+00:00

Sorry for the lack of a reply, I just got back into the office today. I have had a look and don't see anything in the Key Vault activity logs and no new secret appears after a sync so I think I am going to have to manually import it into the Key Vault. I have backed up the current certificate secret and will remove the secret tomorrow and go through the steps to re-add and resync that and see what happens.
TomA 0 Reputation points

2025-02-27T11:26:40.79+00:00

I have tried completely rekeying and sync'ing the certificate and can see it issue a new cert (the thumbprint on the app service certificate changes), but still doesn't seem to update the key vault secret.

Since the last time the certificate was renewed, we switched the key vault over from using Access Policies over to Access control (IAM) and I wonder if that has broken the ability for the app service certificate to update the secret?

2 answers

Your answer

Divyesh Govaerdhanan 6,400 Reputation points

2025-02-21T02:45:45.8966667+00:00

Hello,

Welcome to Microsoft Q&A,

When your Azure App Service Certificate auto-renews, Azure manages the renewal process, including updating the certificate stored in Azure Key Vault and syncing it with your associated App Services. https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

Automatic Renewal and Sync Process:

Key Vault Update: Upon auto-renewal, Azure updates the certificate in Key Vault with a new version. This new version has an updated expiry date, reflecting the renewal.

App Service Sync: Azure automatically syncs the renewed certificate from Key Vault to your App Service apps. This sync process typically occurs within 24 hours of the certificate's renewal.

Manual Sync (If Necessary):

If you notice that the renewed certificate hasn't propagated to your App Service after 24 hours, you can initiate a manual sync:

Access App Service Certificates:

In the Azure portal, go to App Service Certificates.

Select your certificate from the list.

Initiate Sync:

Click on "Rekey and Sync" in the left-hand menu.

Then, select "Sync" to manually synchronize the renewed certificate with your App Service.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate

Please Upvote and Accept the answer if it helps!!
TomA 0 Reputation points

2025-02-21T10:09:23.8966667+00:00

double post
TomA 0 Reputation points

2025-02-21T10:39:19.1466667+00:00

Thanks for this. I tried a manual sync as outlined in your post and while I got a notification saying that the linked certificates had been sync'd, they still show as out of sync with the previous version of the certificate's thumbprint. I also noticed that the secret in Key Vault does not have a new version either so I'm guessing that is the root of the problem here?
Divyesh Govaerdhanan 6,400 Reputation points

2025-02-21T13:26:57.4266667+00:00

Thank you for keeping us posted, Could you please confirm the Status of the wildcard certificate?

In the App Service Certificates.

Locate your wildcard certificate and check:

Status: It should be "Issued" or "Valid", not "Pending Renewal."

Expiration Date: Ensure that it reflects the new renewal period and started.
TomA 0 Reputation points

2025-02-21T15:54:11.1533333+00:00

My certificate status is "Issued" with an expiry date of March 2026
Laxman Reddy Revuri 5,405 Reputation points Microsoft External Staff Moderator

2025-02-25T09:48:22.0166667+00:00

Hi @TomA
Since your certificate status is "Issued" with an expiry date of March 2026, it confirms that the renewal was successful. However, since Key Vault secret hasn't updated, the new certificate isn't propagating to your App Services.

1.Go to Azure Portal → Key Vault

Navigate to Secrets → Find your certificate

Click on it and check the versions

If only the old version exists, then Key Vault has not received the update.

2.Check If the Key Vault Secret Updates

Go back to Key Vault → Secrets and refresh

If a new version appears, your App Service should now sync with the updated certificate

If no new secret appears even after "Rekey and Sync," you may need to:

Check Key Vault Activity Logs for any errors.

Manually import the renewed certificate into Key Vault as a workaround.
references:
https://learn.microsoft.com/en-us/azure/key-vault/certificates/overview-renew-certificate?tabs=azure-portal
Laxman Reddy Revuri 5,405 Reputation points Microsoft External Staff Moderator

2025-02-26T11:58:17.3133333+00:00

Hi @TomA
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
TomA 0 Reputation points

2025-02-26T16:51:47.0266667+00:00

Sorry for the lack of a reply, I just got back into the office today. I have had a look and don't see anything in the Key Vault activity logs and no new secret appears after a sync so I think I am going to have to manually import it into the Key Vault. I have backed up the current certificate secret and will remove the secret tomorrow and go through the steps to re-add and resync that and see what happens.
TomA 0 Reputation points

2025-02-27T11:26:40.79+00:00

I have tried completely rekeying and sync'ing the certificate and can see it issue a new cert (the thumbprint on the app service certificate changes), but still doesn't seem to update the key vault secret.

Since the last time the certificate was renewed, we switched the key vault over from using Access Policies over to Access control (IAM) and I wonder if that has broken the ability for the app service certificate to update the secret?

Answer 1

I was able to solve this - I suspected that the service used by the app service certificate renewal didn't have permissions to update the key vault secret and turns out I was correct.

To solve the issue, I had to grant secret list, read and write permissions to Microsoft.Azure.CertificateRegistration (principle id f3c21649-0979-4721-ac85-b0216b2cf413). Once I did that, when I rekeyed the certificate, the secret value was updated with the new cert and the manual sync resolved the linked app service private certificates.

Answer 2

Hi @TomA

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue :

The App Service Certificate has renewed automatically, but the secret in Key Vault hasn’t been updated with the new certificate and the linked private certificates still show the old thumbprint.

Solution :

To solve the issue, I had to grant secret list, read and write permissions to Microsoft.Azure.CertificateRegistration

Assign List, Read, and Write permissions on the Key Vault to Microsoft.Azure.CertificateRegistration (Principal ID: f3c21649-0979-4721-ac85-b0216b2cf413).
Rekey the certificate to update the secret with the new certificate.
Manually sync to update the linked private certificates in the App Service.

Please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefited from it.

Share via

Does an auto renewing App Service Certificate also update the certificate's KeyVault secret?

2 answers

Your answer