Azure Web App and Key Vault Certificate

Question

Azure Web App and Key Vault Certificate

Adam Marshall 20

I have multiple Windows web apps across multiple App Service plans, referencing a wildcard certificate in a Key Vault.

On the original web app that imported the certificate the first time, the web app picks up new certificates once they are expired and renewed.

In the custom domain, I can see the web app that does auto rotate expired certificates references the KeyVault certificate name, but the other web apps only reference the Thumbprint.

User's image

However, on the web apps that have manually referenced the certificate by the Thumbprint when binding (the cert cannot be "imported" again to the same App Service plan as the thumbprint cert already exists), then the keyvault rotation does not automatically update those web apps.

User's image

There doesn't appear to be any way to actually link these other web apps to use the "keyvault linked certificate'.

Why are these web apps not automatically updated to use the new certificate when it is uploaded into the Key Vault?

Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-04-27T22:52:48.09+00:00

Hi @Adam Marshall , after you add a private certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a webspace. That way, the certificate is accessible to other apps in the same resource group, region, and OS combination. Private certificates uploaded or imported to App Service are shared with App Services in the same deployment unit. Reference: Private certificate requirements.

Do your web apps use the same resource group, region, and OS combination with the web app that imported the certificate from Key Vault?
AdamMarshall-3683 0 Reputation points

2025-04-27T23:18:50.4566667+00:00

@Silvia Wibowo Yes, of course, as I mentioned, it is in the same App Service plan as another web app that has already imported the certificate, so trying to Import it again results in an error:

I have to say, not have a Microsoft support engineer being able to directly look into my Azure subscription and help via an Azure Support Ticket is extremely difficult and makes it so much more difficult to explain the issue going on.
Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-04-27T23:56:24.6666667+00:00
Hi @Adam Marshall , after the certificate renews in your key vault, App Service automatically syncs the new certificate and updates any applicable certificate binding within 24 hours.

I understand that this does not happen for your other web apps. Could you please check whether you can sync manually, with these steps:

Go to your app's Certificate page.

Under Bring your own certificates (.pfx), select the ... button for the imported key vault certificate, and then select Sync.
Adam Marshall 20 Reputation points

2025-04-28T00:13:33.36+00:00

@Silvia Wibowo That is the problem, webapp2 does not allow it to link to a key vault certificate. There isn't any Sync option available for that app.

Webapp 1 (originally imported the key vault cert to the App Service Plan):

Web app 2, in the same App Service Plan, so cannot import:

It only has the reference to the Thumbprint certificate directly, as opposed to the "magic keyvault link" that doesn't appear to be specified in the ARM template at all.

Is there a powershell command that I can use to set the domain custom binding to reference the "key vault link" or something, instead of directly referencing the thumbprint id?

I suspect this issue is easily reproducible:

Create two web apps in the same App Service plan; import a Key vault certificate to web app 1 and then try to reference the same keyvault certificate in web app 2.

Ensure the Sync button available in web app 2.
Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-04-28T00:19:12.49+00:00

Hi @Adam Marshall , I saw from your screenshot that web app 2 already has the new certificate (expiration date 27/04/2026). Did you manually add that certificate or was it automatically added after certificate renewal?
Adam Marshall 20 Reputation points

2025-04-28T00:34:24.1833333+00:00

@Silvia Wibowo The certificate is already added to the App Service Plan, as a result of importing the certificate into Web App 1.

The screen shot you can see does not list certificates on a "per web app" basis, but on an "App Service Plan" basis.

The expired one is still in the App Service Plan, web app 2 has not been manually bound to the updated certificate auto imported from web app 1 sync.

FYI I have 5+ apps using referencing this wildcard certificate, some I have had to manually bind the custom domain to the new certificate thumbprint as it created production downtime, but I still have one web app referencing the expired certificate.

The only app that has the "Sync" button is Web app 1, all the others do not have it, and appear to be "manually bound" to the certificate thumbprint, as opposed to being Key Vault linked.

Accepted answer

0 additional answers

Your answer

Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-04-27T22:52:48.09+00:00

Hi @Adam Marshall , after you add a private certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a webspace. That way, the certificate is accessible to other apps in the same resource group, region, and OS combination. Private certificates uploaded or imported to App Service are shared with App Services in the same deployment unit. Reference: Private certificate requirements.

Do your web apps use the same resource group, region, and OS combination with the web app that imported the certificate from Key Vault?
AdamMarshall-3683 0 Reputation points

2025-04-27T23:18:50.4566667+00:00

@Silvia Wibowo Yes, of course, as I mentioned, it is in the same App Service plan as another web app that has already imported the certificate, so trying to Import it again results in an error:

I have to say, not have a Microsoft support engineer being able to directly look into my Azure subscription and help via an Azure Support Ticket is extremely difficult and makes it so much more difficult to explain the issue going on.
Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-04-27T23:56:24.6666667+00:00

Hi @Adam Marshall , after the certificate renews in your key vault, App Service automatically syncs the new certificate and updates any applicable certificate binding within 24 hours.

I understand that this does not happen for your other web apps. Could you please check whether you can sync manually, with these steps:

Go to your app's Certificate page.

Under Bring your own certificates (.pfx), select the ... button for the imported key vault certificate, and then select Sync.
Adam Marshall 20 Reputation points

2025-04-28T00:13:33.36+00:00

@Silvia Wibowo That is the problem, webapp2 does not allow it to link to a key vault certificate. There isn't any Sync option available for that app.

Webapp 1 (originally imported the key vault cert to the App Service Plan):

Web app 2, in the same App Service Plan, so cannot import:

It only has the reference to the Thumbprint certificate directly, as opposed to the "magic keyvault link" that doesn't appear to be specified in the ARM template at all.

Is there a powershell command that I can use to set the domain custom binding to reference the "key vault link" or something, instead of directly referencing the thumbprint id?

I suspect this issue is easily reproducible:

Create two web apps in the same App Service plan; import a Key vault certificate to web app 1 and then try to reference the same keyvault certificate in web app 2.

Ensure the Sync button available in web app 2.
Silvia Wibowo 5,871 Reputation points Microsoft Employee Moderator

2025-04-28T00:19:12.49+00:00

Hi @Adam Marshall , I saw from your screenshot that web app 2 already has the new certificate (expiration date 27/04/2026). Did you manually add that certificate or was it automatically added after certificate renewal?
Adam Marshall 20 Reputation points

2025-04-28T00:34:24.1833333+00:00

@Silvia Wibowo The certificate is already added to the App Service Plan, as a result of importing the certificate into Web App 1.

The screen shot you can see does not list certificates on a "per web app" basis, but on an "App Service Plan" basis.

The expired one is still in the App Service Plan, web app 2 has not been manually bound to the updated certificate auto imported from web app 1 sync.

FYI I have 5+ apps using referencing this wildcard certificate, some I have had to manually bind the custom domain to the new certificate thumbprint as it created production downtime, but I still have one web app referencing the expired certificate.

The only app that has the "Sync" button is Web app 1, all the others do not have it, and appear to be "manually bound" to the certificate thumbprint, as opposed to being Key Vault linked.

Answer 1

Hi @Adam Marshall , I've simulated your situation:

Created a Basic App Service Plan.
Created two App Services into the same App Service Plan: mywebapp-598764321 and mywebapp-698754321.
Created a certificate in Azure Key Vault.
Assign RBAC in Azure Key Vault: Authorize App Service to read from the vault.
From mywebapp-598764321, added certificate from Azure Key Vault.
Didn't do anything from mywebapp-698754321, I could see the certificate from Key Vault already listed under Certificate - Bring Your Own Certificate.

What I observed:

Certificate is listed under each of the web app. Both web apps have exactly the same view of the certificate. The second web app (mywebapp-698754321) also has "Sync" button on the certificate detail.
I tried creating a new version of the certificate and disable the old version. The web apps (mywebapp-598764321) did not pick up the new version automatically. I could click "Sync" from one web app (mywebapp-598764321 or mywebapp-698754321) and the other web app will pick up the new version of the certificate.
App Service Plan does not have any setting on Certificate. You need to select the App Service to set the certificate.

Is it possible for you to remove the certificate and add it again from one of the web apps? The other web apps using the same App Service Plan should pick it up automatically.

Mentioning below steps by Adam Marshall followed by Silvia Wibowo response that worked

I have migrated all of my production apps to use the Managed App Certificate, removed the wildcard cert from any staging slots and then deleted the previously imported Key vault cert.

I then imported the key vault certificate again, and made the staging slots reference the newly imported Key Vault certificate.

All the staging slots can see the key vault cert name and have the sync button.

What a strange issue, the original Key vault certificate was imported over 3 years ago, so maybe there was an issue at that point that didn't make the reference properly.

Adam Marshall 20 Reputation points

2025-04-28T22:39:28.3033333+00:00

@Silvia Wibowo I have migrated all of my production apps to use the Managed App Certificate, removed the wildcard cert from any staging slots and then deleted the previously imported Key vault cert.

I then imported the key vault certificate again, and made the staging slots reference the newly imported Key Vault certificate.

All the staging slots can see the key vault cert name and have the sync button.

What a strange issue, the original Key vault certificate was imported over 3 years ago, so maybe there was an issue at that point that didn't make the reference properly.

Thanks. This issue can be marked as Resolved.
Siva Nair 1,650 Reputation points Microsoft External Staff Moderator

2025-04-29T04:50:04+00:00

Hi Adam Marshall,

Thanks for confirming and glad that you got your issue resolved, please click Accept Answer and kindly upvote it for the last answer from Silvia Wibowo as you cannot accept your own answer, In addition to that am adding your helpful input as well which will collectively help other people who faces similar issue may get benefitted from it.Thanks!

Share via

Azure Web App and Key Vault Certificate

0 additional answers

Your answer