Certificate auto-generation with TLS inspection in Azure Firewall Premium is not working

KN 45 Reputation points
2025-05-01T00:29:18.0833333+00:00

Hello,

I have enabled TLS inspection in Azure Firewall Premium.

I tried to automatically generate the TLS certificate required for TLS inspection from the Azure portal using the following as a reference:

https://learn.microsoft.com/en-us/azure/firewall/premium-certificates#certificate-auto-generation

As a result, Managed Identity and Key Vault were created without any problems, but the certificate was not displayed in Key Vault.

The access policy of Key Vault has the appropriate permissions, and the execution is performed by a user who has been granted owner permissions to the subscription, so the permissions required for execution seem to be fine.

Could you please help me investigate this?

Thanks


Accepted answer
  1. Suwarna S Kale 2,671 Reputation points
    2025-05-01T03:11:45.41+00:00

    Hello KN,

    Thank you for posting your question in the Microsoft Q&A forum. 

    When enabling TLS inspection in Azure Firewall Premium, the certificate auto-generation process should create both a managed identity and Key Vault resource, but the absence of the certificate in Key Vault suggests a deployment hiccup. First, verify the Azure Firewall’s managed identity has Key Vault Certificate Contributor and Secrets Officer roles, as portal-based permissions may not propagate correctly. 

    Check Activity Logs in both the Firewall and Key Vault resources for errors during certificate creation. Common issues include regional mismatches (ensure Key Vault and Firewall reside in the same region) or DNS resolution failures. If logs show success but the certificate remains missing, manually trigger a Firewall policy sync or recreate the TLS inspection configuration. 

    As a fallback, manually upload a CA certificate to Key Vault and link it to the Firewall policy. Ensure the certificate meets Azure’s requirements (root CA, RSA 2048+, and proper key usage flags). If problems persist, engage Microsoft Support with correlation IDs from the activity logs for deeper diagnostics. 


    If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 
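The manual fallback in the answer above and the role check KN asks about in the reply below can both be scripted. The following is an added example, not code from either poster or from Microsoft's documentation: it generates a CA certificate with OpenSSL that carries the CA and key-usage flags the answer mentions, verifies those flags and the RSA key size before anything is uploaded, exports an unencrypted PFX for Key Vault, and wraps the Azure CLI steps (certificate import, listing the managed identity's role assignments on the vault) in functions. The vault, certificate, identity, resource-group and scope names are placeholders; the `az` functions assume a logged-in Azure CLI and are only run when you call them.

```shell
#!/bin/sh
# Added example (not from the Q&A post or Microsoft docs). Generates a CA
# certificate for TLS inspection, checks its flags, and shows the Azure CLI
# steps for the manual fallback. Azure resource names below are placeholders.
set -eu

KV_NAME="${KV_NAME:-placeholder-keyvault}"       # Key Vault name (placeholder)
CERT_NAME="${CERT_NAME:-tls-inspection-ca}"      # certificate name in the vault
RG="${RG:-placeholder-rg}"                       # resource group of the identity
IDENTITY_NAME="${IDENTITY_NAME:-placeholder-id}" # firewall's managed identity
KV_SCOPE="${KV_SCOPE:-/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV_NAME}"

# Create a self-signed CA in directory $1: RSA 4096, CA:TRUE,
# keyUsage = digitalSignature, keyCertSign, cRLSign (all marked critical).
generate_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example TLS Inspection CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1825 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" >/dev/null 2>&1
}

# Return 0 only if $1 is a CA certificate with Certificate Sign usage and an
# RSA public key of at least 2048 bits; print the reason otherwise.
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "not a CA (CA:TRUE missing)"; return 1; }
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || { echo "keyCertSign missing"; return 1; }
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-unknown} bits"; return 1; }
  echo "ok: CA:TRUE, keyCertSign present, RSA ${bits}-bit"
}

# Bundle key + cert into an unencrypted PFX ($1/ca.pfx), which Key Vault
# can import with the private key attached.
export_pfx() {
  openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.crt" \
    -out "$1/ca.pfx" -passout pass: >/dev/null 2>&1
}

# Manual fallback from the accepted answer: import the PFX into Key Vault.
import_to_keyvault() {
  az keyvault certificate import --vault-name "$KV_NAME" --name "$CERT_NAME" --file "$1"
}

# Role check for the reply: show which roles the firewall's managed identity
# actually holds on the vault (empty output means no role assignments).
list_identity_roles() {
  principal=$(az identity show --resource-group "$RG" --name "$IDENTITY_NAME" \
    --query principalId -o tsv)
  az role assignment list --assignee "$principal" --scope "$KV_SCOPE" -o table
}

# Usage: sh tls-ca.sh run   (generates ./tls-inspection-ca/ca.crt and ca.pfx,
# then prints the verification result; no Azure calls are made)
if [ "${1:-}" = "run" ]; then
  generate_ca ./tls-inspection-ca
  check_ca_cert ./tls-inspection-ca/ca.crt
  export_pfx ./tls-inspection-ca
  echo "next: import_to_keyvault ./tls-inspection-ca/ca.pfx; list_identity_roles"
fi
```

Run `check_ca_cert` on any certificate before importing it: a certificate without `CA:TRUE` or without `keyCertSign` will be accepted by Key Vault but rejected by the firewall policy, so failing early on the workstation saves a round trip through the portal.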


1 additional answer

  1. KN 45 Reputation points
    2025-05-01T06:04:52.8266667+00:00

    Hello Suwarna S Kale,

    Thank you for your answer.

    I have checked the following, but it has not been resolved, so please continue.

    No roles were assigned to the automatically created managed identity.

    [User's image: screenshot attached]

    If I'm checking something different, please tell me the correct place.

    No errors were recorded in Activity Logs.

    I can import the certificate with OpenSSL and link it to the firewall policy, but I want to try the automatic certificate generation process.

    I recreated the TLS inspection configuration but it didn't work.

    Is there anything else I should check?

    Thanks

