AppGateway V2 Certificate issue

Az_tech 21 Reputation points
2020-07-23T07:44:28.317+00:00

Hello,

I've deployed an application gateway in my subscription. All is working fine and I have several services published to the internet and linked with the backend. Right now I have a problem: I have a listener over HTTPS and the communication with the backend also has to be made over HTTPS, so I have to include a certificate inside "HTTP settings". I was trying to add the same certificate that I had uploaded to the listener, but checking the documentation, it seems that I have to upload the root certificate, and I've followed this guide:

https://learn.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication

But when I try to save the configuration, I get an error message similar to: "This certificate is not a trusted root certificate...". What is the problem? Do I have to add this certificate to some trusted certificate store in Azure?

Thank you very much.


Accepted answer
  1. GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
    2020-07-23T13:41:36.78+00:00

    Hello @Aztech-2268 ,

    To fix this, bundle the PFX to include the leaf, intermediate, and root cert (in that order) and put on the backend target.

    From:
    https://learn.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication#export-trusted-root-certificate-for-v2-sku
    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#trusted-root-certificate-mismatch

    For Application Gateway V2, a trusted root certificate is required to allow backend instances. The root certificate is a Base-64 encoded X.509 (.CER) format root certificate from the backend server certificates. You can export the public key from the TLS/SSL certificate for the backend certificate and then export the root certificate of the trusted CA from the public key in Base-64 encoded format to get the trusted root certificate. The intermediate certificate(s) should be bundled with the server certificate and installed on the backend server.

    If the back-end certificate is issued by a well-known certificate authority (CA), you can select the Use Well Known CA Certificate check box, and then you don't have to upload a certificate.

    Not having the intermediate bundled in the PFX can stop the "well known CA" option from working correctly.

    Try checking the intermediate certs on the backend cert. Here is an online tool for checking SSL certificates.
    An incorrectly bundled cert would show something like the one below:
    [image: incorrectly bundled certificate chain]

    A properly bundled cert would show something like the one below:
    [image: correctly bundled certificate chain]

    The order should be leaf, intermediate, root.
    The rebundled PFX can be put on the appgw listener (renew/replace the one that is there) and then put on the backend as well.

    How to rebundle the PFX manually to ensure it's in the right order:

    First, create a private.key from the PFX like so:
    openssl pkcs12 -in Certificate.pfx -nocerts -out private.key

    Then create a CER Bundle of the entire chain ensuring that they are bundled in the correct order:
    Creating a .pem with the Private Key and Entire Trust Chain
    https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

    Then recreate the PFX from the bundled CER and the private key from step 1.
    Create a PFX from the PEM like so:
    https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

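The rebundling procedure from the accepted answer, as an added shell example that is not from the thread or from Microsoft: it orders a chain leaf, intermediate, root, checks that order the way the screenshots above illustrate it, rebuilds the PFX around the leaf key with openssl, and exports the root alone as the Base-64 .CER the v2 HTTP setting asks for. The chain is constructed on the fly with throwaway keys; the filenames, the `changeit` password and the `check_chain_order` helper are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): order a chain leaf -> intermediate -> root,
# check that order, rebuild the PFX around the leaf key, and export the root alone
# as the Base-64 .CER the Application Gateway v2 HTTP setting asks for. The chain
# is constructed with throwaway keys so it runs offline; names and password are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_test_chain() {  # constructed: Example Root CA -> Example Intermediate CA -> leaf
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
}
# Succeeds only if each cert in the bundle is issued by the one right after it,
# i.e. the file really reads leaf, intermediate(s), root in that order.
check_chain_order() {
  bundle="$1"; parts="$(mktemp -d)"
  awk -v d="$parts" '/BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$bundle"
  count=$(grep -c 'BEGIN CERT' "$bundle"); i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$parts/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$parts/$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}
# Bundle in the right order, prove the chain verifies, rebuild the PFX, and export
# only the root: PEM is already Base-64 X.509, the .cer name is what the portal expects.
build_bundle() {
  cd "$WORK"
  cat leaf.pem int.pem root.pem > fullchain.pem
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null
  openssl pkcs12 -export -inkey leaf.key -in fullchain.pem -out bundled.pfx -passout pass:changeit
  openssl x509 -in root.pem -out root.cer
}

make_test_chain; build_bundle
cat "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/wrong.pem"  # root first: the mistake
check_chain_order "$WORK/fullchain.pem" && echo "fullchain.pem: leaf, intermediate, root - OK"
check_chain_order "$WORK/wrong.pem" || echo "wrong.pem: mis-ordered, rebundle it"
```

Upload `root.cer` in the HTTP setting and put `bundled.pfx` on the backend (and on the listener if you are replacing that certificate too); `check_chain_order` also works on a bundle extracted from an existing PFX with `openssl pkcs12 -nokeys`.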

2 additional answers

  1. Manish Jha 236 Reputation points
    2020-07-23T10:57:52.407+00:00

    Are you trying to do an end to end SSL or would you prefer to do the SSL termination at the Application gateway ?

    Are you trying to update the HTTP setting on the App Gateway and set it to HTTPS as shown in the attached image? If yes, could you please check and confirm that you are adding the correct root CA cert?

    For a TLS/SSL certificate to be trusted, that certificate of the backend server must be issued by a CA that's included in the trusted store of Application Gateway. If the certificate wasn't issued by a trusted CA (for example, if a self-signed certificate was used), users should upload the issuer's certificate to Application Gateway.
    [image: 13418-4.png]


  2. Az_tech 21 Reputation points
    2020-07-28T06:41:01.157+00:00

    Thank you very much to both, I've just solved my issue.