How to configure IIS to use a cert that is on KeyVault on Azure

Question

How to configure IIS to use a cert that is on KeyVault on Azure

Fergal Cassidy 1

I am running a VM on Azure that has IIS and two apps. The first is "Default Web Site" and is the one I am working on now. I bought a SSL cert from GoDaddy for the domain. (subdomain.site.com) and generated the cert from Azure KeyVault. I recieved the cert back and added it to the Vault successfully. I used the script below to add KeyVault to my server via the Azure CLI.

# Start the deployment
 az vm extension set --name "KeyVaultForWindows" `
 --publisher Microsoft.Azure.KeyVault `
 --resource-group "<resourcegroup>" `
 --vm-name "<vmName>" `
 --settings '{\"secretsManagementSettings\": { \"pollingIntervalInS\": \"3600\", \"certificateStoreName\": \"MY\", \"certificateStoreLocation\": \"LocalMachine\", \"observedCertificates\": [\" MY CERT LINK\", \" <observedCert2> \"] }}'

I filled in roughly what I used MY for cert store and LocalMachine for location. I then added the link to the end of the cert that was added successfully earlier.

This ran successfully with no errors. I now want to add this SSL cert to the bindings on IIS. After spending awhile trying to complete this I still have not been able to. The cert is on Vault and is valid. The vault seems to be linked with the cert in the settings and seems to be valid however there is still no cert showing up for the bindings

1 answer

Your answer

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Fergal Cassidy
Thank you for the detailed post!

Based off your issue, this sounds like it could be more of an IIS type issue since everything is working as expected from the Azure Key Vault side of things. When it comes to securing your web server I did find one document - Tutorial: Secure a web server on a Windows virtual machine in Azure with TLS/SSL certificates stored in Key Vault, that might help you with this issue. However, I'd also recommend waiting for our IIS team to take a look into this issue to see if they can provide any insights on this.

Feel free to share any screenshots, so our community can better troubleshoot this issue.
Thank you for your time and patience throughout this issue.

Fergal Cassidy 1 Reputation point

2021-08-18T12:27:08.923+00:00

Is there any way to refer it on to the IIS team?
Fergal Cassidy 1 Reputation point

2021-08-18T13:17:06.697+00:00

I've tried to go run through that tutorial and by the looks of things the script is in the MY store. I went into the VM via RDP after running the final script of the tutorial and it still isn't bound or showing as an option.
Fergal Cassidy 1 Reputation point

2021-08-18T13:30:16.437+00:00

GENERAL
Provisioning state Provisioning failed.
The secret retrieved from https://measuresoft-keyvault.vault.azure.net/secrets/xxx-SSLCERT/XXXXX is not a properly encoded Base64 string..
CertificateImproperlyFormatted

is the error received while trying to set the cert to the vm
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-08-18T18:19:56.323+00:00

@Fergal Cassidy
Thank you for following up on this!

Based off your error message - CertificateImproperlyFormatted, can you make sure that your certificate is correctly formatted. I also found some additional links that might help with troubleshooting this error message.

Additional Links:
Common virtual machine management errors
Logs and configuration Troubleshooting
az vm create --secrets fails with "not a properly encoded Base64 string

Additionally, if you'd like our support team to take a closer look into your environment and help troubleshoot this issue, please let me know.
Thank you for your time and patience throughout this issue.

Share via

How to configure IIS to use a cert that is on KeyVault on Azure

1 answer

Your answer