Using Key Vault for a backend root cert in Application Gateway

Eric Hodges 46 Reputation points
2022-02-22T21:47:40.78+00:00

I am setting up an Application Gateway that uses TLS on the backend to talk to members of a VM Scale Set. I have this all in a bicep template and it works - I pass the root certificate into the template as a parameter. However, I would rather keep the certificate in a Key Vault instead of passing it in like this. I notice that in the App Gateway declaration, the trustedRootCertificates object will take a Properties parameter named "keyVaultSecretId". This implies to me that it should work to retrieve the trusted root certificate from Key Vault.

However, it does not seem that I can import a certificate without a private key into KV. (Indeed, the FAQ says you cannot.) So how do I make use of the keyVaultSecretId? Do I create a Secret in the KV rather than a Certificate, with the base64 public key as the Value?

Thanks,
Eric


1 answer

  1. Eric Hodges 46 Reputation points
    2022-02-23T13:58:26.81+00:00

    I was able to get this working. In order to use a keyvault for the backend root certificate:

    1. Put the public key in a keyvault as the value of a Secret (not a Certificate). No header, footer, or line breaks.
    2. In your App Gateway template, insert a trustedRootCertificates block, and in Properties, use the keyVaultSecretId key. Its value will be the full path to the secret (https://<keyvaulturl>/secrets/<secretname>).
    3. Reference the above in the backendHTTPSettingsCollection portion of the App Gateway.
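The three steps above as a Bicep fragment (added example, not code from the original post). The vault, secret and gateway names, the API version, and the user-assigned identity that the gateway uses to read the secret are assumptions; the sku, IP configuration, listener and rule properties an App Gateway also needs are left out.

```bicep
// Step 1 happens outside the template; the secret value is the PEM body only, e.g.:
//   az keyvault secret set --vault-name kv-example --name backend-root-ca \
//     --value "$(sed '/-----/d' root.pem | tr -d '\n')"
param location string = resourceGroup().location
param keyVaultName string = 'kv-example'          // assumed existing vault
param rootSecretName string = 'backend-root-ca'   // assumed secret holding the root CA
param appGwIdentityId string                       // assumed user-assigned identity resource id;
                                                   // it needs Get on secrets (or Key Vault Secrets User)
var appGwName = 'appgw-example'
var rootCertName = 'backendRootCa'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {
  name: appGwName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${appGwIdentityId}': {}
    }
  }
  properties: {
    // sku, gatewayIPConfigurations, frontend, listener and rule settings omitted
    // Step 2: the trusted root pulled from Key Vault by secret id (vaultUri ends with '/')
    trustedRootCertificates: [
      {
        name: rootCertName
        properties: {
          keyVaultSecretId: '${keyVault.properties.vaultUri}secrets/${rootSecretName}'
        }
      }
    ]
    // Step 3: the HTTPS backend settings reference that trusted root by resource id
    backendHttpSettingsCollection: [
      {
        name: 'https-settings'
        properties: {
          port: 443
          protocol: 'Https'
          cookieBasedAffinity: 'Disabled'
          // the backend cert's subject/SAN must match the host name the gateway sends
          pickHostNameFromBackendAddress: true
          trustedRootCertificates: [
            {
              id: resourceId('Microsoft.Network/applicationGateways/trustedRootCertificates', appGwName, rootCertName)
            }
          ]
        }
      }
    ]
  }
}
```

Leaving the secret id unversioned lets the gateway pick up a rotated root CA on its next poll; pinning a version makes the rotation an explicit redeploy.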