How to update TLS/SSL Certificate with no downtime?

Gregorio Montaño 251 Reputation points
2022-03-23T04:06:16.643+00:00

Hi,

Using this link as a related reference:
https://learn.microsoft.com/en-us/azure/application-gateway/renew-certificates

Current system (that is already working):

  1. Application gateway with (expiring) certificate uploaded
  2. Backend (Web server) TLS/SSL certificate with expiring certificate

Future system:

  1. Application gateway to renew expiring certificate and use the Key Vault to store the renewed certificate
  2. Backend (Web server) TLS/SSL certificate renewed

From the above, there are two changes that need to happen: updating the certificate at the application gateway and updating the one on the web server side. Is there an order in which the changes should be made? What are the steps I need to follow to update the TLS/SSL certificate without introducing any downtime?

Thanks for your help.

Azure Application Gateway

Accepted answer
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
2022-03-28T12:50:00.183+00:00

    Hello @Gregorio Montaño ,

    Thank you for the update.

    I understand that you would like to integrate your Application gateway with Keyvault for certificate management and would like to know how to implement the same without any downtime.

    I discussed this requirement with the backend team and below is the update from their end:

    If you rotate certificates in KeyVault, Application gateway will automatically pick up the change after 4 hours: TLS termination with Azure Key Vault certificates | Microsoft Learn

    If you need centralized certificate management for your backend services, Key Vault would be the way to go as well. However, management of your backend services needs to be done by you manually; there is nothing Application Gateway does to manage certificates for the backend service.
    Refer: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#import-a-certificate-from-key-vault

    Application Gateway Frontend -> Server Backend traffic is configured independently of Client -> Application Gateway Frontend; thus either order of changing the certificates is fine as long as proper configuration is maintained for both.

    However, as I mentioned before, there could be some impact while making the configuration changes with Key Vault, or in case of misconfiguration.
    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#investigating-and-resolving-key-vault-errors

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

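A post-rotation check for the two independent hops the accepted answer describes (client -> gateway listener, gateway -> backend), written as an added example for this thread rather than code from Microsoft or the answerer. It assumes the Azure CLI and openssl are installed and that RG, APPGW, LISTENER_CERT (the gateway's ssl-cert object name), KV, CERT_NAME, FRONTEND_HOST and BACKEND_HOST are exported placeholders for your own resources.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Verifies a Key Vault backed rotation on an
# Application Gateway without touching the listener itself. Placeholders (export
# before running): RG APPGW LISTENER_CERT KV CERT_NAME FRONTEND_HOST BACKEND_HOST
set -eu

# A secret id that ends in a version pins the gateway to that version; only the
# versionless form (.../secrets/<name>) is re-read by the gateway after rotation.
is_versionless_secret_id() {
  case "$1" in
    */secrets/*/*) return 1 ;;   # https://kv.vault.azure.net/secrets/name/<version>
    */secrets/*)   return 0 ;;
    *)             return 1 ;;
  esac
}

# Reduce an openssl "SHA1 Fingerprint=AB:CD:..." line, or Key Vault's hex
# thumbprint, to bare uppercase hex so the two can be compared (reads stdin).
norm_thumbprint() {
  sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'
}

# SHA-1 thumbprint of the leaf certificate an endpoint presents: host port sni
leaf_thumbprint() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | norm_thumbprint
}

check_rotation() {
  # 1. The listener must reference Key Vault without a version, otherwise the
  #    automatic pickup (up to 4 hours, per the answer) never happens.
  secret_id=$(az network application-gateway ssl-cert show -g "$RG" \
      --gateway-name "$APPGW" -n "$LISTENER_CERT" --query keyVaultSecretId -o tsv)
  is_versionless_secret_id "$secret_id" \
    || { echo "listener pins a version, update the reference too: $secret_id"; exit 2; }

  # 2. Compare what Key Vault holds with what each hop actually presents.
  #    The backend hop is managed by you, so it is checked separately.
  kv_tp=$(az keyvault certificate show --vault-name "$KV" -n "$CERT_NAME" \
      --query x509ThumbprintHex -o tsv | norm_thumbprint)
  fe_tp=$(leaf_thumbprint "$FRONTEND_HOST" 443 "$FRONTEND_HOST")
  be_tp=$(leaf_thumbprint "$BACKEND_HOST" 443 "$BACKEND_HOST")
  echo "key vault current : $kv_tp"
  echo "client -> gateway : $fe_tp"
  echo "gateway -> backend: $be_tp"
  [ "$fe_tp" = "$kv_tp" ] && echo "gateway already serves the new version" \
                          || echo "gateway still on the old version (pickup can take up to 4 h)"
}

case "${1:-}" in check) check_rotation ;; esac
```

Run it as `sh rotation-check.sh check` once the new version is in Key Vault, then again after the backend has been updated; a mismatch on the backend hop is yours to fix, not the gateway's.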

1 additional answer

Ussama Shaukat 1 Reputation point
2022-03-24T22:19:32.797+00:00
    1. Create the CSR.
    2. Submit it to DigiCert.
    3. Receive certificate file.
    4. Install your certificate on the server/website from which the CSR was generated.
    5. On the original website, replace the current certificate with the new certificate.
