Certificate addition/binding to an App service from a key vault fails

Yashas Manjunath 96 Reputation points
2025-03-25T12:49:12.6033333+00:00

I have a key vault with IAM set up. It has a Let's Encrypt certificate on it.
I also have an app service with a custom domain. I want to bind this certificate from the key vault to this app service. I go to "Bring your own certificate", then "Key Vault", and select the certificate from the drop-down. But after all this I get an internal error message and the action fails.

When I click on the error link it redirects me to a new tab, and this is the message that gets displayed:

{"error":{"code":"Unauthorized","message":"AKV10000: Request is missing a Bearer or PoP token."}}

I have gone through the MS documentation https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#import-a-certificate-from-key-vault and, as suggested, I have added the service principal Microsoft Azure App Service as a Key Vault Certificate User on the key vault.
My own user has the Key Vault Administrator role on the key vault.

(I am not sure if the step below is necessary.)
I even have a user-assigned managed identity on the app service which has the highest right, Key Vault Administrator, on the key vault.

With all of this I get an "an error has occurred" message. The only option that is a workaround for me is to manually upload the certificate from my local system and not use the key vault.


Accepted answer
Raja Pothuraju 20,570 Reputation points Microsoft External Staff
2025-03-27T16:00:29.38+00:00

Hello @Yashas Manjunath,

Thank you for connecting offline over the Teams call.

During our discussion, we observed that you were unable to add a certificate from Azure Key Vault to your App Service. Initially, you imported an elliptic curve cryptography (ECC) certificate into the Key Vault and tried to add that to your App Service.

To determine whether this issue was specific to the imported certificate or related to permissions affecting all certificates in Azure Key Vault, we conducted a test by generating a certificate directly from AKV. This certificate was successfully imported into your App Service without any issues.

Since Azure Key Vault is a global service that follows industry standards, it's important to note that elliptic curve (EC) keys are not typically used directly for encryption operations. ECC is primarily designed for key exchange (e.g., Elliptic Curve Diffie-Hellman, ECDH) and digital signatures (e.g., Elliptic Curve Digital Signature Algorithm, ECDSA).

As discussed, to resolve this issue, please switch the format of your certificate to a supported type, and you should be able to use it successfully in your App Service.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

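The following pre-flight script is an added example for this thread, not code from the question, the accepted answer or Microsoft. It turns the two things the thread established into checks that run before the import is attempted: the certificate's key type in the vault (the EC certificate failed, a vault-generated RSA certificate worked) and the RBAC assignment for the "Microsoft Azure App Service" service principal on the vault. The vault, resource group, app and certificate names are placeholders, and the rule that only an exportable RSA key is accepted is an assumption drawn from the accepted answer; the `az` commands, query paths (`policy.keyProperties.keyType`, `policy.keyProperties.exportable`) and the role name "Key Vault Certificate User" are real.

```shell
#!/bin/sh
# Added example for this thread (not the thread's own code).
# Pre-flight checks before `az webapp config ssl import`, so a certificate that
# App Service cannot consume is caught before the portal's generic error.
set -eu

VAULT="${VAULT:-my-vault}"   # placeholder: Key Vault name
RG="${RG:-my-rg}"            # placeholder: resource group of the App Service
APP="${APP:-my-app}"         # placeholder: App Service name
CERT="${CERT:-my-cert}"      # placeholder: certificate name inside the vault

# Pure decision rule (no Azure calls). Assumption from the accepted answer:
# App Service import from Key Vault works for RSA keys and failed for EC;
# the key must also be exportable so the PFX secret can be read.
# Returns 0 when the policy is usable, 1 otherwise.
keytype_supported() {
  key_type="$1"; exportable="$2"
  [ "$key_type" = "RSA" ] && [ "$exportable" = "true" ]
}

# Human-readable reason for a rejected policy ("ok" when it passes).
policy_problem() {
  key_type="$1"; exportable="$2"
  if [ "$key_type" != "RSA" ]; then
    echo "key type $key_type is not RSA; reissue the certificate with an RSA key"
  elif [ "$exportable" != "true" ]; then
    echo "private key is not exportable; App Service cannot read the PFX secret"
  else
    echo "ok"
  fi
}

# Live checks against Azure (needs `az login`); only runs when AZ_CHECK=1.
preflight() {
  vault_id=$(az keyvault show --name "$VAULT" --query id -o tsv)

  # 1. Key type and exportability come from the certificate policy, not the
  #    certificate object itself. Lowercase the boolean for a stable compare.
  key_type=$(az keyvault certificate show --vault-name "$VAULT" --name "$CERT" \
               --query policy.keyProperties.keyType -o tsv)
  exportable=$(az keyvault certificate show --vault-name "$VAULT" --name "$CERT" \
               --query policy.keyProperties.exportable -o tsv | tr 'A-Z' 'a-z')
  echo "certificate policy: $(policy_problem "$key_type" "$exportable")"

  # 2. On an RBAC vault the App Service resource provider principal, shown in
  #    Entra ID as "Microsoft Azure App Service", needs Key Vault Certificate
  #    User on the vault. The user's own roles do not substitute for it.
  sp_id=$(az ad sp list --display-name "Microsoft Azure App Service" \
            --query "[0].id" -o tsv)
  roles=$(az role assignment list --scope "$vault_id" --assignee "$sp_id" \
            --query "[].roleDefinitionName" -o tsv)
  rbac_ok=1
  case "$roles" in
    *"Key Vault Certificate User"*) rbac_ok=0; echo "rbac: ok" ;;
    *) echo "rbac: App Service principal lacks Key Vault Certificate User on $VAULT" ;;
  esac

  # 3. Import only when both checks pass; binding to the custom domain is a
  #    separate step (`az webapp config ssl bind`) once the import succeeds.
  if keytype_supported "$key_type" "$exportable" && [ "$rbac_ok" -eq 0 ]; then
    az webapp config ssl import --resource-group "$RG" --name "$APP" \
      --key-vault "$VAULT" --key-vault-certificate-name "$CERT"
  else
    echo "not importing: fix the problems above first"
  fi
}

if [ "${AZ_CHECK:-0}" = "1" ]; then
  preflight
fi
```

Run it as `AZ_CHECK=1 VAULT=... RG=... APP=... CERT=... sh preflight.sh` after `az login`. The decision rule is kept separate from the Azure calls so the policy check can be exercised without a subscription; if your vault still uses access policies instead of RBAC, step 2 does not apply and you would check the vault's access policies for the same principal instead.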