Application Gateway - Unable to use certificate from Vault

Paul Green 20 Reputation points
2025-03-26T14:38:10.86+00:00

Hello,

I'm really stuck trying to get my App Gateway to use a certificate from Vault. When I import (upload) the pfx file directly into the GW it's fine, but the exact same file uploaded to Vault never works. On the 'Listener TLS certificates' page it is listed, but the Status and Common Name fields are just a dash, and when I click the details menu all the important fields are empty - only the '/secret/' vault path and the managed identity values are set. There's no warning or error message at all. The same columns show the correct Status and Common Name for the uploaded/imported cert.

My vault was set up to use RBAC and a managed identity assigned the Key Vault Secrets User role, and the Gateway was set to use the identity. According to the MS docs (https://learn.microsoft.com/en-gb/azure/application-gateway/key-vault-certs) the GW should work in this way - with the caveat that to set up the link to the certificate you have to use cli/ps/bicep - which I did (the cert is listed).

The vault was on a private link but I also tried 'public' with no restrictions, so I don't think it's networking.

I also extracted the cert details from the vault to get the full details, and compared this with the working (GW-imported) cert using openssl to download it from the public domain - they are identical, i.e. the vault cert and the working (imported) one from the GW domain are the same. Once I switch the GW to use the Vault cert I just get back 'curl: (35) error:0A000458:SSL routines::tlsv1 unrecognized name' (when using curl).

I also switched off RBAC and used Vault Access Policy and granted all the permissions to the GW managed identity but this also did not work.

It feels like a permissions issue but I've tried RBAC and Access Policy modes and it just never works. There are no errors or warnings I can see.

I can continue with the uploaded certificate and not use vault, but I lose the auto-renew feature.

If anyone has any insights or tips into what could be wrong I'd very much appreciate it, as this has taken up days already!

Many thanks

Paul Green
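For readers following the same path (RBAC vault, user-assigned managed identity, certificate linked from the CLI because the portal cannot do it), here is an added example of the procedure as an Azure CLI script. It is not from the original post or from Microsoft's documentation; the resource group, gateway, vault, identity and certificate names, the local `cert.pfx` file and the `PFX_PASSWORD` variable are all assumed placeholders. The one piece that runs without Azure credentials is `versionless_secret_id`, which drops the trailing version segment from the Key Vault secret identifier so that the gateway's periodic poll can pick up renewed certificate versions:

```shell
#!/usr/bin/env bash
# Added example (not from the original question): link an Application Gateway
# listener certificate to a Key Vault certificate via a user-assigned managed
# identity and Azure RBAC. Every name below is an assumed placeholder.
set -euo pipefail

RG="${RG:-rg-appgw-example}"            # assumed resource group
GW="${GW:-appgw-example}"               # assumed gateway name
VAULT="${VAULT:-kv-appgw-example}"      # assumed Key Vault name
CERT_NAME="${CERT_NAME:-listener-cert}" # assumed certificate name in the vault
IDENTITY="${IDENTITY:-id-appgw-kv}"     # assumed user-assigned identity name
PFX_PASSWORD="${PFX_PASSWORD:-}"        # assumed: password of the local cert.pfx

# Strip the trailing 32-hex version segment from a Key Vault secret identifier:
#   https://v.vault.azure.net/secrets/name/<32 hex> -> https://v.vault.azure.net/secrets/name
# A versionless id lets the gateway's four-hourly poll pick up renewed versions;
# a pinned version would keep serving that one certificate.
versionless_secret_id() {
  local id="$1"
  if printf '%s' "$id" | grep -Eq '^https://[^/]+/secrets/[^/]+/[0-9a-f]{32}$'; then
    printf '%s\n' "${id%/*}"
  else
    printf '%s\n' "$id"
  fi
}

link_certificate() {
  # 1. Import the PFX as a Key Vault *certificate* (not a bare secret); the
  #    gateway reads it through the certificate's addressable secret.
  az keyvault certificate import --vault-name "$VAULT" --name "$CERT_NAME" \
     --file cert.pfx --password "$PFX_PASSWORD" -o none

  # 2. Grant the identity secret-read access on the RBAC vault and attach it to the gateway.
  local principal identity_id vault_id
  principal=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  identity_id=$(az identity show -g "$RG" -n "$IDENTITY" --query id -o tsv)
  vault_id=$(az keyvault show -n "$VAULT" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal" \
     --assignee-principal-type ServicePrincipal \
     --role "Key Vault Secrets User" --scope "$vault_id" -o none
  az network application-gateway identity assign -g "$RG" --gateway-name "$GW" \
     --identity "$identity_id" -o none

  # 3. Reference the certificate by its versionless secret id.
  local secret_id
  secret_id=$(versionless_secret_id \
    "$(az keyvault secret show --vault-name "$VAULT" --name "$CERT_NAME" --query id -o tsv)")
  az network application-gateway ssl-cert create -g "$RG" --gateway-name "$GW" \
     --name "${CERT_NAME}-kv" --key-vault-secret-id "$secret_id" -o none

  # 4. Confirm the gateway recorded the link (the served certificate only
  #    changes once the gateway has fetched it from the vault).
  az network application-gateway ssl-cert show -g "$RG" --gateway-name "$GW" \
     --name "${CERT_NAME}-kv" --query keyVaultSecretId -o tsv
}

# The Azure calls only run when explicitly requested with a logged-in az CLI.
if [ "${1:-}" = "--apply" ]; then
  link_certificate
fi
```

Run it as `./link-cert.sh --apply` after `az login`; step 4 prints the secret id the gateway stored, which should end in `/secrets/<name>` with no version suffix. What it cannot show is whether the gateway instances have actually pulled the certificate yet: the listener keeps presenting whatever it had until the next poll completes.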


Accepted answer
  1. Akhilesh Vallamkonda 13,700 Reputation points Microsoft External Staff
    2025-04-03T12:12:42.8233333+00:00

    Hi @Paul Green

    I understand that you are experiencing issues with your Application Gateway when trying to use a certificate from Azure Key Vault. When you import the .pfx file directly into the Gateway, it works fine. However, when you upload the same file to the Vault, it doesn't work and no error message is shown.
    After checking with the internal networking team, this is expected behavior: once the Application Gateway is configured to use Key Vault certificates, it retrieves the certificate from Key Vault and installs it locally for TLS termination. The instances poll Key Vault every four hours to check for a renewed version of the certificate. If an updated certificate is found, the TLS/SSL certificate associated with the HTTPS listener is automatically rotated. This ensures that the Application Gateway always uses the most up-to-date certificate for secure communication.

    I understand that immediate polling after a change to the gateway would provide a more transparent and reassuring experience for users, rather than waiting for up to four hours. It can be difficult to wait for the next polling interval to confirm that the changes have been applied successfully. Since this is a product limitation, I suggest you share your feedback on this in our feedback forum, which is closely monitored by our Product team.

    Reference documents: TLS termination with Key Vault certificates; Supported certificates

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.
