Import certificates from Azure Key Vault to Azure Container Apps

You can use Azure Key Vault to centrally manage Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates for your container app. Key Vault can handle certificate updates, renewals, and monitoring.

This article shows you how to import a Key Vault certificate into an Azure Container Apps environment.

Prerequisites

• A Key Vault resource
• A certificate stored in your key vault

For steps to create a key vault and add a certificate, see Import a certificate in Azure Key Vault or Configure certificate autorotation in Key Vault.

Exceptions

Container Apps supports most certificate types. But there are a few exceptions to keep in mind:

• Elliptic Curve Digital Signature Algorithm (ECDSA) p384 and p521 certificates aren't supported.
• If you want to use an Azure App Service certificate, you need to use the Azure CLI to import it from Key Vault into Container Apps. This article shows you how to use the Azure portal to import a certificate. But you can't use the Azure portal to import App Service certificates, due to how these certificates are saved in Key Vault.

Enable managed identity for your Container Apps environment

Container Apps uses an environment-level managed identity to access your key vault and import your certificate. You can use a system-assigned identity or a user-assigned identity for this purpose. To use a system-assigned managed identity, follow these steps:

1. Go to the Azure portal, and then go to the Container Apps environment that you want to import a certificate into.

2. Select Settings > Identity.

3. On the System assigned tab, turn on the Status switch.

4. Select Save. When the Enable system assigned managed identity window appears, select Yes.

5. Under Permissions, select Azure role assignments to open the role assignments window.

6. Select Add role assignment, and then select the following values:

   Property	Value
   Scope	Key Vault
   Subscription	Your Azure subscription
   Resource	Your key vault
   Role	Key Vault Secrets User

7. Select Save.

Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC) and a legacy access policy model. For detailed information about the two systems, see Azure role-based access control (Azure RBAC) vs. access policies (legacy).

Import a certificate from Key Vault

To import a certificate from Key Vault into your container app environment, take the steps in the following sections.

Initiate the process

1. In the Azure portal, go to your container app environment.

2. Select Settings > Certificates.

3. Go to the Bring your own certificates (.pfx) tab.

4. Select Add certificate.

Add the certificate

1. In the Add certificate dialog, next to Source, select Import from Key Vault.

2. Select Select key vault certificate, and then select the following values:

   Property	Value
   Subscription	Your Azure subscription
   Key vault	Your key vault
   Certificate	Your certificate

   Note

   If an error message appears that says, "The operation 'List' is not enabled in this key vault's access policy," you need to configure an access policy in your key vault to allow your user account to list certificates. For more information, see Assign a Key Vault access policy (legacy).

3. Select Select.

4. In the Add certificate dialog, next to Managed identity, select System assigned. If you're using a user-assigned managed identity, select your user-assigned managed identity instead.

5. Select Add.

Configure a custom domain

After you configure your certificate, you can use it to help secure your custom domain. Follow the steps in Add a custom domain and certificate, and select the certificate you imported from Key Vault.

Rotate certificates

When you rotate your certificate in Key Vault, Container Apps automatically updates the certificate in your environment. It takes up to 12 hours for the new certificate to be applied.

Next step