According to this post about Included CA Certificate List (search for "EC8A396C40F02EBC4275D49FAB1C1A5B67BED29A"), I should be able to use a certificate from Sectigo which is an ECC SSL using secp384r1 and SHA384 to import into Azure-CDN Key Vault. I can get a PFX key added to the vault, but when we try to have Azure-CDN use it, it says "Failed to update custom domain properties" "The private key is not RSA or it is unreadable. Only RSA private key is supported for BYOC to secure a custom domain."
I checked with Sectigo and they pointed me to this page Generate PFX file or P12 with OpenSSL, which simply confirmed that the commands I was already using were correct.
This is the command that I used to generate the Private Key and the CSR that was sent to Sectigo to generate a certificate:
openssl ecparam -name secp384r1 -genkey -noout -out ecc.mydomain.private.key && openssl req -new -out ecc.mydomain.csr -key ecc.mydomain.private.key -sha384 -subj "/C=XX/ST=XXXX/L=XXXXX/O=XXXXXXXX/CN=*.mydomain.com"
Once I download the IIS archive from Sectigo, I extract it and run this command to generate the PFX which includes the private key, certificate, intermediate certificate and passphrase:
openssl pkcs12 -export -out azure.pfx -inkey ecc.mydomain.private.key -in STAR_mydomain_com.crt -certfile My_CA_Bundle.ca-bundle
The whole reason for switching from an RSA SSL in the first place is that RSA SSL no longer passes PCI Compliance tests and the Azure-managed SSL certificates fail compliance tests. I even tried an RSA SSL certificate from GoDaddy and it had the same problem. For reference, here is the exact wording: "The remote SSL/TLS server is supporting Diffie-Hellman ephemeral (DHE) Key Exchange algorithms and thus could be prone to a denial of service (DoS) vulnerability."
Any idea why Azure CDN is not viewing this PFX file as valid?