Using Key Vault for a backend root cert in Application Gateway

Eric Hodges 46 Reputation points
2022-02-22T21:47:40.78+00:00

I am setting up an Application Gateway that uses TLS on the backend to talk to members of a VM Scale Set. I have this all in a bicep template and it works - I pass the root certificate into the template as a parameter. However, I would rather keep the certificate in a Key Vault instead of passing it in like this. I notice that in the App Gateway declaration, the trustedRootCertificates object will take a Properties parameter named "keyVaultSecretId". This implies to me that it should work to retrieve the trusted root certificate from Key Vault.

However, it does not seem that I can import a certificate without a private key into KV. (Indeed, the FAQ says you cannot.) So how do I make use of the keyVaultSecretId? Do I create a Secret in the KV rather than a Certificate, with the base64 public key as the Value?

Thanks,
Eric

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,071 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Eric Hodges 46 Reputation points
    2022-02-23T13:58:26.81+00:00

    I was able to get this working. In order to use a keyvault for the backend root certificate:

    1. Put the public key in a keyvault as the value of a Secret (not a Certificate). No header, footer, or line breaks.
    2. In your App Gateway template, insert a trustedRootCertificates block, and in Properties, use the keyVaultSecretId key. Its value will be the full path to the secret (https://<keyvaulturl>/secrets/<secretname>)
    3. Reference the above in the backendHTTPSettingsCollection portion of the App Gateway.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.