Renewing certificate on the firewall and server

I have a VM running IIS in Azure. I used “Certify the web” to get the certificates I needed for a few websites running on the VM. That worked great.

Now, I’m putting an Azure Application Gateway in front of the VM. To establish end-to-end SSL, I exported the certificates on the VM and added them to the Azure Application Gateway listeners. That seems to be working well.

However, in a month, the certificate will need to renew.

Will the renewal work from behind this gateway/firewall?

If it does, then the new certificate will be updated on the VM but the gateway will still have the old one. I can manually export the certificate each month and update the one on the gateway, but that is too manual.

Any suggestions on how to manage this environment?

It looks like using an Azure Key Vault may work, and then using PowerShell to update it? Has anyone done this?
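The Key Vault plus PowerShell approach the question describes, written out as an added example that is not part of the original post. It assumes the Az.KeyVault and Az.Network modules, an authenticated session (Connect-AzAccount), and that the Application Gateway has already been given a user-assigned managed identity with permission to read secrets from the vault; the vault, certificate, resource group and gateway names are placeholders. The script imports the renewed PFX as a new version of a Key Vault certificate and points the gateway's SSL certificate at the versionless secret id, so the gateway picks up later versions on its own instead of needing a manual export each month.

```powershell
# Added example (not from the original post): push a renewed PFX into Key Vault
# and repoint the Application Gateway listener certificate at the versionless
# Key Vault secret, so later renewals are picked up without touching the gateway.
# Requires Az.KeyVault and Az.Network and an authenticated session (Connect-AzAccount).
# All names below are assumed placeholders for your environment.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,      # renewed .pfx exported on the VM
    [Parameter(Mandatory)] [securestring] $PfxPassword,  # password protecting that .pfx
    [string] $VaultName       = 'example-kv',            # assumed Key Vault name
    [string] $CertName        = 'www-example-com',       # Key Vault certificate name
    [string] $ResourceGroup   = 'example-rg',            # assumed resource group
    [string] $GatewayName     = 'example-appgw',         # assumed Application Gateway name
    [string] $GatewayCertName = 'www-example-com'        # SSL certificate name on the gateway
)

$ErrorActionPreference = 'Stop'

# 1. Import the renewed PFX as a new version of the Key Vault certificate.
#    Each renewal becomes another version under the same certificate name.
$kvCert = Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName `
              -FilePath $PfxPath -Password $PfxPassword

# 2. Build the versionless secret identifier. Application Gateway periodically
#    re-reads a versionless reference and picks up new versions; a versioned id
#    would pin the gateway to this one renewal and recreate the manual problem.
$versionlessSecretId = "https://$VaultName.vault.azure.net/secrets/$CertName"

# 3. Point the gateway's SSL certificate object at the Key Vault secret.
#    Prerequisite (done once, outside this script): the gateway has a
#    user-assigned managed identity with read access to the vault's secrets.
$appgw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

$existing = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
                -Name $GatewayCertName -ErrorAction SilentlyContinue
if ($existing) {
    $appgw = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
                 -Name $GatewayCertName -KeyVaultSecretId $versionlessSecretId
} else {
    $appgw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
                 -Name $GatewayCertName -KeyVaultSecretId $versionlessSecretId
}

# 4. Commit the updated gateway configuration to Azure.
$null = Set-AzApplicationGateway -ApplicationGateway $appgw

# 5. Report what was imported so the thumbprint can be checked against the
#    certificate the gateway presents once it has refreshed.
Write-Output "Imported Key Vault certificate version: $($kvCert.Version)"
Write-Output "Thumbprint: $($kvCert.Thumbprint)"
```

Once the gateway references the versionless secret id, only step 1 (the import) is needed on each renewal; the rest of the script is idempotent and can stay in place as a safety net. The import step fits naturally into a post-renewal script run by the client on the VM, so the PFX never has to be exported by hand. One caveat on the original question of whether renewal works behind the gateway: an HTTP-01 validation still has to reach the VM, so the gateway needs an HTTP listener and routing rule that forwards /.well-known/acme-challenge/ requests to the backend, otherwise the renewal itself will fail before any of the above matters.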