Renewing certificate on the firewall and server

I have a VM running IIS in Azure. I used “Certify the web” to get the certificates I needed for a few websites running on the VM. That worked great.

Now, I’m putting an Azure Application Gateway in front of the VM. To establish end-to-end SSL, I exported the certificates on the VM and added them to the Azure Application Gateway listeners. That seems to be working well.

However, in a month, the certificate will need to renew.

Will the renewal work from behind this gateway/firewall?

If it does, then the new certificate will be updated on the VM but the gateway will still have the old one. I can manually export the certificate each month and update the one on the gateway, but that is too manual.

Any suggestions on how to manage this environment?

It looks like using an Azure Key Vault may work, and then use PowerShell to update it? Has anyone done this?

Hi! I’m having the exact same situation, have you automated the process?

Appreciate if you can share the solution.

Thank you!

Unfortunately, we’ve not automated it, so someone has to manually copy the certificate back up into Azure on a regular basis.

Sorry to hear that, looks like I’m going to do that manually too, thank you!

We do have an Azure Key Vault deployment task but you’d still need something to tell the other part of your service to pick up the latest cert from the Key Vault.

Generally there is a way to script this stuff using PowerShell, only adopt a manual process if there is literally no other choice.
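As an added example (not code from the thread or from Certify The Web), here is the Key Vault plus PowerShell approach the posts above point at: a post-renewal script that exports the renewed certificate from the local store, imports it into Key Vault, and makes the Application Gateway SSL certificate reference the versionless Key Vault secret so the gateway picks up new versions on its own instead of someone re-uploading a PFX by hand. Assumed: the Az.Accounts, Az.KeyVault and Az.Network modules are installed and a context is already signed in, the gateway has a user-assigned managed identity with "get" permission on the vault's secrets, and every resource name below is a placeholder.

```powershell
# Added example, not part of the original thread. Placeholder resource names throughout.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,            # thumbprint of the renewed cert in LocalMachine\My
    [string] $ResourceGroup = 'rg-web-example',             # placeholder
    [string] $VaultName     = 'kv-web-example',             # placeholder
    [string] $CertName      = 'www-example-com',            # Key Vault certificate object name (placeholder)
    [string] $GatewayName   = 'agw-web-example',            # placeholder
    [string] $SslCertName   = 'www-example-com'             # SSL certificate object name on the gateway (placeholder)
)
$ErrorActionPreference = 'Stop'

# 1. Export the renewed certificate with its private key as a PFX, protected by a one-off random password.
#    Requires the key to be exportable (Export-PfxCertificate comes from the Windows PKI module).
$cert        = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$pfxPath     = Join-Path $env:TEMP "$CertName.pfx"
$pfxPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString('N')) -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

try {
    # 2. Import into Key Vault. Re-using the same name creates a new version of the certificate object.
    $kvCert = Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName `
                                           -FilePath $pfxPath -Password $pfxPassword

    # 3. Strip the version from the secret id. A versionless id is what lets the gateway track
    #    the latest version (Application Gateway re-checks a versionless Key Vault reference
    #    periodically; the documented interval is four hours).
    $versionlessSecretId = $kvCert.SecretId.Replace($kvCert.Version, '')

    # 4. Point the gateway's SSL certificate object at the Key Vault secret instead of an uploaded PFX.
    #    The listener already bound to $SslCertName keeps working; only the backing reference changes.
    $agw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
    if ($agw.SslCertificates.Name -contains $SslCertName) {
        $agw = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $agw -Name $SslCertName `
                                                      -KeyVaultSecretId $versionlessSecretId
    } else {
        $agw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $agw -Name $SslCertName `
                                                      -KeyVaultSecretId $versionlessSecretId
    }
    Set-AzApplicationGateway -ApplicationGateway $agw | Out-Null
    Write-Host "Gateway '$GatewayName' SSL certificate '$SslCertName' now references $versionlessSecretId"
}
finally {
    # 5. Do not leave the exported private key on disk, whatever happened above.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
```

Once the gateway references the versionless secret id, later renewals only need steps 1 and 2 (export and import), which is the part a renewal client's post-request script hook can run; if the gateway has no managed identity, the fallback is the same script with `-CertificateFile $pfxPath -Password $pfxPassword` in place of `-KeyVaultSecretId`, which re-uploads the PFX on every renewal.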