Central Certificate for Azure Application Gateway
Did you know that you can use a central certificate for your Azure Application Gateway? You don’t need a Key Vault in every subscription—you can use a central Key Vault in a central subscription and access the certificates from there.
Of course, there’s one small problem: you CANNOT set it up in the Azure Portal. You have to use Azure CLI, PowerShell, Bicep, ARM or Terraform instead.
So, I’ve gathered all the necessary PowerShell commands to help you set it up.
Prerequisites
- You need to have a central Key Vault in a central subscription.
- You need to have a certificate in the central Key Vault.
- You need to have the necessary permissions to assign permissions to the User Assigned Managed Identity.
Certificate
First, you need to retrieve the certificate from the central Key Vault. Of course, you should use a trusted certificate, but for the sake of this example, I will use a self-signed certificate and generate it with Key Vault.
It’s important to set it up correctly, if the certificate is not configured properly, you will encounter an error when trying to use it with the Application Gateway.
Script
Of course, the source of the script is Microsoft Documentation, but I’ve tweaked it a bit, so you don’t have to. :)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$keyVaultSubscriptionId = "00000000-0000-0000-0000-000000000000" # Key Vault Subscription ID
$appGWSubscriptionId = "11111111-1111-1111-1111-111111111111" # Application Gateway Subscription ID
$appGWResourceGroup = "resourceGroup1" # Application Gateway Resource Group
$appGWName = "applicationGateway1" # Application Gateway Name
$keyVaultName = "keyVault1" # Key Vault Name
$keyVaultCertName = "certificate1" # Key Vault Cert Name
$appGWIdentityName = "identity1" # User Assigned Managed Identity Name
$appGWIdentityResourceGroup = "resourceGroup1" # User Assigned Managed Identity Resource Group
$appGWIdentityLocation = "location1" # User Assigned Managed Identity Location
# Set the subscription context to the Application Gateway subscription
Select-AzSubscription -SubscriptionId $appGWSubscriptionId
# Create a new user assigned managed identity
$UserManagedIdentity = New-AzUserAssignedIdentity -ResourceGroupName $appGWIdentityResourceGroup -Name $appGWIdentityName -Location $appGWIdentityLocation
# Get the Application Gateway we want to modify
$appGW = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $appGWResourceGroup
# Specify the resource id to the user assigned managed identity - This can be found by going to the properties of the managed identity
Set-AzApplicationGatewayIdentity -ApplicationGateway $appGW -UserAssignedIdentityId $UserManagedIdentity.id
# Set the subscription context to the Key Vault subscription
Select-AzSubscription -SubscriptionId $keyVaultSubscriptionId
# Get the secret ID from Key Vault
$cert = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultCertName
$certId = $cert.Id.Replace($cert.Version, "") # Remove the secret version so Application Gateway uses the latest version in future syncs
# Assign RBAC permissions to the user assigned managed identity to keyvault to read the certificate
New-AzRoleAssignment -ObjectId $UserManagedIdentity.PrincipalId -RoleDefinitionName "Key Vault Certificate User" -Scope (Get-AzKeyVault -VaultName "test-hcikvkjnbkjn").ResourceId
# Set the subscription context back to the Application Gateway subscription
Select-AzSubscription -SubscriptionId $appGWSubscriptionId
# Specify the secret ID from Key Vault
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $certId -ApplicationGateway $appGW -Name $cert.Name
# Commit the changes to the Application Gateway
Set-AzApplicationGateway -ApplicationGateway $appGW
Conclusion
You can use a central certificate for your Azure Application Gateway. More secure, more manageable, and more scalable. Enjoy!