Use App Service Certificate with Azure Application Gateway - azure

Created an app service certificate in Azure to enable SSL for Application Gateway.
Had already configured SSL on the Application Gateway with a self-signed .pfx certificate to test the functionality but wanted to go with a more robust, auto-renewed and Microsoft managed solution.
However, it seems that an "App Service Certificate" is not the same as a generic certificate and doesn't show up on the listener options config page on the Application Gateway when trying to add the cert from key vault to the app gateway.
Is there any way to re-use this certificate with the Application Gateway?

I came across this today and found out that it is the 'Azure Portal' that is incapable of adding a certificate stored as key vault secret. If you use Terraform/REST API/Az CLI etc, you can add a key vault secret to Application Gateway.
This is already documented by MS.
The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).
Again, there is a partially correct warning which is only true for the 'Azure Portal':
Azure Application Gateway currently supports only Key Vault accounts in the same subscription as the Application Gateway resource. Choosing a key vault under a different subscription than your Application Gateway will result in a failure.
A simple but manual solution is to download the certificate from key vault secret via Azure Portal and upload it as a key vault certificate. You will need to do this again when the certificate is renewed.
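As an added example (not from the original answer), the non-portal route in Azure PowerShell: a user-assigned identity with only secret "get" on the vault, then the gateway referencing the App Service Certificate's Key Vault secret by a versionless URL so renewals are picked up. Resource group, gateway, vault, identity, secret, listener, frontend IP and port names are assumed placeholders.

```powershell
# Added example; every name below is an assumed placeholder, not a value from the post.
# Key Vault integration requires a v2 gateway SKU (Standard_v2 or WAF_v2).
$rg         = 'rg-example'
$gwName     = 'appgw-example'
$vaultName  = 'kv-example'
$secretName = 'appservicecert-secret'   # the secret App Service Certificate wrote into the vault
$idName     = 'id-appgw-keyvault'
$location   = 'westeurope'

# 1. Identity the gateway will present to Key Vault.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idName -Location $location

# 2. Least privilege on the vault: 'get' on secrets only; no key, certificate or list rights.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# 3. Versionless secret URL, so the gateway follows renewals without a redeploy.
$secretId = "https://$vaultName.vault.azure.net/secrets/$secretName/"

# 4. Attach the identity and the secret-backed certificate, then commit the change.
$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName
$gw = Set-AzApplicationGatewayIdentity -ApplicationGateway $gw -UserAssignedIdentityId $identity.Id
$gw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'appServiceCert' -KeyVaultSecretId $secretId
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# 5. Bind the certificate to the HTTPS listener (listener, frontend IP and port names assumed) and commit again.
$cert    = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'appServiceCert'
$frontIp = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name 'appGwPublicFrontendIp'
$port    = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port_443'
$gw = Set-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'https-listener' -Protocol Https `
        -FrontendIPConfiguration $frontIp -FrontendPort $port -SslCertificate $cert
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# 6. Confirm the gateway references the vault secret instead of an uploaded .pfx blob.
($gw.SslCertificates | Where-Object Name -eq 'appServiceCert').KeyVaultSecretId
```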

Related

Can i use Azure Managed Identity in a Console application deployed in On-Premises Server?

I have a console application that is going to be deployed on an On-Premises Server (Not an Azure-hosted one). Can I make use of Managed Identities to retrieve a secret from my azure key vault? Is it possible... please guide me here.
No, you cannot use Managed Identity (both system assigned and user assigned) outside of Azure. They can only be used with resources running in Azure.
What you would need to do is connect to your Key Vault using a Service Principal (using client id and client secret or certificate) and retrieve secrets that way.

How to create Azure service fabric cluster without security certificate for testing use?

For testing purpose, we need to spin up Azure service fabric cluster without any security certificates.
We have already created a new Azure SF cluster with a self-signed certificate successfully, but Octopus can't connect to the new Azure SF cluster for package deployment due to some certificate-related issues. So we need to spin up a new Azure Service Fabric cluster without a certificate.
How to create Azure service fabric cluster without security certificates?
Here, https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-via-arm, options are available to create an Azure SF cluster only with security certificates.
You cannot do that in Azure, but you can create an unsecured stand-alone cluster. What you can do is use self-signed certificates to deploy the cluster, and add Azure AD for client access to the management APIs.
FabricClient and FabricGateway perform a mutual authentication. During Azure AD authentication, Azure AD integration provides a client identity to the server, and the server certificate is used by the client to verify the server's identity. For more information about Service Fabric certificates, see X.509 certificates and Service Fabric.
This way, you can use a Service Principal to authenticate.

Cannot connect to external https from Azure SF due to untrusted certificate

I have an application, deployed in Azure Service Fabric.
The application connects to external web service which has an untrusted SSL certificate and fails.
I solved problem by implementing custom cert validation logic in "ServerCertificateCustomValidationCallback" method of HttpClient, however this is not an ideal solution.
How to install external SSL certificate into the trusted store on VMs in VMSS, so that any app in ASF can consume external web services without additional efforts?
Additional notes
Certificate contains no private key, so it cannot be imported into Azure key vault and used in ARM template (or I didn't find a way how to achieve this)
Certificate cannot be installed manually via RD, because this doesn't support autoscaling
It is possible to import a .pfx certificate without a password into Azure Key Vault. The certificate should be imported into Secrets (not into Certificates). The Azure portal says that this feature is deprecated, but it works.
When the certificate is in Key Vault, an ARM template can be used to deploy it onto the VMs.
To get .pfx certificates, I downloaded the root and intermediate certificates in the browser, then converted .cer to .pfx via a small .NET console app I wrote myself - check the X509Certificate class, it has all the necessary methods.
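An added example (not the .NET console from the answer) that does the same .cer to password-less .pfx conversion and the Key Vault secret upload in Azure PowerShell, using the data/dataType/password JSON blob that VM and VMSS deployments read from osProfile secrets; the file path, vault and secret names are assumed placeholders.

```powershell
# Added example; path, vault and secret names are assumed placeholders.
$cerPath    = 'C:\certs\external-root.cer'
$vaultName  = 'kv-example'
$secretName = 'external-root-ca'

# Load the public-only certificate and record the thumbprint you are about to trust;
# compare it against the value obtained out of band before uploading anything.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
"Trusting thumbprint $($cert.Thumbprint) for $($cert.Subject)"

# Re-encode as a PFX with no private key and no password (the X509Certificate.Export step).
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)

# Wrap it in the JSON blob the VM agent understands, base64 the whole blob, store it as a *secret*.
$blob    = @{ data = [Convert]::ToBase64String($pfxBytes); dataType = 'pfx'; password = '' } | ConvertTo-Json -Compress
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($blob))
$secret  = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName `
             -SecretValue (ConvertTo-SecureString $encoded -AsPlainText -Force) `
             -ContentType 'application/x-pkcs12'

# The vault must allow the platform to read it during deployment.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDeployment

# The versioned secret Id is the certificateUrl for osProfile.secrets in the VMSS template;
# the template's certificateStore property selects the Windows store it lands in.
"certificateUrl: $($secret.Id)"
```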

Azure: export azure app service certificate locally

Referring to the question asked here, Azure: manually add app service certificate to key vault
Also quoting the answer given:
"App Service Certificate stores the private certificate into a user-provided Key Vault secret. When App Service Certificate is deployed into a web app, a Web Apps resource provider deploys it from the Key Vault secret that's associated with App Service Certificate.
So, when you add app service certificate to azure keyvault, you could not see anything in Certificate option."
I cannot see certificates in the key vault, but the certificate is stored in the user-provided secret, so how do I export it?

Azure: Where should a management certificate reside for use by a Cloud Service

I have a worker role that is used to provision databases. In order to do this it has to hit the Azure Management API and to do this it requires a certificate.
You can store certificates in the portal against the subscription (Settings tab) or against individual cloud services. Where should the certificate be stored?
Worker role that needs to talk to Management API needs to have the .PFX certificate uploaded into it as if it is an SSL cert (against individual service).
Matching public cert (.cer) needs to be uploaded to the Management Certificates area, against the subscription itself.
HTH
