Retrieve/recover cert pfx from Azure Application Gateway - azure

I want to retrieve/download the original pfx certificate that was uploaded onto our Application Gateway.
So far I have done the following in PowerShell:
$appGw = Get-AzApplicationGateway -Name "appgatewayname" -ResourceGroupName "appgatewayresourcegroup"
$certs = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw
$certBase64 = $certs[0].PublicCertData
$certBytes = [System.Convert]::FromBase64String($certBase64)
[io.file]::WriteAllBytes("C:\directory\newcert.pfx", $certBytes)
However, it doesn't seem to be a valid certificate, especially when I try to upload it onto our KeyVault.
Is anyone familiar, and is this even possible? Should I use the Data property instead of the PublicCertData?

The .pfx file can't be retrieved after you have uploaded it to an application gateway listener. I have checked Azure Resource Explorer; there is no API provided by Azure to retrieve it, and I also double-checked with the Azure product team.
Though it seems we can use the Get-AzApplicationGatewaySslCertificate PS command to get certs, it actually provides you with PublicCertData only; there is no PrivateCertData of the .pfx file. I have also tested on my side, and the value of the Data property is empty.
So if you want to upload this .pfx file to Azure KV, I am afraid the only way is uploading the original pfx certificate to Azure KV directly.
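The point made above can be checked locally. The following is an added example, not code from the question or the answer: it decodes a PublicCertData value, parses whatever it contains (a single DER certificate or a PKCS#7 bundle), reports HasPrivateKey for each certificate, and writes the first one out as a .cer. Because the data never carries a private key, a .cer is the only file that can be recovered from it. The sample input is constructed on the spot from a self-signed certificate (CertificateRequest needs PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2+); with a real gateway you would pass `$certs[0].PublicCertData` instead.

```powershell
# Added example: what Get-AzApplicationGatewaySslCertificate's PublicCertData
# really contains. Not part of the original question or answer.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Export-AppGwPublicCert {
    param(
        [Parameter(Mandatory)][string]$PublicCertData,   # base64 string from the gateway
        [Parameter(Mandatory)][string]$OutputPath        # .cer file to write
    )
    $bytes = [Convert]::FromBase64String($PublicCertData)

    # X509Certificate2Collection.Import accepts a bare DER certificate as well as
    # a PKCS#7 bundle, so it copes with either encoding of the public data.
    $chain = [X509Certificate2Collection]::new()
    $chain.Import($bytes)

    $report = foreach ($c in $chain) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey   # $false: no key material is exposed
        }
    }

    # Public-only material is a certificate (.cer), not a PFX. Saving these bytes
    # with a .pfx extension is exactly what makes the Key Vault upload fail.
    [IO.File]::WriteAllBytes($OutputPath, $chain[0].Export([X509ContentType]::Cert))
    return $report
}

# --- constructed sample standing in for $certs[0].PublicCertData ---
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new("CN=demo.example.invalid", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sample    = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(30))
$sampleB64 = [Convert]::ToBase64String($sample.Export([X509ContentType]::Cert))

$out = Join-Path ([IO.Path]::GetTempPath()) "recovered.cer"
Export-AppGwPublicCert -PublicCertData $sampleB64 -OutputPath $out | Format-Table
# HasPrivateKey comes back $false, so nothing here can be turned back into a .pfx.
```

If you need the certificate in Key Vault, import the original .pfx (the one you still hold) rather than anything reconstructed from the gateway.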

Related

Unable to update SSL cert while using multiple basic listener using WAFV2 Azure App Gateway

I am having trouble uploading a new SSL pfx certificate onto my WAF V2 application gateway. I currently have 3 basic wildcard listeners setup (*.contoso.com *.fabrikam.com and *.adatum.com for example) and I would like to update the certificate associated with *.contoso.com.
The problem with using the UI is that if I attempt to update and save the certificate on the listener I get an error message indicating "This Basic HTTP listener cannot use the same frontend port as an existing listener". I understand this is likely because using multiple basic listeners is still in preview and can only be setup via powershell or ARM templates. I originally setup the gateway via ARM templates.
I instead attempted to update the listener's certificate using powershell. I first uploaded the pfx cert to a key vault. I then created a user managed identity with azure role assignments for both the app gateway and the key vault. After, I ran the following powershell commands from inside the portal's CLI but got the resulting error message.
PS > Select-AzureRmSubscription -Scope CurrentUser -SubscriptionName "Pay-As-You-Go"
PS > $appgw = Get-AzApplicationGateway -ResourceGroupName "myresourcegroup" -Name "myappgateway"
PS > $secret = Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "contoso-cert"
PS > $secretId = $secret.Id
PS > set-AzApplicationGatewaySSLCertificate -Name "contoso-cert" -ApplicationGateway $appgw -KeyVaultSecretId $secretId
PS > Set-AzApplicationGateway -ApplicationGateway $appgw
Set-AzApplicationGateway: Application Gateway 'myappgateway' requires a 'UserAssigned' Identity with 'get' access policy to the referenced KeyVault. Please provide so by using top level 'Identity' property.
Why am I unable to update the certificate on the basic listener using powershell? Is there any alternative option I can try in order to set the certificate? Please help
Pretty sure I came across this same issue when looking at the Wildcard Listeners Preview in App Gateway.
I don't have a test environment configured in such a way that I can try this for you at the moment, but I believe the solution was to create a Multisite HTTPS listener (instead of basic) with an arbitrary FQDN, and using the same SSL cert as the one you want to update. Then use that listener to update the SSL cert (you could probably even update the cert at the same time as you create the listener).
Let us know how you get on!
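The error message in the question spells out what the gateway needs: a user-assigned identity at the top level of the resource and a Key Vault access policy granting that identity 'get' on secrets. The following is an added example, not code from the question or the answer, that performs exactly that setup and then points the listener certificate at the Key Vault secret. All resource names are placeholders; it assumes an authenticated Connect-AzAccount session with the Az.Network, Az.KeyVault and Az.ManagedServiceIdentity modules, and it references the secret by its versionless id so that a rotated secret is picked up without another update.

```powershell
# Added example (not from the original post): wire a user-assigned identity,
# a minimal Key Vault policy and a Key Vault-backed SSL certificate into an
# Application Gateway in one update.
function Set-AppGwKeyVaultCertificate {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$GatewayName,
        [Parameter(Mandatory)][string]$IdentityName,      # existing user-assigned managed identity
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,        # the imported .pfx, exposed by Key Vault as a secret
        [Parameter(Mandatory)][string]$CertificateName    # SSL certificate name on the gateway
    )

    $appgw    = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName

    # 1. Least privilege on the vault: the identity needs only 'get' on secrets.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

    # 2. The gateway itself must carry the identity ('UserAssigned' at top level),
    #    which is the part the error message complains about.
    Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $identity.Id | Out-Null

    # 3. Reference the secret. Dropping the trailing version segment gives the
    #    versionless id, so a renewed secret is picked up without re-running this.
    $secret        = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    $versionlessId = $secret.Id -replace '/[^/]+/?$', ''
    Set-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $CertificateName `
        -KeyVaultSecretId $versionlessId | Out-Null

    # 4. Identity, policy and certificate reference go out together in one PUT.
    Set-AzApplicationGateway -ApplicationGateway $appgw
}

# Usage with placeholder names:
# Set-AppGwKeyVaultCertificate -ResourceGroupName "myresourcegroup" -GatewayName "myappgateway" `
#     -IdentityName "appgw-identity" -VaultName "mykeyvault" -SecretName "contoso-cert" -CertificateName "contoso-cert"
```

Keep the vault policy to 'get' on secrets only; the gateway never needs list, set or delete rights, and a narrower policy limits what a compromised gateway identity could read.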

I want to be able to add/upload a certificate to my Azure Web App from my Azure KeyVault

I want to automate this process where I am uploading my certificate to my Web App.
I came across New-AzWebAppSSLBinding which enables upload but also binds the certificate to the web app.
I was trying it like so -
New-AzWebAppSSLBinding -ResourceGroupName $resourceGroupName -WebAppName $webAppName -Thumbprint "" -Name "certificatetest"
However, it gives an error because the domain is not set in the Web App.
I do not want to bind the certificate. I just want to be able to automate certificate upload through powershell. Is there an alternate way to do this?
I have already found this:
Upload Certificate to App Service from key Vault,
but it doesn't help much and I was hoping there is an ARM independent process through powershell?
According to my research, the Azure PowerShell module does not provide any command used to upload an SSL certificate to an Azure Web App. It just provides a command used to upload an SSL certificate and bind SSL. So if you just want to upload an SSL certificate to an Azure Web App, I suggest you use Azure CLI. We can use the CLI command az webapp config ssl upload to implement it. For more details, please refer to the document.
Besides, if you just want to implement it with Azure PowerShell, please refer to the following script
Connect-AzAccount
# Get the App Service plan which you want to associate the certificate with
$planName = "stanQnA"
$planGroup = "stan"
$plan = Get-AzAppServicePlan -ResourceGroupName $planGroup -Name $planName
# Get the cert content (ReadAllBytes works in Windows PowerShell and PowerShell 7;
# Get-Content -Encoding Byte exists only in Windows PowerShell 5.1)
$pfxpassword = "Password0123!"
$pfxpath = "E:\Cert\example.pfx"
$pfxFileBytes = [System.IO.File]::ReadAllBytes($pfxpath)
$pfxblob = [System.Convert]::ToBase64String($pfxFileBytes)
$properties = @{
    pfxBlob      = $pfxblob;
    serverFarmId = $plan.Id;
    password     = $pfxpassword;
}
New-AzResource -Location $plan.Location -ResourceName "cert" -ResourceType "Microsoft.Web/certificates" -ResourceGroupName "jimtest" -Properties $properties -Force
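The script above reads the PFX and its password into the session. Since the question asks for the certificate to come from Key Vault, the following added example (not the answer's code) creates the same Microsoft.Web/certificates resource but with keyVaultId and keyVaultSecretName properties, so App Service pulls the PFX from the vault itself and neither the bytes nor the password pass through PowerShell. Names are placeholders; it assumes a Connect-AzAccount session with Az.Resources, Az.KeyVault and Az.Websites, a vault using access policies, and the documented first-party "Microsoft Azure App Service" principal (app id abfa0a7c-a6b6-4736-979d-2dc6a0ede2a1) as the reader the platform uses.

```powershell
# Added example (not from the original answer): import a Key Vault certificate
# into App Service without handling the PFX or its password in the script.
function Import-WebAppCertificateFromKeyVault {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,       # where the certificate resource is created
        [Parameter(Mandatory)][string]$CertificateName,         # name of the Microsoft.Web/certificates resource
        [Parameter(Mandatory)][string]$PlanResourceGroup,
        [Parameter(Mandatory)][string]$PlanName,
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$KeyVaultCertificateName, # a Key Vault certificate is also readable as a secret of the same name
        # Well-known app id of the "Microsoft Azure App Service" principal (assumption: access-policy vault)
        [string]$AppServicePrincipalAppId = 'abfa0a7c-a6b6-4736-979d-2dc6a0ede2a1'
    )

    $plan  = Get-AzAppServicePlan -ResourceGroupName $PlanResourceGroup -Name $PlanName
    $vault = Get-AzKeyVault -VaultName $VaultName

    # App Service reads the certificate on the platform's behalf; 'get' on
    # secrets and certificates is the minimum, nothing broader is required.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AppServicePrincipalAppId `
        -PermissionsToSecrets get -PermissionsToCertificates get

    $properties = @{
        keyVaultId         = $vault.ResourceId
        keyVaultSecretName = $KeyVaultCertificateName
        serverFarmId       = $plan.Id
    }

    New-AzResource -Location $plan.Location -ResourceGroupName $ResourceGroupName `
        -ResourceType "Microsoft.Web/certificates" -ResourceName $CertificateName `
        -Properties $properties -Force
}

# Usage with placeholder names:
# Import-WebAppCertificateFromKeyVault -ResourceGroupName "jimtest" -CertificateName "cert" `
#     -PlanResourceGroup "stan" -PlanName "stanQnA" -VaultName "mykeyvault" -KeyVaultCertificateName "example-cert"
```

Because the resource references the vault rather than embedding a pfxBlob, the certificate resource can later be re-synced from the vault when the certificate is renewed, and no PFX password ever has to be stored in a script or pipeline variable.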

Bulk/mass change SSL certificates on Azure app services (web apps)

I've a wildcard SSL that has expired, and I have the new cert (different authority) uploaded to Azure already..
..but I'd like to know if there's a way to bulk change all the sites using the old cert, over to the new cert. On normal IIS when you make a change for any one of your sites on the old cert, to the new cert, it asks you if you want to update other bindings that are using the old cert so that they also use the new cert. I've around 30 sites I need to move to the new cert and it's going to be quite a drag one by one
Is there an equivalent functionality on Azure? Powershell is acceptable if the portal.azure.com won't do it..
I've been using Azure CLI in Powershell for this. First build a CSV file or array with the values. It will need to contain:
- Web App Name
- Thumbprint
Then iterate through
$Thumbprint = "12bnhgikjbkj13kjbblahblah"
$WebApps = @("WebApp1","WebApp2","WebApp3") # or read the names from your CSV
Foreach ($WebApp in $WebApps) {
    az webapp config ssl bind --certificate-thumbprint $Thumbprint --ssl-type SNI --resource-group ResourceGroupName --name "$WebApp"
}
You can also do it with New-AzureRmWebAppSSLBinding from here. Also a guide here on how to do it.
I used the following code in Azure Cloud Shell to enumerate how many apps were using the old thumbprint and updated them to the new one. I found this easier than writing down each of the app service names.
You'll need to make sure you import your new certificate first.
az account set --subscription "My Application"
$webapp_ids=(az webapp list --query "[?hostNameSslStates[?thumbprint=='OLD_THUMBPRINT']].id" --output tsv)
az webapp config ssl bind --certificate-thumbprint "NEW_THUMBPRINT" --ssl-type SNI --ids $webapp_ids
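The same enumerate-then-rebind approach can be done with Az.Websites cmdlets alone, which is handy when the Azure CLI is not installed. The following is an added example, not code from either answer above: it walks every web app in the current subscription, picks the host-name bindings still referencing the expired thumbprint, and rebinds each to the new certificate. It supports -WhatIf so the list of affected bindings can be reviewed before anything changes. Thumbprints are placeholders; the new certificate must already be imported (the "import first" step above), and a Connect-AzAccount session is assumed.

```powershell
# Added example (not from the original answers): bulk-move SSL bindings from
# an expired thumbprint to a new one using Az.Websites only.
function Update-WebAppSslBindings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldThumbprint,
        [Parameter(Mandatory)][string]$NewThumbprint
    )
    $old     = $OldThumbprint.ToUpperInvariant()
    $changed = @()

    foreach ($app in Get-AzWebApp) {
        # A site can carry several host names; touch only those bound to the old cert.
        # Entries with no thumbprint (e.g. the default azurewebsites.net name) are skipped.
        $stale = $app.HostNameSslStates | Where-Object {
            $_.Thumbprint -and $_.Thumbprint.ToUpperInvariant() -eq $old
        }
        foreach ($binding in $stale) {
            $target = "$($app.Name) / $($binding.Name)"
            if ($PSCmdlet.ShouldProcess($target, "rebind to $NewThumbprint")) {
                New-AzWebAppSSLBinding -ResourceGroupName $app.ResourceGroup -WebAppName $app.Name `
                    -Name $binding.Name -Thumbprint $NewThumbprint -SslState SniEnabled | Out-Null
            }
            $changed += $target
        }
    }
    return $changed   # every host name that was (or, under -WhatIf, would be) rebound
}

# Dry run first, then the real update:
# Update-WebAppSslBindings -OldThumbprint "OLD_THUMBPRINT" -NewThumbprint "NEW_THUMBPRINT" -WhatIf
# Update-WebAppSslBindings -OldThumbprint "OLD_THUMBPRINT" -NewThumbprint "NEW_THUMBPRINT"
```

Running the dry run also gives you an inventory of every site that was still serving the expired certificate, which is worth keeping as a record of how long the expired cert was live.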

Azure SSL certificate tag

I have uploaded an SSl certificate on the azure portal for my web app.
Is there a way to add key-value tag for the cert? From the documentation, I see tags only for resource-group etc but not for a particular cert.
If you are able to see the certificate in your resource group, just add tag as usual.
On my side, the certificate is hidden because it's managed by Azure. I can show it by clicking the checkbox on top of your resource group.
If after you click the certificate and there is no Tags bar on its panel, you can choose to use cloud shell to add tag. You can find the cloud shell on top right of your portal.
The first time you run it, you may need to create storage for the shell, just follow the steps azure provides. Then we can add tags. Use powershell script as an example, just two commands to achieve your goal.
$r = Get-AzureRmResource -ResourceName certificatename -ResourceGroupName resourcegroupname
Set-AzureRmResource -Tag @{ TagName="TagValue" } -ResourceId $r.ResourceId -Force
Things work on my side. Any further question, just ask.
Looking at the REST API documentation for Create or Update Certificate, looks like it is possible to assign tags to SSL Certificates. I believe this functionality is not exposed on the Portal. I looked up Azure Powershell Cmdlets as well and couldn't find anything there (it is entirely possible that I may have missed out something).
If you need to assign tags to SSL Certificate, you can always use REST API and invoke that API using either writing code or using a tool like Postman. Other thing you should look at is Azure SDK. In all likelihood, you will find some functionality there which will let you assign tags to a SSL certificate.

Add a certificate to an Azure WebApp and reference it in code

I have an web application on IIS. The asp.net application call external resources and need to send a certificate for authorization. I cannot use the certificate store on Azure in a Web App. How can I store a certificate in Azure and reference it when I make a external call?
In order to use certificates you first have to upload the certificate to your web app. You can do this by going to the settings of your web app and then to Custom domains and SSL. Here you can upload your certificate.
In order to be usable in your application, Azure cannot use the certificate store but loads the certificates into memory. You can do this by adding WEBSITE_LOAD_CERTIFICATES with value * or you can do it via PowerShell via:
$appSettings = @{ "WEBSITE_LOAD_CERTIFICATES" = "*" }
$w = Set-AzureWebsite $siteName -AppSettings $appSettings
More info can be found at https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
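Two practical points follow from the answer above: an app-settings update through the Az module replaces the whole settings collection, so existing settings must be merged in rather than overwritten, and listing only the thumbprints the app actually needs is tighter than loading every uploaded certificate with *. The following is an added example, not code from the answer, using the current Az.Websites cmdlets (the answer's Set-AzureWebsite belongs to the older module). The first function sets the setting safely; the second is the lookup the application performs at runtime against the CurrentUser\My store where App Service places the loaded certificates. Names are placeholders.

```powershell
# Added example (not from the original answer): set WEBSITE_LOAD_CERTIFICATES
# without clobbering other app settings, and locate the loaded certificate.
using namespace System.Security.Cryptography.X509Certificates

function Set-WebAppLoadCertificates {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WebAppName,
        [Parameter(Mandatory)][string[]]$Thumbprints    # pass @('*') to load every uploaded certificate
    )
    $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName

    # Set-AzWebApp -AppSettings replaces the entire collection: start from the
    # current values so nothing else is lost by this update.
    $settings = @{}
    foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
    $settings['WEBSITE_LOAD_CERTIFICATES'] = ($Thumbprints -join ',')

    Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName -AppSettings $settings | Out-Null
    return $settings['WEBSITE_LOAD_CERTIFICATES']
}

function Get-LoadedCertificate {
    # Inside the app the certificate is visible in CurrentUser\My. validOnly=$true
    # drops expired or untrusted entries, so a stale cert fails loudly here rather
    # than at the remote endpoint.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $store = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
    try {
        $store.Open([OpenFlags]::ReadOnly)
        $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $Thumbprint, $true)
        if ($found.Count -eq 0) {
            throw "certificate $Thumbprint is not loaded; check WEBSITE_LOAD_CERTIFICATES"
        }
        return $found[0]
    }
    finally { $store.Close() }
}

# Usage with placeholder values:
# Set-WebAppLoadCertificates -ResourceGroupName "myresourcegroup" -WebAppName "mywebapp" -Thumbprints @('THUMBPRINT_1')
# $clientCert = Get-LoadedCertificate -Thumbprint 'THUMBPRINT_1'   # then attach $clientCert to the outbound call
```

Restricting the setting to named thumbprints means a certificate uploaded for another purpose on the same app is not silently made available to this code path.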
