The latest articles on DEV Community by Sakthis Kumar (@sakthis). https://dev.to/sakthis https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F154303%2F63553930-3e99-4d4d-bd62-288600a325cb.jpg https://dev.to/sakthis en Sakthis Kumar Tue, 26 May 2020 09:06:57 +0000 https://dev.to/sakthis/azure-ssl-certificate-webapp-waf-1kgb https://dev.to/sakthis/azure-ssl-certificate-webapp-waf-1kgb <p>Recently happen to come across a scenario where the SSL certificate (in Azure) was auto-renewed and Azure Web Application Firewall (WAF) SSL offloading went kaput! </p> <p>The setup!<br> Internet --&gt; Azure WAF --&gt; Azure WebApp</p> <p>Auto-renewed Cert is in KeyVault (KV). Though the KV gives you an option to export the certificate you will end up getting the "Password for the certificate is wrong" error/notification </p> <p>Following is what I managed to do get the certificate successfully imported into WAF listener </p> <p><b>Login to Azure and set the subscription</b> <br> Login-AzureRmAccount<br> Set-AzureRmContext -SubscriptionId xxxxx-xxxxx </p> <p><b>Download Certificate stored as PFX as Secret</b> <br> $vaultName = "<i>yourvaultname</i>"<br> $keyVaultSecretName = "<i>secretname</i>"<br> $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $keyVaultSecretName</p> <p><b>Create PFX Object from the Secret we received</b><br> $pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)</p> <p><b>Create a Password to associate with the PFX </b><br> $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})</p> <p><b>Notedown the pfx password by checking</b> <i>(you will need this to import the certificate in the WAF")</i><br> $pfxPassword<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DGYwk6S2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/2eo788yh1cf0r3k9znrn.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DGYwk6S2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/2eo788yh1cf0r3k9znrn.jpg" alt=""></a></p> <p><b>Write the PFX Object to file System and add a password to it </b><br> $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath</p> <p>[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath</p> <p>[io.file]::WriteAllBytes("C:\tmp\appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))</p> <p>You should be able export the certificate from your local drive<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--E4MajEhS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/cn6e2qxrshtzwd1ggk7n.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--E4MajEhS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/cn6e2qxrshtzwd1ggk7n.jpg" alt=""></a></p> <p><b> Time to Import the SSL Certificate in WAF!</b><br> (Az Portal) Home -&gt; Applciation Gateway -&gt; Listeners -&gt; <i> Your Listener Name </i> -&gt; Certificate -&gt; Select "Renew or edit selected certificate" and follow the onscreen instructions to import the renewed certificate.. </p> azure security sslcertificate azurewebapplicationfirewall