Azure SSL Certificate! WebApp!! WAF!!!

sakthis profile image Sakthis Kumar ・2 min read

Recently happen to come across a scenario where the SSL certificate (in Azure) was auto-renewed and Azure Web Application Firewall (WAF) SSL offloading went kaput!

The setup!
Internet --> Azure WAF --> Azure WebApp

Auto-renewed Cert is in KeyVault (KV). Though the KV gives you an option to export the certificate you will end up getting the "Password for the certificate is wrong" error/notification

Following is what I managed to do get the certificate successfully imported into WAF listener

Login to Azure and set the subscription
Set-AzureRmContext -SubscriptionId xxxxx-xxxxx

Download Certificate stored as PFX as Secret
$vaultName = "yourvaultname"
$keyVaultSecretName = "secretname"
$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $keyVaultSecretName

Create PFX Object from the Secret we received
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

Create a Password to associate with the PFX
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})

Notedown the pfx password by checking (you will need this to import the certificate in the WAF")

Write the PFX Object to file System and add a password to it
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath

[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath

[io.file]::WriteAllBytes("C:\tmp\appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

You should be able export the certificate from your local drive

Time to Import the SSL Certificate in WAF!
(Az Portal) Home -> Applciation Gateway -> Listeners -> Your Listener Name -> Certificate -> Select "Renew or edit selected certificate" and follow the onscreen instructions to import the renewed certificate..

Posted on by:

sakthis profile

Sakthis Kumar


Passionate about Cloud Solutions | Global Azure Bootcamp (Singapore) Organizer |


markdown guide