DEV Community

Sakthis Kumar

Azure SSL Certificate! WebApp!! WAF!!!

Recently I happened to come across a scenario where the SSL certificate (in Azure) was auto-renewed and Azure Web Application Firewall (WAF) SSL offloading went kaput!

The setup!
Internet --> Azure WAF --> Azure WebApp

The auto-renewed certificate is stored in Key Vault (KV). Although KV gives you an option to export the certificate, importing that export into the WAF ends with the "Password for the certificate is wrong" error/notification.

Following is what I managed to do to get the certificate successfully imported into the WAF listener.

Log in to Azure and set the subscription (AzureRm module):
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId xxxxx-xxxxx

Download the certificate, which KV stores as a PFX inside a secret:
$vaultName = "yourvaultname"
$keyVaultSecretName = "secretname"
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $keyVaultSecretName

Create a PFX object from the secret we received (the stored PFX has an empty password; the Exportable flag is needed so the private key can be written out again):
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

Create a password to associate with the PFX (50 characters drawn from A-Z, a-z, 0-9):
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | ForEach-Object { [char]$_ })

Note down the PFX password by printing it (you will need it to import the certificate into the WAF):
$pfxPassword

Write the PFX object to the file system, protected with the password (the target directory, C:\tmp here, must already exist):
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath

# Keep .NET's working directory in step with PowerShell's, in case a relative path is used below
[Environment]::CurrentDirectory = $currentDirectory

[IO.File]::WriteAllBytes("C:\tmp\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

You should now be able to upload the certificate from your local drive.

Time to import the SSL certificate into the WAF!
(Azure Portal) Home -> Application Gateway -> Listeners -> Your Listener Name -> Certificate -> select "Renew or edit selected certificate" and follow the on-screen instructions to import the renewed certificate.
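The steps above collected into one script, as an added example that is not part of the original post. It adds the check a practitioner wants before going anywhere near the listener: the exported PFX is re-opened with the generated password and its thumbprint and private key are compared with the original, so a "wrong password" surfaces here rather than in the portal. The password is generated with a CSPRNG instead of Get-Random, and the listener update is done with the AzureRm cmdlets as an optional alternative to the portal route. All names ($vaultName, $keyVaultSecretName, $resourceGroup, $gatewayName, $gatewaySslCertName, the subscription id) are placeholders, and the Set-AzureRmApplicationGatewaySSLCertificate call assumes an AzureRM.Network version whose -Password parameter takes a SecureString.

```powershell
# Added example: end-to-end export of an auto-renewed Key Vault certificate to a
# password-protected PFX, verification of that PFX, and an optional listener update.
# All names below are placeholders for your own environment.

$vaultName          = "yourvaultname"          # placeholder
$keyVaultSecretName = "secretname"             # placeholder
$resourceGroup      = "your-resource-group"    # placeholder
$gatewayName        = "your-app-gateway"       # placeholder
$gatewaySslCertName = "your-listener-cert"     # placeholder: SSL certificate name the listener already uses
$pfxPath            = Join-Path $env:TEMP "appservicecertificate.pfx"

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId "xxxxx-xxxxx"   # placeholder subscription id

# 1. Pull the secret. Key Vault hands the PFX back as a base64 string.
$secret   = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $keyVaultSecretName
$pfxBytes = [Convert]::FromBase64String($secret.SecretValueText)

# 2. Load it with the Exportable flag; the stored PFX carries an empty password.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList @($pfxBytes, "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

if (-not $cert.HasPrivateKey)     { throw "Secret '$keyVaultSecretName' has no private key; the WAF cannot offload TLS with it." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)." }

# 3. Generate a 50-character password with a CSPRNG. Rejecting bytes >= 248 (4 * 62)
#    keeps the modulo from biasing the first few alphabet characters.
$alphabet    = [char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
$rng         = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$byte        = New-Object byte[] 1
$pfxPassword = ""
while ($pfxPassword.Length -lt 50) {
    $rng.GetBytes($byte)
    if ($byte[0] -lt 248) { $pfxPassword += $alphabet[$byte[0] % $alphabet.Length] }
}

# 4. Write the PFX protected with the new password.
[IO.File]::WriteAllBytes($pfxPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

# 5. Verify: re-open the file exactly as an importer would. A wrong password throws here.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($pfxPath, $pfxPassword)
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw "Exported PFX does not round-trip (thumbprint or private key mismatch)."
}
Write-Host "PFX written to $pfxPath, thumbprint $($check.Thumbprint), valid until $($check.NotAfter)"
Write-Host "PFX password (needed once for the import): $pfxPassword"

# 6. Optional: replace the gateway's SSL certificate from PowerShell instead of the portal.
#    Assumption: AzureRM.Network version where -Password is a SecureString. The listener keeps
#    referencing the same certificate name, so only the certificate object is swapped.
$securePwd = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$gw = Get-AzureRmApplicationGateway -Name $gatewayName -ResourceGroupName $resourceGroup
$gw = Set-AzureRmApplicationGatewaySSLCertificate -ApplicationGateway $gw -Name $gatewaySslCertName `
        -CertificateFile $pfxPath -Password $securePwd
Set-AzureRmApplicationGateway -ApplicationGateway $gw | Out-Null

# 7. The private key should not stay on disk once the gateway has it.
Remove-Item $pfxPath -Force
```

If you prefer the portal route from the post, stop after step 5, upload the PFX with the printed password, and delete the file afterwards; step 6 is only there so the whole renewal can be scripted. Note that SecretValueText is an AzureRm-era property: on the newer Az module the secret value comes back as a SecureString and has to be converted first.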
