DEV Community

Sakthis Kumar

Azure SSL Certificate! WebApp!! WAF!!!

I recently ran into a scenario where the SSL certificate (in Azure) was auto-renewed and SSL offloading on the Azure Web Application Firewall (WAF) went kaput!

The setup!
Internet --> Azure WAF --> Azure WebApp

The auto-renewed certificate lives in Key Vault (KV). Although KV gives you an option to export the certificate, the PFX it hands out has no password set, so when you try to use it you end up with the "Password for the certificate is wrong" error/notification.

Here is what I did to get the certificate imported into the WAF listener successfully.

Log in to Azure and select the subscription
# Interactive login with the AzureRm module, then pin the subscription that holds the Key Vault
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId xxxxx-xxxxx

Download the certificate, which Key Vault stores as a PFX inside a secret
$vaultName = "yourvaultname"
$keyVaultSecretName = "secretname"
# The secret's value is the PFX (certificate + private key), base64-encoded
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $keyVaultSecretName

Create a PFX object from the secret we received
# Decode the base64 PFX; the password is empty because Key Vault sets none. Exportable is required so the private key can be written back out below
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

Create a password to associate with the PFX
# 50 random alphanumeric characters (A-Z, a-z, 0-9). Get-Random is not a cryptographic RNG, which is acceptable for a one-off transport password as long as the PFX file is deleted once imported
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})

Note down the PFX password by displaying it (you will need it to import the certificate into the WAF)
$pfxPassword

Write the PFX object to the file system, protected with the password
# Make .NET's current directory match PowerShell's so the file lands where you expect
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = $currentDirectory
$pfxPath = Join-Path $currentDirectory "appservicecertificate.pfx"

# Re-export as PKCS#12, this time with the password set
[io.file]::WriteAllBytes($pfxPath, $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

The password-protected PFX is now on your local drive, ready to be uploaded.

Time to import the SSL certificate into the WAF!
(Az Portal) Home -> Application Gateway -> Listeners -> Your Listener Name -> Certificate -> Select "Renew or edit selected certificate" and follow the on-screen instructions to import the renewed certificate, supplying the password from above. Once the listener shows the renewed certificate, delete the local PFX file: it contains the private key.
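The failure above (Key Vault renews, the listener keeps serving the old certificate) is easy to catch before users do. The check below is an added example, not code from the post; it uses the Az module (successor of the AzureRm cmdlets used above), assumes an existing Connect-AzAccount session, treats PublicCertData as base64 text whose decoded form X509Certificate2 can parse, and uses placeholder vault, gateway and resource-group names.

```powershell
# Added example: compare the current Key Vault certificate with what each
# Application Gateway / WAF listener is actually serving.

function Get-GatewayCertThumbprint {
    param([Parameter(Mandatory)] $SslCertificate)
    if ($SslCertificate.KeyVaultSecretId) {
        # Listener references Key Vault directly; nothing local to compare
        return $null
    }
    # Assumption: PublicCertData decodes to PEM/DER certificate bytes.
    # X509Certificate2 reads the first certificate (the leaf) from those bytes.
    $bytes = [Convert]::FromBase64String($SslCertificate.PublicCertData)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    return $cert.Thumbprint
}

function Test-ListenerCertDrift {
    param(
        [Parameter(Mandatory)][string] $VaultName,
        [Parameter(Mandatory)][string] $CertificateName,
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $GatewayName
    )
    # Thumbprint of the current (auto-renewed) version in Key Vault
    $kvThumb = (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName).Thumbprint
    $gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

    foreach ($listener in $gw.HttpListeners) {
        if (-not $listener.SslCertificate) { continue }   # HTTP-only listener
        # Resolve the listener's certificate reference to the gateway's SSL certificate object
        $sslCert = $gw.SslCertificates | Where-Object { $_.Id -eq $listener.SslCertificate.Id }
        $gwThumb = Get-GatewayCertThumbprint -SslCertificate $sslCert
        [pscustomobject]@{
            Listener           = $listener.Name
            GatewayThumbprint  = $gwThumb
            KeyVaultThumbprint = $kvThumb
            Stale              = ($null -ne $gwThumb) -and ($gwThumb -ne $kvThumb)
        }
    }
}

# Example run with placeholder names; any row with Stale = True needs the re-import above
Test-ListenerCertDrift -VaultName 'yourvaultname' -CertificateName 'secretname' `
    -ResourceGroupName 'your-rg' -GatewayName 'your-waf' | Format-Table
```

Run it on a schedule after each Key Vault auto-renewal window and alert on any Stale row.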
