Error when adding certificate to Azure App Gateway from Key Vault

Christiaan Westgeest 46 Reputation points
2021-06-21T15:25:10.967+00:00

I'm trying to set up an App Gateway to handle http and https traffic to a VM. Adding the http listener/rule was a breeze, but https is giving me trouble.

I have a PEM file uploaded as a certificate to a Key Vault. The file contains the cert, intermediate cert and key. It has no password set.
If I try to assign this certificate to an https listener from the Key Vault I always get the following error:

Data or Password for certificate /subscriptions/{subscription}/resourceGroups/rg-grafana-test/providers/Microsoft.Network/applicationGateways/ag-grafana-test/sslCertificates/https-listenervaultCert is invalid.

From what the Key Vault displays, everything seems present and correct for the PEM file, with one exception. When I look (in Portal) at the properties for the cert, there is an error 'The value must not be empty' shown under the Expiration Date fields. These fields are in fact filled (correctly) and greyed out / non-editable. I tried uploading the PEM again under a different name, but it shows the same error. Not sure if this indicates an actual problem or if it's merely a bug.
Other than that, fields like Subject, Issuer, Alternative Names, etc. all show the expected values.

I ran an OpenSSL cert chain check against the PEM file. This too looks normal:

subject=CN = *.{wildcard-domain-name}
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

subject=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

So, it seems as if the cert is in order, but still not accepted by the Gateway. What could be the cause of this, and what can I do to resolve this?


Accepted answer

SaiKishor-MSFT 17,201 Reputation points
2021-07-19T20:46:27.77+00:00

@Christiaan Westgeest Thank you for reaching out to Microsoft Q&A. We apologize for the delay in responding to your issue.

I understand that you are facing issues with adding a certificate to Azure APP GW from Key Vault where you are getting the error as mentioned.

I see that you are using a PEM certificate here which is not supported for App GW. App GW supports PFX certificates. Please convert the PEM to PFX and upload the same and let us know if you still have any issues with the same.

Here is a link with a similar issue and steps to convert the same: https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate

Hope this helps. Please let us know if you have any further issues/concerns and we will be glad to assist you. Thank you!
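
The conversion the accepted answer points to, as an added example that is not code from the question, the answer, or Microsoft: it splits a PEM bundle of the shape described in the question (leaf certificate, intermediate, unencrypted key), refuses to continue if the key does not belong to the leaf, and exports leaf + chain + key as a single PFX. The certificate chain it builds is a constructed throwaway one (not the poster's AlphaSSL certificate), and `changeit` is a placeholder for the password you will enter when attaching the PFX.

```shell
#!/bin/sh
# Added example: PEM bundle (leaf + intermediate + key) -> PFX for an App Gateway listener.
# The chain below is constructed for the demo; the password "changeit" is a placeholder.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# Build root -> intermediate -> wildcard leaf, then bundle leaf + intermediate + key
# the way the question describes (certificates first, unencrypted key last).
make_demo_chain() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
  cat "$d/leaf.crt" "$d/int.crt" "$d/leaf.key" > "$d/bundle.pem"
}

# pem_to_pfx BUNDLE OUT.pfx PASSWORD: split the bundle into certificates and key,
# check that the key matches the FIRST certificate (the leaf), then export.
# openssl pkcs12 uses the certificate matching the key as the entity certificate
# and carries the remaining certificates in the file as the chain.
pem_to_pfx() {
  bundle="$1" out="$2" pw="$3"
  work=$(dirname "$out")
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$bundle" > "$work/certs.pem"
  awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$bundle" > "$work/key.pem"
  cert_pub=$(openssl x509 -in "$work/certs.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$work/key.pem" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the first certificate in $bundle" >&2
    return 1
  fi
  openssl pkcs12 -export -in "$work/certs.pem" -inkey "$work/key.pem" \
    -out "$out" -passout "pass:$pw"
}

# pfx_cert_count FILE PASSWORD: how many certificates the PFX carries (leaf + chain).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
pem_to_pfx "$demo_dir/bundle.pem" "$demo_dir/gateway.pfx" changeit
echo "certificates in PFX: $(pfx_cert_count "$demo_dir/gateway.pfx" changeit)"
```

Run the same key-to-certificate check against your real bundle before converting; a bundle whose first certificate is the intermediate rather than the leaf, or whose key belongs to a different certificate, is rejected here instead of producing a PFX that only fails later in the portal.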

