Question

Asked by FergalCassidy-2488

How to configure IIS to use a cert that is on KeyVault on Azure

I am running a VM on Azure that has IIS and two apps. The first is "Default Web Site" and is the one I am working on now. I bought an SSL cert from GoDaddy for the domain (subdomain.site.com) and generated the cert from Azure KeyVault. I received the cert back and added it to the Vault successfully. I used the script below to add KeyVault to my server via the Azure CLI.

    # Start the deployment
    az vm extension set --name "KeyVaultForWindows" `
      --publisher Microsoft.Azure.KeyVault `
      --resource-group "<resourcegroup>" `
      --vm-name "<vmName>" `
      --settings '{\"secretsManagementSettings\": { \"pollingIntervalInS\": \"3600\", \"certificateStoreName\": \"MY\", \"certificateStoreLocation\": \"LocalMachine\", \"observedCertificates\": [\"MY CERT LINK\", \"<observedCert2>\"] }}'

I filled in roughly what I used: MY for the cert store and LocalMachine for the location. I then added the link to the end of the cert that was added successfully earlier.

This ran successfully with no errors. I now want to add this SSL cert to the bindings on IIS. After spending a while trying to complete this I still have not been able to. The cert is on Vault and is valid. The vault seems to be linked with the cert in the settings and seems to be valid; however, there is still no cert showing up for the bindings.

Tags: windows-server, windows-server-iis, azure-key-vault
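Added example, not from the original post: once the Key Vault extension reports success, the certificate should sit in LocalMachine\My on the VM, and the IIS side can be finished (and checked) from an elevated PowerShell session instead of the GUI dropdown. The site name, host name and port below are assumptions standing in for the poster's values.

```powershell
# Added example (not the poster's script): verify the cert the Key Vault extension
# installed and bind it to the IIS site. Run in an elevated PowerShell on the VM.
Import-Module WebAdministration

$siteName = 'Default Web Site'    # assumption: the site being configured
$hostName = 'subdomain.site.com'  # assumption: the DNS name on the certificate
$port     = 443

# 1. Confirm the extension really delivered a usable cert. It writes to the store
#    named by certificateStoreName / certificateStoreLocation ("MY" / LocalMachine).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" -or $_.DnsNameList.Unicode -contains $hostName } |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired cert with a private key for $hostName in LocalMachine\My. " +
          "Fix the extension / observedCertificates first; IIS cannot bind what is not there."
}
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Create the HTTPS binding if it does not exist yet. SslFlags 1 = SNI, so other
#    host names can share port 443 on the same VM.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostName
}

# 3. Attach the certificate to the binding. This is what selecting a cert in the
#    IIS binding dialog does: it registers the thumbprint with http.sys.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Show what http.sys will actually present to clients on this host:port.
netsh http show sslcert hostnameport="${hostName}:${port}"
```

If step 1 throws, the problem is upstream of IIS (the extension did not place a PFX with a private key in the store), which is the situation the rest of the thread runs into.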

1 Answer

Answered by JamesTran-MSFT

@FergalCassidy-2488
Thank you for the detailed post!

Based on your issue, this sounds like it could be more of an IIS type issue, since everything is working as expected from the Azure Key Vault side of things. When it comes to securing your web server I did find one document, "Tutorial: Secure a web server on a Windows virtual machine in Azure with TLS/SSL certificates stored in Key Vault", that might help you with this issue. However, I'd also recommend waiting for our IIS team to take a look into this issue to see if they can provide any insights on this.

Feel free to share any screenshots, so our community can better troubleshoot this issue.
Thank you for your time and patience throughout this issue.


Is there any way to refer it on to the IIS team?

I've tried to run through that tutorial and, by the looks of things, the script is in the MY store. I went into the VM via RDP after running the final script of the tutorial and it still isn't bound or showing as an option.


GENERAL
Provisioning state Provisioning failed.
The secret retrieved from https://measuresoft-keyvault.vault.azure.net/secrets/xxx-SSLCERT/XXXXX is not a properly encoded Base64 string..
CertificateImproperlyFormatted

This is the error received while trying to set the cert on the VM.

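Added example, not from the thread: the "not a properly encoded Base64 string" / CertificateImproperlyFormatted state above comes from the extension, which downloads the secret that backs the Key Vault certificate and expects either a base64-encoded PFX or PEM text. The script below reads that secret with the same az CLI the poster used and reports what it actually contains. The vault and certificate names are placeholders (assumptions), and the CLI is assumed to be logged in with read access to the vault's secrets.

```powershell
# Added example (not from the thread): inspect the Key Vault secret behind an
# observedCertificates entry to explain a CertificateImproperlyFormatted result.
# Assumptions: placeholder vault/certificate names; az CLI already logged in.
$vaultName = '<vault-name>'
$certName  = '<certificate-name>'

function Get-CertificateSecretReport {
    param([string]$VaultName, [string]$CertName)

    # A Key Vault certificate is backed by a secret of the same name; the VM
    # extension fetches that secret. 'sid' in the certificate bundle is its URL
    # and is the value that belongs in observedCertificates.
    $bundle = az keyvault certificate show --vault-name $VaultName --name $CertName | ConvertFrom-Json
    $secret = az keyvault secret show --id $bundle.sid | ConvertFrom-Json
    $value  = $secret.value
    $report = [ordered]@{ SecretId = $bundle.sid; ContentType = $secret.contentType }

    if ($value -match '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----') {
        # PEM content: the value is text, not base64 of a PFX. Decode the first
        # CERTIFICATE block to confirm it parses as an X.509 certificate.
        $bytes = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
        $report.Format = 'PEM'
        $report.HasPrivateKeyBlock = [bool]($value -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----')
    }
    else {
        # PKCS#12 content: the whole value must be one base64 string of the PFX bytes.
        try {
            $bytes = [Convert]::FromBase64String($value)
            $report.Format = 'PFX'
        }
        catch {
            # Exactly the condition the extension reported: neither PEM nor base64,
            # e.g. a .crt/.cer or other text file stored as a plain secret.
            $report.Format = 'INVALID: value is not base64 and not PEM'
            return [pscustomobject]$report
        }
    }

    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $report.Subject       = $x509.Subject
    $report.NotAfter      = $x509.NotAfter
    $report.HasPrivateKey = $x509.HasPrivateKey   # false when only the PEM cert block was parsed
    return [pscustomobject]$report
}

Get-CertificateSecretReport -VaultName $vaultName -CertName $certName | Format-List
```

A report whose Format is INVALID, or whose Subject does not match the site's host name, means the vault object is not something the extension can install, regardless of how the IIS bindings are configured; a PFX report with HasPrivateKey = True is what the extension needs before the cert can appear in LocalMachine\My.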