question

MarcGeorge-9076 asked SnehaAgrawal-MSFT answered

Certificate in KeyVault Persistence?

An existing app service has an Azure certificate assigned which, from my understanding, is stored in the key vault. If I examine the key vault's certificates, it is not listed. However, if a PowerShell keyvault command is executed against the certificate, which I am interested in, it does not error, indicating to me that it is in the vault.

I want to totally replace the app service, i.e. delete and create a new one. I want to use the current certificate in the new service. Will the current service deletion delete the certificate from the vault?

azure-webapps-ssl-certificates

Thanks for reaching out here! Could you please confirm which certificate is assigned to your app service?

Is it a free App Service managed certificate (a private certificate that's free of charge and easy to use if you just need to secure your custom domain in App Service) or a purchased App Service certificate (a private certificate that's managed by Azure; it combines the simplicity of automated certificate management and the flexibility of renewal and export options)?

Let us know so that we can help you better on this.



@SnehaAgrawal-MSFT The certificate was issued by Digicert and covers the primary domain and three sub-domains.


1 Answer

SnehaAgrawal-MSFT answered

Thanks! The free certificate is issued by DigiCert. So if you delete the App Service, the certificate will also be deleted. As mentioned in the documentation:

The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. It's a TLS/SSL server certificate that's fully managed by App Service and renewed continuously and automatically in six-month increments, 45 days before expiration. You create the certificate and bind it to a custom domain, and let App Service do the rest.

The free certificate comes with the following limitations:
• Does not support wildcard certificates.
• Does not support usage as a client certificate by certificate thumbprint (removal of certificate thumbprint is planned).
• Is not exportable.
• Is not supported on App Service not publicly accessible.
• Is not supported on App Service Environment (ASE).
• Is not supported with root domains that are integrated with Traffic Manager.
• If a certificate is for a CNAME-mapped domain, the CNAME must be mapped directly to <app-name>.azurewebsites.net.

Since this is free of cost, once you have deleted your old app service you can assign another certificate to the newly created app service.
To secure a custom domain with this certificate, you need to create a certificate binding for the new app service.

Helpful documentation links:

https://docs.microsoft.com/en-gb/azure/app-service/configure-ssl-certificate#create-a-free-managed-certificate
https://docs.microsoft.com/en-gb/azure/app-service/configure-ssl-bindings#secure-a-custom-domain

Let us know if you have further questions on this or if the issue remains.
