I'm searching for a reliable solution to issue TLS certificates for my Application Gateways that manage incoming requests. I noticed that Azure App Service certificates might work with App Gateways, but they have certain limitations, like not allowing custom Subject Alternative Names (SANs) during certificate issuance.
I've also learned that Azure Key Vault can integrate with a Certificate Authority (CA) like DigiCert for automatic certificate creation and renewal, with the added benefit of providing SANs.
Microsoft has documentation on how to create a new certificate and set up the CA provider, but I'm confused about the DNS validation process. How exactly does it verify domain ownership? Is this validation performed manually after the certificate is created?
I'm also curious to hear about others' experiences using Key Vault certificates with DigiCert. Was the experience smooth?
Thanks for any insights!
2 Answers
For DigiCert, the validation process depends on your status with them. Just a heads-up, their services can be on the pricey side, so you might want to think twice about it. I'd suggest setting up an automated pipeline with Azure DevOps or GitHub Actions for your ACME operations and storing the cert in Key Vault. I actually wrote a script in PowerShell that used PoSH-ACME to handle the private key and CSR securely through Key Vault.
Also, keep in mind that if you're using an App Gateway, the certificate must be exportable. You’ll need to manage Key Vault access through IAM instead of using Access Policies, which makes everything easier in the long run. Naming your certificate configurations clearly in the App Gateway can help you later when you need to reference them with PowerShell or Azure CLI.
If you're looking for a simpler solution, check out acmebot for Key Vault. It's super easy to use and manages all your certificate renewals for a minimal cost. Running it as an app service worked well for me.
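A sketch of the ACME-to-Key-Vault pipeline this answer describes, added here as an example and not the answerer's script. The module names (Az, Posh-ACME) and cmdlets are real; every resource name, the managed-identity permissions and the renewal threshold are assumptions.

```powershell
# Added example: ACME DNS-01 issuance with PoSH-ACME, import into Key Vault,
# and a one-time binding to an Application Gateway listener.
# Assumptions (placeholders, not from the thread): Az and Posh-ACME are installed,
# the names live in an Azure DNS zone, the agent's managed identity (IMDS) can write
# TXT records there and manage vault certificates, and the gateway's identity can read vault secrets.
param(
    [string[]] $Domains   = @('app.example.com', 'api.example.com'),  # CN + SANs
    [string]   $SubId     = '<subscription-id>',
    [string]   $VaultName = '<keyvault-name>',
    [string]   $CertName  = 'appgw-tls',
    [string]   $AppGwName = '<appgw-name>',
    [string]   $AppGwRg   = '<resource-group>',
    [int]      $RenewWithinDays = 30
)
$ErrorActionPreference = 'Stop'

# Skip the CA round-trip while the vault copy is still far from expiry. Key Vault
# keeps prior versions, so a failed run never disturbs the certificate in use.
$current = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -ErrorAction SilentlyContinue
if ($current -and $current.Expires -gt (Get-Date).AddDays($RenewWithinDays)) {
    Write-Host "Vault certificate valid until $($current.Expires); nothing to renew."
    return
}

# DNS-01: PoSH-ACME publishes _acme-challenge TXT records through its Azure DNS
# plugin, the CA looks them up, and the records are removed once validated.
# The key and CSR are generated locally; the PFX is protected with a throwaway
# password that exists only for this run.
Set-PAServer LE_PROD
$pfxPass = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$issued = New-PACertificate $Domains -AcceptTOS -Contact 'pki@example.com' `
    -Plugin Azure -PluginArgs @{ AZSubscriptionId = $SubId; AZUseIMDS = $true } `
    -PfxPass $pfxPass -Force

# Import as a new version; imported PFX keys are exportable by default, which the gateway requires.
$secure = ConvertTo-SecureString $pfxPass -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName `
    -FilePath $issued.PfxFullChain -Password $secure | Out-Null
Remove-Variable pfxPass, secure

# Bind once with the versionless secret id; the gateway then follows new
# versions on its own, so renewals need no further gateway change.
$appgw = Get-AzApplicationGateway -Name $AppGwName -ResourceGroupName $AppGwRg
if (-not ($appgw.SslCertificates | Where-Object Name -eq $CertName)) {
    $secretId = "https://$VaultName.vault.azure.net/secrets/$CertName"
    $appgw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
        -Name $CertName -KeyVaultSecretId $secretId
    Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null
}
```

Grant the agent identity only the DNS zone and vault certificate permissions it needs (IAM roles, as the answer recommends), and keep the gateway's own identity limited to secret read on that vault.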
A while back, I wrote a script that automates the process of saving certificates into a Key Vault for reuse with my services. It's been reliable over the years, and I don’t remember it failing me yet! If you're interested, I can share it with you.

Thanks for the detailed reply! When you said, "it will be increasingly irrelevant as the certificate lifetime decreases," could you clarify that? More renewals could be a good thing because Key Vault manages them, right?