Azure WebApp custom domain not auto-update binding from KeyVault Certificate

ozbobwa 21

I have a webapp and a custom domain, secured with a SSL certificate binding and the externally provided and uploaded certificate in KeyVault.

The certificate was updated and a new version recorded in KeyVault.

Today when the original cert expired, the new cert was not bound to the custom domain.

When an azure webapp has a custom domain

and the certifcate is in KeyVault

and it is secured with a binding to a SSL certificate

When the KeyVault Certification is updated

and the original certificate expires

Expect the new KeyVault certificate to be used in the binding of the WebApp custom domain.

Today when the original cert expired, the new cert was not bound to the custom domain, I had to manually update it by choosing the new KeyVault certificate binding.

How do i configure Azure Keyvault and Azure WebApp to auto-update the certificate binding?

VenkateshDodda-MSFT 18,946 Reputation points Microsoft Employee

2024-05-03T10:50:52.6266667+00:00
@ozbobwa Thanks for reaching out to Microsoft Q&A, apologize for any inconvenience caused on this.

Based on the information shared, I understand that you are referencing the SSL certificate of your custom domain in app service using keyvault and today you have renew and update the key vault reference version and app service didn't get updated with the latest certificate.

Also, you want to know configure/auto-update the certificate binding in app service when there is change in keyvault.

Correct me if my understanding is wrong.

Ideally, If the secret version isn't specified in the reference,the app uses the latest version that exists in the key vault. When newer versions become available, such as with a rotation event, the app automatically updates and begins using the latest version within 24 hours.

The delay is because App Service caches the values of the key vault references and refetches it every 24 hours.

If you don't want to wait for 24hours then Any configuration change to the app causes an app restart and an immediate re-fetch of all referenced secrets.

You can refer to this documentation for more information about secrets rotation and also how to use key vault references in Azure App Service.

Hope this helps let me know if you have any further questions on this.
VenkateshDodda-MSFT 18,946 Reputation points Microsoft Employee

2024-05-06T04:21:06.7333333+00:00

Hello @ozbobwa ,

Following up to see if you have a chance to check my previous response and helped. Do let us know if you have any further questions on this.
ozbobwa 21 Reputation points

2024-05-06T07:03:33.8+00:00

@VenkateshDodda-MSFT thanks for the reply, I have a case raised with MSFT Azure App Services helpdesk.

1

You say "If the secret version isn't specified", I am using a certificate not a secret, and i am not specifiying the Keyvault certificate version. Could the Azure WebApp have stored the version ID of the KeyVault certificate?

2

"automatically updates ... using the latest version within 24 hours"

I will upload my new RapidSSL certificate file into keyVault and wait 24 hours. If the certificate has not automatically updated I will report back.

Were you refering to this feature? https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/ there is reference to this document: https://learn.microsoft.com/en-au/azure/key-vault/keys/how-to-configure-key-rotation but I am not sure that will work if my certificate originates from an external CA.
VenkateshDodda-MSFT 18,946 Reputation points Microsoft Employee

2024-05-15T05:33:07.5066667+00:00

Hello @ozbobwa ,

Following up to see if you have a chance to check my previous response and helped. Do let us know if you have any further questions on this.

1 answer

VenkateshDodda-MSFT 18,946 Reputation points Microsoft Employee

2024-05-06T10:52:04.1166667+00:00

@ozbobwa Thanks for your response and follow-up questions on this.

1.You say "If the secret version isn't specified", I am using a certificate not a secret, and i am not specifiying the Keyvault certificate version. Could the Azure WebApp have stored the version ID of the KeyVault certificate?

Sorry for the confusion here, the above information is related to key vault secret rotation.

2."automatically updates ... using the latest version within 24 hours" I will upload my new RapidSSL certificate file into keyVault and wait 24 hours. If the certificate has not automatically updated I will report back. Were you refering to this feature? https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/ there is reference to this document: https://learn.microsoft.com/en-au/azure/key-vault/keys/how-to-configure-key-rotation but I am not sure that will work if my certificate originates from an external CA.

It is clearly called out in the documentation here, that if you update the certificate in keyvault App service will automatically sync the certificate within 24 hours.
For more information you can refer to when updating(renew) a certificate section in this documentation.

Hope this helps, let me know if you have any further questions on this.
Please sign in to rate this answer.
ozbobwa 21 Reputation points

2024-05-08T01:21:47.49+00:00

I have set WEBSITE_LOAD_CERTIFICATES to * and restartarted the webspp, still no update. I will wait 25 hours just to make sure and then report an issue.

ozbobwa 21 Reputation points

2024-05-09T04:00:47.93+00:00

The binding did not update automatically.

VenkateshDodda-MSFT 18,946 Reputation points Microsoft Employee

2024-05-09T04:21:30.3166667+00:00

@ozbobwa Thanks for your response, I understand that even after adding the app setting WEBSITE_LOAD_CERTIFICATES the updated certificate is not picked up by the app service post waiting for 24 hours as mentioned in the documentation. correct me if my understanding is wrong.

Can you try updating your app service to latest certificate by using this Certificates-Create or Update REST API and check.

Also, help us how you are checking whether the app service is using latest certificate or newly updated one.

ozbobwa 21 Reputation points

2024-05-16T02:30:53.96+00:00

The documentation

WEBSITE_LOAD_CERTIFICATES is set to *

and the certificate has now been updated for much longer than 24 hours

but still the only option offered in Azure WebApp Custom Domains, is to manually Update Binding.
Next year, and every year, when I manually get Rapid SSL pfx file and upload it in to KeyVault Certificate, as a new version, I expect the WebApp Custom Domains certificate bindings are automatically updated with in 24 hours.
Sign in to comment

Share via

Azure WebApp custom domain not auto-update binding from KeyVault Certificate

1 answer