@ozbobwa Thanks for your response and follow-up questions on this.
1.You say "If the secret version isn't specified", I am using a certificate not a secret, and i am not specifiying the Keyvault certificate version. Could the Azure WebApp have stored the version ID of the KeyVault certificate?
Sorry for the confusion here, the above information is related to key vault secret rotation.
2."automatically updates ... using the latest version within 24 hours" I will upload my new RapidSSL certificate file into keyVault and wait 24 hours. If the certificate has not automatically updated I will report back. Were you refering to this feature? https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/ there is reference to this document: https://learn.microsoft.com/en-au/azure/key-vault/keys/how-to-configure-key-rotation but I am not sure that will work if my certificate originates from an external CA.
It is clearly called out in the documentation here, that if you update the certificate in keyvault App service will automatically sync the certificate within 24 hours.
For more information you can refer to when updating(renew) a certificate section in this documentation.
Hope this helps, let me know if you have any further questions on this.