Using SSL certificates to encrypt traffic between clients and your web apps or APIs in Azure is an important security measure. SSL certificates allow traffic to be encrypted using HTTPS, preventing snooping or manipulation of data in transit. However, SSL certificates do expire periodically and need to be renewed to maintain security.
Azure Application Gateway is a service that enables load balancing of web traffic and provides other Layer 7 routing capabilities. When using Application Gateway, you can associate one or more SSL certificates with the gateway to handle HTTPS connections. If your SSL certificate is expiring soon or has already expired, you will need to update the certificate associated with the Application Gateway.
Before updating an SSL certificate in Application Gateway, you should have the following:
- An active Azure subscription
- An existing Application Gateway instance configured
- A valid SSL certificate file in .pfx format and the password for the certificate
- Permission to modify the Application Gateway in your Azure subscription
The SSL certificate file must contain the private key and cannot be expired. You will need to upload this .pfx file to Azure to update the certificate.
Steps to Update an Expired SSL Certificate
Follow these steps to upload a new SSL certificate and associate it with your Application Gateway:
1. Obtain a New SSL Certificate
First, you need to purchase or generate a new valid SSL certificate for your domain if you don’t already have one. This certificate should be exported into a .pfx file that contains the private key. Be sure to record the password for this .pfx file.
Consider using certificates from trusted Certificate Authorities like DigiCert, RapidSSL, or GoDaddy. Self-signed certificates are not recommended for production environments.
2. Upload .pfx File to Azure
In the Azure portal, navigate to the Application Gateway resource. From the Settings section, choose “SSL certificates”. Click + Add to add a new certificate.
Provide a Name for the certificate like “mydomain-2023”. For the Certificate File, select the new .pfx file containing your certificate. Enter the Password that secures the .pfx file.
Leave the other options as default and click Add to upload this new SSL certificate into Azure.
3. Update Listener to use New Certificate
Navigate to the Listeners section under Settings for the Application Gateway. Click on the existing HTTPS listener that is still using the old expired certificate.
In the Certificate section, use the dropdown to select the new SSL certificate you just uploaded. Save the changes to this listener.
This will now associate the new valid certificate with the HTTPS listener, replacing the old expired one.
4. Restart Application Gateway
For the new certificate to fully take effect, you need to restart the Application Gateway resource.
Under Operations, click Restart. Confirm you want to restart the gateway. The restart should only take a minute or two to complete.
Your Application Gateway will now be using the new SSL certificate for handling HTTPS traffic. The old expired certificate will no longer be used.
Automating SSL Certificate Updates
Manually updating SSL certificates in the Azure portal can be tedious when managing many application gateways or certificates. Some ways to automate this include:
- Azure PowerShell – Use PowerShell commands like Add-AzApplicationGatewaySslCertificate and Set-AzApplicationGateway to programmatically update certificates.
- Azure CLI – Upload new certs with az network application-gateway ssl-cert create (the command is case-sensitive and lowercase). Then update the gateway with az network application-gateway update.
- Azure Resource Manager Templates – Define the application gateway resources and properties as code, including the SSL certificate to use. Redeploying the template will automatically rotate certificates.
- Azure Key Vault – Store certificates in Key Vault and reference them in Application Gateway configurations. Certificates can auto-rotate based on policies.
- Azure Managed Certificates – Integrate Application Gateway with App Service domains and managed certificates. Certs are auto-renewed by Azure.
Automating certificate updates improves reliability and reduces the risk of downtime due to an expired certificate.
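The four portal steps above, driven from the Azure CLI as the list suggests. This is an added example, not the article's own script: it assumes a logged-in az session, an existing gateway and HTTPS listener, and a .pfx whose password is supplied through an APPGW_PFX_PASSWORD environment variable (a name chosen here).

```shell
# Added example, not from the original article: the portal steps 2-4 as an
# Azure CLI script. Assumes 'az' is logged in and the gateway, listener and
# .pfx already exist; the .pfx password is read from APPGW_PFX_PASSWORD so it
# does not land in shell history.
set -eu

# rotate_appgw_cert RESOURCE_GROUP GATEWAY LISTENER CERT_NAME PFX_PATH
# Uploads the .pfx as a new SSL certificate, rebinds the HTTPS listener to it,
# restarts the gateway and verifies the listener now references the new name.
rotate_appgw_cert() {
  rg="$1"; gw="$2"; listener="$3"; cert_name="$4"; pfx="$5"
  [ -r "$pfx" ] || { echo "cannot read $pfx" >&2; return 2; }
  [ -n "${APPGW_PFX_PASSWORD:-}" ] || { echo "APPGW_PFX_PASSWORD is not set" >&2; return 2; }

  # Step 2: upload the .pfx (private key + chain) under a new certificate name.
  az network application-gateway ssl-cert create \
    --resource-group "$rg" --gateway-name "$gw" --name "$cert_name" \
    --cert-file "$pfx" --cert-password "$APPGW_PFX_PASSWORD" --output none

  # Step 3: point the existing HTTPS listener at the new certificate.
  az network application-gateway http-listener update \
    --resource-group "$rg" --gateway-name "$gw" --name "$listener" \
    --ssl-cert "$cert_name" --output none

  # Step 4: restart so the old certificate is no longer served.
  az network application-gateway stop  --resource-group "$rg" --name "$gw" --output none
  az network application-gateway start --resource-group "$rg" --name "$gw" --output none

  # Verify: the listener's sslCertificate id must end with the new name.
  bound=$(az network application-gateway http-listener show \
    --resource-group "$rg" --gateway-name "$gw" --name "$listener" \
    --query sslCertificate.id --output tsv)
  case "$bound" in
    */sslCertificates/"$cert_name")
      echo "listener $listener now uses certificate $cert_name"; return 0 ;;
    *)
      echo "listener $listener is still bound to: ${bound:-<none>}" >&2; return 1 ;;
  esac
}

# Run only when all five arguments are supplied, e.g.
#   APPGW_PFX_PASSWORD='...' ./rotate-cert.sh my-rg my-appgw https-listener mydomain-2023 ./mydomain.pfx
if [ "$#" -eq 5 ]; then
  rotate_appgw_cert "$@"
fi
```

The final show/compare step is what turns "old certificate still in use" from a surprise into a failed script exit.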
Troubleshooting Common Certificate Issues
When updating SSL certificates, some common problems include:
- Old certificate still in use – Restart gateway after updating listener certificate
- Certificate chain issues – Ensure full intermediate chain is included
- Incorrect certificate password – Double check password when uploading .pfx file
- Authorization problems – Check service principal used has needed permissions
- Invalid certificate file – Confirm .pfx contains private key and matches domain
- Outdated gateway config – Some properties may need to be updated after adding new cert
Checking the Application Gateway's health and diagnostic logs, and restarting it, can help narrow down certificate problems. Also confirm that the new certificate was uploaded successfully and is the one referenced by the HTTPS listener.
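A pre-flight check that catches the password, private-key, expiry, domain and chain problems listed above before the .pfx is uploaded. This is an added example in POSIX sh using the openssl command-line tool (1.1.1 or newer), not from the article; make_test_pfx builds a constructed self-signed bundle purely so the checks can be tried offline.

```shell
# Added example, not from the original article: pre-flight checks on a .pfx
# before uploading it, covering the troubleshooting items above (password,
# private key, expiry, domain match, intermediate chain). Needs openssl 1.1.1+.
set -eu

# check_pfx PFX PASSWORD HOSTNAME [MIN_DAYS]: returns 0 if every check passes.
check_pfx() {
  pfx="$1"; pw="$2"; host="$3"; min_days="${4:-14}"; fails=0
  work=$(mktemp -d)
  # Wrong password or corrupt file: the bundle cannot be opened at all.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -out "$work/chain.pem" 2>/dev/null; then
    echo "FAIL: cannot open $pfx (wrong password or not PKCS#12)"; rm -rf "$work"; return 1
  fi
  # Application Gateway rejects a bundle without the private key.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; then
    echo "FAIL: no private key in $pfx"; fails=1
  fi
  # The first certificate in the bundle is taken as the leaf (server) certificate.
  openssl x509 -in "$work/chain.pem" -out "$work/leaf.pem"
  # Expiry: fail if the leaf is expired or expires within MIN_DAYS.
  if ! openssl x509 -in "$work/leaf.pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: leaf certificate expires within $min_days days"; fails=1
  fi
  # Domain: the listener's host name must be covered by the leaf's CN/SAN.
  if ! openssl x509 -in "$work/leaf.pem" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "FAIL: certificate does not cover $host"; fails=1
  fi
  # Chain: a CA-issued leaf needs its intermediates bundled; a self-signed
  # leaf (subject == issuer) legitimately has none.
  ncerts=$(grep -c 'BEGIN CERTIFICATE' "$work/chain.pem")
  subj=$(openssl x509 -in "$work/leaf.pem" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$work/leaf.pem" -noout -issuer | sed 's/^issuer=//')
  if [ "$ncerts" -lt 2 ] && [ "$subj" != "$iss" ]; then
    echo "FAIL: CA-issued leaf but no intermediate certificate bundled"; fails=1
  fi
  rm -rf "$work"
  [ "$fails" -eq 0 ] && echo "OK: $pfx passes all checks for $host"
  return "$fails"
}

# make_test_pfx OUT.pfx PASSWORD HOSTNAME DAYS: builds a constructed, self-signed
# test bundle so the checks can be exercised offline (not for production use).
make_test_pfx() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$4" -subj "/CN=$3" \
    -addext "subjectAltName=DNS:$3" -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -out "$1" -passout "pass:$2"
  rm -rf "$d"
}
```

Run it as `check_pfx ./mydomain.pfx "$PFX_PASSWORD" www.mydomain.com 30` before step 2; a non-zero exit means the upload would either fail or leave the listener with an unusable certificate.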
It’s important to monitor SSL certificate expirations and promptly update certificates in Azure Application Gateway. Allowing certificates to expire can lead to loss of encrypted traffic and errors.
Uploading a new .pfx certificate file and associating it with the gateway’s listeners will replace the old cert. Automation can streamline this process at scale. With an understanding of the proper certificate update steps, you can maintain application security and availability.