Use Azure Application Gateway with the certbot wild card certificate stored within the Azure Key Vault

A follow-on from the Azure wildcard certbot certificate with Azure DNS TXT updates post, this part covers storing the wildcard SSL certificate that certbot created in Azure Key Vault, so that Application Gateway can use it.

So, in essence, the process is to:

  1. Check for new certificates via the certbot renewal process
  2. If there is a new certificate, create a PFX from it
  3. Upload this PFX file into the Key Vault

So, to start with, let's obtain a new certificate (if there is one!). Please change the domain name to the one you are using; the preferred challenge should be whatever you have set up as the default process for this certificate. I am using an Azure DNS zone, so I use the certbot-azure-dns certbot plugin.

certbot certonly --manual -d '*.<domain name>' --preferred-challenges=dns

The next part is the most important one: creating the PFX file from the new certificate. Please note that you have to include the whole certificate chain, i.e. the chain / fullchain files, not just the leaf certificate (change the domain name again to what you are using).

openssl pkcs12 -export -out <domain name>.pfx -inkey /etc/letsencrypt/live/<domain name>/privkey.pem -in /etc/letsencrypt/live/<domain name>/cert.pem -certfile /etc/letsencrypt/live/<domain name>/chain.pem

And then the last part is to upload that certificate into the Azure Key Vault (the identity you run this as, e.g. the managed identity of the service you are using, must have been granted access to the Key Vault).

az keyvault certificate import --vault-name "<key vault name>" -n "<certificate name in the key vault, e.g. my domain>" -f <domain name>.pfx
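The three steps above wired together as one certbot deploy hook, as an added example that is not part of the original post: certbot runs the hook only for certificates it actually renewed, which covers step 1, and the hook then builds the PFX and imports it. KEY_VAULT_NAME is an assumed environment variable; the script path and the hyphenated certificate name are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: the three steps (detect renewal, build
# PFX, import into Key Vault) as a certbot deploy hook, which certbot runs only for
# certificates it actually renewed:
#   certbot renew --deploy-hook /usr/local/sbin/kv-upload.sh
# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain name>) to the hook.
# KEY_VAULT_NAME is an assumed environment variable; set it to your vault's name.
set -eu

# Key Vault certificate names allow only letters, digits and hyphens, so map the
# lineage name (example.com, or *.example.com) to example-com for the -n argument.
kv_cert_name() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9-]/-/g; s/--*/-/g; s/^-//; s/-$//'
}

# Step 2 of the post: bundle private key, leaf cert and intermediates into one PFX.
# -certfile carries chain.pem; without it Application Gateway serves an incomplete
# chain. The PFX password is read from the PFX_PASSWORD environment variable so it
# never appears on the openssl command line.
make_pfx() {   # make_pfx <lineage dir> <out.pfx>
    openssl pkcs12 -export -out "$2" \
        -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
        -passout env:PFX_PASSWORD
}

# Step 3: import the PFX. The identity behind `az login` (or the managed identity of
# the machine running this) needs the certificate import permission on the vault.
upload_pfx() { # upload_pfx <vault> <cert name> <pfx>
    az keyvault certificate import --vault-name "$1" -n "$2" -f "$3" \
        --password "$PFX_PASSWORD"
}

main() {
    lineage="$RENEWED_LINEAGE"
    name=$(kv_cert_name "$(basename "$lineage")")
    pfx=$(mktemp)                          # mode 0600; holds the private key until uploaded
    trap 'rm -f "$pfx"' EXIT
    PFX_PASSWORD=$(openssl rand -hex 16)   # throwaway password, never written to disk
    export PFX_PASSWORD
    make_pfx "$lineage" "$pfx"
    upload_pfx "${KEY_VAULT_NAME:?set KEY_VAULT_NAME}" "$name" "$pfx"
}

# Run only when certbot invokes this as a hook; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Because the hook is only invoked for renewed lineages, running it from a daily `certbot renew` cron job leaves the Key Vault untouched until a certificate actually changes.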

AND THAT IS IT 🙂 — if you need any more advice on certain areas please say!
