A follow-on from the Azure wildcard certbot certificate with Azure DNS TXT updates: this part covers the wildcard SSL certificate that certbot created and that has been placed into Azure Key Vault.
I am going to break this down into 2 parts. To start with I created a script to use on your Linux server, and the second part is via the Application Gateway. The script does the following:
- clean out any old processing of the certificates
- pull down the certificate from the Azure Key Vault store
- convert the PFX certificate into the
  - full chain
  - private key
- update the nginx hosting certificate files
- reload nginx
So here are the steps in full. I am using a sub-directory called "certs" to process the certificate:
echo "clean out the certs"
rm certs/*
Change the following to your Azure Key Vault name and wildcard certificate name. Please note we have to use base64 encoding, because Key Vault stores the certificate's PFX as a base64-encoded secret:
az keyvault secret download --file certs/wild.pfx --id https://<azure key vault name>.vault.azure.net/secrets/<certificate name> --encoding base64
And now just convert that PFX file into the private key and then the full certificate file (I am chaining the client certificate and the CA certificates into the full.crt file):
openssl pkcs12 -in certs/wild.pfx -passin pass: -nocerts -nodes -out certs/priv.key
openssl pkcs12 -in certs/wild.pfx -passin pass: -clcerts -nokeys -out certs/full.crt
openssl pkcs12 -in certs/wild.pfx -passin pass: -cacerts -nokeys -chain >> certs/full.crt
And then just push the certs folder into the SSL directory that your nginx SSL configuration points to:
cp certs/* /etc/nginx/ssl/<domain name>/
Final part: reload nginx to use the new certificate!
systemctl reload nginx
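As an added example (not the post's own script), here are the same five steps as one shell script, with two checks the post does not include: the unencrypted private key is written owner-only, and the key is compared against the leaf certificate before nginx is reloaded. VAULT, CERT_NAME, DOMAIN, CERT_DIR and the function names are assumed placeholders; Key Vault exporting the PFX with an empty password is assumed as in the post.

```shell
#!/usr/bin/env bash
# Assumed placeholders: set VAULT, CERT_NAME and DOMAIN for your environment.
set -eu
VAULT="${VAULT:-<azure key vault name>}"
CERT_NAME="${CERT_NAME:-<certificate name>}"
DOMAIN="${DOMAIN:-<domain name>}"
CERT_DIR="${CERT_DIR:-certs}"
NGINX_SSL_DIR="/etc/nginx/ssl/${DOMAIN}"

# Steps 1-2: clean out old files, pull the PFX from Key Vault (base64 encoding is required).
fetch_pfx() {
  mkdir -p "$CERT_DIR"
  rm -f "$CERT_DIR"/*
  az keyvault secret download --file "$CERT_DIR/wild.pfx" \
    --id "https://${VAULT}.vault.azure.net/secrets/${CERT_NAME}" --encoding base64
}

# Step 3: split PFX $1 (Key Vault exports with an empty password) into $2/priv.key and
# $2/full.crt. The key is unencrypted (-nodes), so the subshell umask keeps both owner-only.
convert_pfx() (
  umask 077
  openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes -out "$2/priv.key"
  openssl pkcs12 -in "$1" -passin pass: -clcerts -nokeys -out "$2/full.crt"
  openssl pkcs12 -in "$1" -passin pass: -cacerts -nokeys >> "$2/full.crt"
)

# Check that private key $1 and the first (leaf) certificate in $2 carry the same public
# key; a mismatch would leave nginx rejecting its config after the reload.
verify_pair() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Steps 4-5: copy into the nginx SSL directory with tight permissions, then reload only
# if the configuration still passes nginx -t.
install_and_reload() {
  install -d -m 700 "$NGINX_SSL_DIR"
  install -m 600 "$CERT_DIR/priv.key" "$CERT_DIR/full.crt" "$NGINX_SSL_DIR/"
  nginx -t && systemctl reload nginx
}
main() {
  fetch_pfx
  convert_pfx "$CERT_DIR/wild.pfx" "$CERT_DIR"
  verify_pair "$CERT_DIR/priv.key" "$CERT_DIR/full.crt" || { echo "key/cert mismatch" >&2; exit 1; }
  install_and_reload
}
# Run the full flow only when invoked as: ./deploy-cert.sh run
case "${1:-}" in run) main ;; esac
```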
To use it on the Application Gateway is very simple: go to the application gateway -> Listeners -> choose the listener you want to update, and then choose the certificate from the key vault.
AND THAT IS IT 🙂 If you need any more advice on certain areas, please say!