Previously, we were storing our certificates in a Key Vault secret. But as this function is deprecated, we are now storing the certificates in the Key Vault -> Certificates.

When deploying an App Service to Azure, we make use of this part of the ARM template to get the certificate. This one is still getting the certificate from the secret instead of from the certificates.

    "resources": [
        {
            "type": "Microsoft.Web/certificates",
            "name": "[variables('certName1')]",
            "apiVersion": "2019-08-01",
            "location": "[variables('location')]",
            "properties": {
                "keyVaultId": "[resourceId(variables('vaultSubscriptionId'),variables('vaultResourcegroupName'),'Microsoft.KeyVault/vaults', variables('vaultName'))]",
                "keyVaultSecretName": "[variables('vaultSecretName1')]"
            }
        },
        {
            "type": "Microsoft.Web/certificates",
            "name": "[variables('certName2')]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/certificates', variables('certName1'))]"
            ],
            "apiVersion": "2019-08-01",
            "location": "[variables('location')]",
            "properties": {
                "keyVaultId": "[resourceId(variables('vaultSubscriptionId'),variables('vaultResourcegroupName'),'Microsoft.KeyVault/vaults', variables('vaultName'))]",
                "keyVaultSecretName": "[variables('vaultSecretName2')]"
            }
        },

We are now getting the certificate with keyVaultSecretName, but we don't want to use the Key Vault secret anymore to get the certificate; we want to get it directly from Certificates. But I can't find how to do this. I get errors when removing the keyVaultSecretName property, or, when I leave it there, it can't find the certificate.

1408786user
  • how about using the related command-line to get the certificate from Azure key vault? Maybe you can try the "[az keyvault certificate](https://learn.microsoft.com/en-us/cli/azure/keyvault/certificate?view=azure-cli-latest)" command or the PowerShell command "[Get-AzKeyVaultCertificate](https://learn.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultcertificate?view=azps-5.6.0)" in your pipeline. – Bright Ran-MSFT Mar 17 '21 at 07:39
  • It ended up that we did not need the Microsoft.Web/certificates in our ARM. We had to manually import the certificate for each region via a random App Service in that region -> TLS/SSL settings -> Private Key Certificates (.pfx) -> Import Key Vault Certificate. We are only using 3 regions, so that was not a big deal. After that, our ARM was working without the Microsoft.Web/certificates resources in it. – 1408786user Mar 17 '21 at 11:07
  • Hi @1408786user, glad that you have solved the problem. If possible, could you please post an answer with a summary of your workaround? This may also be very helpful to other people who are looking for a solution to similar problems. Thanks. – Bright Ran-MSFT Mar 29 '21 at 07:52

1 Answer

In your pipelines on Azure DevOps, if you want to use the Certificates stored in Key Vault on the Azure Portal, normally you should access the Certificates via a variable group on Azure DevOps.

  1. Set up the variable group.

  2. Link the variable group into the pipeline where you need to use the Certificates.

[UPDATE]

It seems that you should use "keyVaultSecretName" to get the certificates; it is the predefined Certificate property. See here.

I also found some related articles, and all of them are using "keyVaultSecretName".

Bright Ran-MSFT
  • It's set up like that, and working with the ARM as shown in my post. But only when the certificate is stored in a secret, not when it's stored in certificates. So I guess we need to modify the ARM. But I can't find what it should be? – 1408786user Mar 03 '21 at 13:14
  • Hi @1408786user, I have updated my above answer with more information. Please check it. – Bright Ran-MSFT Mar 04 '21 at 07:39
  • 1
    With keyVaultSecretName it was working. But that option is deprecated, so we are looking for a solution to read it directly from key vault certificates instead of key vault secrets. – 1408786user Mar 06 '21 at 20:18
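As an added example that is not part of the question or the answer above: a PowerShell preflight and deployment script for the situation the asker describes. A Key Vault certificate is stored as linked certificate, key and secret objects that share one name, and the Microsoft.Web/certificates resource imports the PFX through that backing secret, so keyVaultSecretName is given the certificate's name rather than the name of a separately created secret. The script checks that the certificate and its backing secret exist, grants the App Service first-party principal read access to the vault, deploys the template and compares thumbprints afterwards. It assumes the Az module and an existing Connect-AzAccount session; the vault, certificate, resource group and template names, and the vaultId/vaultSecretName1 template parameters, are placeholders for this example (the template in the question uses variables instead, so adapt that step to your own template).

```powershell
# Added example (not from the question, the answer, or Microsoft's own samples).
# Preflight + deploy for a Microsoft.Web/certificates resource that references a
# Key Vault *certificate* object. All names below are placeholders.
param(
    [string]$VaultName    = 'kv-shared-weu',
    [string]$VaultRg      = 'rg-shared',
    [string]$CertName     = 'wildcard-example-com',
    [string]$AppRg        = 'rg-app-weu',
    [string]$TemplateFile = '.\appservice.json'
)

$ErrorActionPreference = 'Stop'

# 1. The certificate object must exist. Its backing secret has the same name, and that
#    secret is what keyVaultSecretName in Microsoft.Web/certificates points at.
$cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
if (-not $cert) { throw "Certificate '$CertName' not found in vault '$VaultName'" }
Write-Host "Found $($cert.Name): thumbprint $($cert.Thumbprint), expires $($cert.Expires)"

# 2. Check the backing secret's content type. App Service imports the PKCS#12 (PFX)
#    form; a certificate created or imported as PEM shows application/x-pem-file here.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName
if ($secret.ContentType -ne 'application/x-pkcs12') {
    Write-Warning "Backing secret content type is '$($secret.ContentType)', expected application/x-pkcs12"
}

# 3. App Service reads the vault with its own first-party principal ("Microsoft Azure
#    App Service"), not with the identity running the deployment. Grant it read access.
#    If the vault uses the RBAC permission model this call fails; assign the
#    Key Vault Secrets User and Key Vault Certificate User roles to the same principal instead.
$appServiceAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $VaultRg `
    -ServicePrincipalName $appServiceAppId `
    -PermissionsToSecrets get -PermissionsToCertificates get

# 4. Deploy. Assumption for this example: the template takes vaultId and vaultSecretName1
#    as parameters and feeds them into keyVaultId / keyVaultSecretName. The value passed
#    for vaultSecretName1 is the certificate name.
$vaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultRg).ResourceId
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $AppRg -TemplateFile $TemplateFile `
    -TemplateParameterObject @{ vaultId = $vaultId; vaultSecretName1 = $CertName }
Write-Host "Deployment $($deployment.DeploymentName): $($deployment.ProvisioningState)"

# 5. Verify the imported App Service certificate is the one in Key Vault by thumbprint,
#    so a stale PFX that happened to share the name cannot slip through.
$imported = Get-AzWebAppCertificate -ResourceGroupName $AppRg -Thumbprint $cert.Thumbprint
if (-not $imported) {
    throw "Deployment finished but no Microsoft.Web/certificates resource with thumbprint $($cert.Thumbprint) exists in $AppRg"
}
Write-Host "Imported certificate $($imported.Name) matches Key Vault thumbprint"
```

Run it once per region the App Service is deployed to, since Microsoft.Web/certificates resources are regional; step 3 only needs to run once per vault. The thumbprint comparison in step 5 is the check worth keeping in a pipeline: a successful deployment only tells you that some certificate was imported, not that it is the one currently in the vault.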