Azure : Renewing the SSL Certificate of the Azure Application Gateway

Introduction

Today’s post is about changing the SSL Certificate of an Application Gateway. Why a post about this? Isn’t it a more upload button… You would think so. When creating the listener, it’s a nice & easy UI. Though I guess someone forgot the renew flow. 😉 This is the screen when you take a look at the HTTP listener. We see the certificate, but no way to edit this part…

2017-02-03-11_29_34-appgatewayhttpslistener-microsoft-azure

So we’ll have to do this manually, via powershell!

 

Updating the Certificate

First get your application gateway ;

2017-02-03-11_14_05-windows-powershell

 

And find your certificate ;

2017-02-03-11_13_35-windows-powershell

Next up ; Delete it…

2017-02-03-11_13_17-windows-powershell

Add the certificate ; 2017-02-03-11_13_00-windows-powershell

And save the configuration

2017-02-03-11_12_27-windows-powershell

And that was it! (bare in mind, the last step takes a while)

 

The Code


$agw = Get-AzureRmApplicationGateway -Name myname

Remove-AzureRmApplicationGatewaySslCertificate -Name my.domain.tld -ApplicationGateway $agw

Add-AzureRmApplicationGatewaySslCertificate -Name "my.domain.tld" -CertificateFile .\path\to\my.domain.tld.pfx -Password "MyNotSoSecretPassword" -ApplicationGateway $agw

Set-AzureRmApplicationGateway -ApplicationGateway $agw

11 thoughts on “Azure : Renewing the SSL Certificate of the Azure Application Gateway

  1. Nice post! :). Always a hassle changing out certificates, think of ADFS and WAP :).

  2. Great post;
    I encounter an issue while running the last command: Set-AzureRmApplicationGateway -ApplicationGateway $agw
    I get:
    Set-AzureRmApplicationGateway : Resource subscriptions/…/OldCert referenced by resource /subscriptions/…/CurrentListener was not found. Please make sure that the referenced resource exists, and that both resources are in the
    same region.

    Any ideas why?

  3. What’s the output of ; $agw (or when you “Get-AzureRmApplicationGateway -Name myname”)?

  4. I’ve had no luck with this script. I’m sure it’s something I’m doing wrong. Also, you need to pass in -ResourceGroupName or it breaks.

  5. Scratch that. The script IS working, but as mentioned earlier, you still need to pass in resource group name:

    $agw = Get-AzureRmApplicationGateway -Name -ResourceGroupName

  6. I had to add the new cert and commit it before removing the old one to get this to work correctly.

  7. Am I the only one who can’t verify certificate deletion in portal? Seems only possible to verify in powershell?

    1. Is it a passphrase protected certificate? If that’s the case, then I can concur on the sentiment. Best thing to do is open a support case for it, so that the attention rises towards the issue.

  8. Sorin, I encountered the same error with you.
    If you change the name of the certificate, the command doesn’t work! It outputs the error you mentioned.
    That’s because in this case, the listener still has the old certificate name (it isn’t updated with the above commands).
    So, the above commands work ONLY if you keep the same certificate name (you can find it in the portal, at ‘Listeners’).

    it would be nice if someone finds the commands how to change the certificate name too.

  9. Hi All,
    thanks for the post, but how can I check if the certificate is about to expire? Is there a way to see this date?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.