Error when linking App Service Certificate to Key Vault

  • Question

  • We have problems using our App Service Certificates with Azure Key Vault. Basically the step "Certificate Configuration > Step 1: Store." as described in the tutorial on https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site fails.

    More specifically, we purchased App Service Certificates in the past, set them to auto-renew and bound them to our Web Service via Azure Key Vault. Upon expiry of these certificates, however, they got renewed, but the link to our Key Vault somehow got broken.

    As a result, there is a warning shown in the overview blade of the corresponding App Service Certificate page. It says "configured [sic] required key vault store". If we then click on that message (or on "status" symbol), the "step 1 (store)" box is unchecked. Then clicking on that box lets us select the key vault or create a new vault, but making either selection results in an error ("Failed to link certificate with the selected key vault. Check below for more detail: InternalServerError, an error has occured").

    The Key Vault is in the same subscription as the App Service Certificate and the concerned Web Service. Web Service/App Service Certificate and Key Vault are not in the same resource group, but the issue persists if we create a key vault in the same resource group and try to store the App Service Certificate to that Key Vault.

    Access Permissions on the Key Vault are as follows:

    Microsoft.Azure.CertificateRegistration has Secrets: Get/Set/Delete permissions

    Microsoft.Azure.CertificateRegistration has Secrets: Get permissions

    The old (expired) certificates are listed in the Key Vault as user secrets, and are used by the Web Service, i.e. show up correctly in the SSL Bindings blade of the concerned app services.

    Any ideas how to solve / work around this?

    Sunday, September 1, 2019 10:06 AM

Answers

  • Update on the original post:

    Meanwhile we contacted Azure Support on this issue. They confirmed that the behaviour described above was not intended and that they were working on the issue.

    We now checked on Azure Portal and were able to store the App Service Certificate in the Key Vault, i.e. the problem seems to be fixed now, at least for us.

    Importing the App Service Certificate in our App Service required the following additional steps, though:

    1. after storing the App Service Certificate in the Key Vault (the aforementioned step "Certificate Configuration > Step 1: Store." as described in the tutorial on https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site), navigate to App Service->TLS/SSL Settings

    2. Delete SSL Binding (note down settings for later reuse)

    3. on register private key certificates, delete old private certificate

    4. click "Import App Service Certificate", select the App Service Certificate stored in the Key Vault in step 1

    5. on register Bindings, click Add Binding, select the now available new certificate and enter other settings as noted in step 2

    That should be all.



    Monday, September 2, 2019 8:32 AM

All replies

  • I get a similar issue when buying a new certificate.

    I get:
    Failed to link certificate with the selected Key Vault. Check below errors for more detail.: An error has occurred.

    The certificate and Key Vault are in the same region, same resource group and same subscription.

    Sunday, September 1, 2019 4:32 PM
  • I have the exact similar issue, can anyone help? I am not able to set up the link to my Azure Key Vault.
    Sunday, September 1, 2019 6:44 PM
  • Thanks for sharing your solution!

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, September 5, 2019 12:16 AM
    Moderator