
How to get a certificate for Azure Application Gateway HTTPS listener

I'm trying to set up an end-to-end SSL connection using Application Gateway to communicate to an AppService instance. The AppService instance has a custom domain with SSL.

Now I would like to secure the connection from the client to the Application Gateway. When adding an HTTPS listener for the gateway, I'm asked to upload a .pfx certificate. I have managed to set up the entire process with a self-signed certificate, as described in this guide and here; however, I couldn't find any information on how to generate a pfx certificate to assign to the listener in production.

My questions are the following:

  • The gateway can't be assigned a domain, and all I have is the public IP. How should this certificate be obtained in a production environment for it to work on that IP address?
  • Can I obtain it on Azure, or using a third-party service (if yes, any suggestion)?
Luca Mozzo asked Oct 19 '25 11:10


1 Answer

The gateway can't be assigned a domain, and all I have is the public IP. How should this certificate be obtained in a production environment for it to work on that IP address?

SSL certificates are not IP specific. In your case, for end-to-end SSL, you need:

  1. Create DNS record in your custom domain that will point to WAF IP
  2. Get certificate for from the commercial CA
  3. Create "multi-site" HTTPS listener on WAF using the cert and FQDN (host name, created at #1)
  4. Add existing app service as backend pool
  5. Add HTTP Settings with
    • backend protocol HTTPS
    • override hostname - Yes
    • Pick host name from backend target
  6. Create request routing rule to link listener with pool using HTTP Settings

Alternatively, you can update existing DNS record for app service to point to WAF IP and use existing cert to set up listener.

Can I obtain it on Azure, or using a third-party service (if yes, any suggestion)?

You can use Azure Key Vault to obtain certificates from DigiCert or GlobalSign.

Dmitri Gaikovoi answered Oct 22 '25 02:10
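
Steps 1 to 3 of the answer above, as an added example that is not part of the original answer: create the key and CSR for the listener host name, package the issued certificate as the .pfx the listener asks for, and check that it covers that host name. `gateway.example.com`, the password and the function names are assumptions; `stand_in_issue` self-signs in place of the commercial CA only so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example. Host name, password and function names are placeholders.

# make_csr <fqdn> <dir>: private key + CSR whose SAN is the DNS name from step 1.
make_csr() {
  local fqdn=$1 dir=$2
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -keyout "$dir/listener.key" -out "$dir/listener.csr" 2>/dev/null
}

# stand_in_issue <dir>: constructed stand-in for the CA (self-signs the CSR)
# so the script runs offline. In production the CA returns listener.crt.
stand_in_issue() {
  openssl x509 -req -in "$1/listener.csr" -signkey "$1/listener.key" -days 30 \
    -extfile "$1/req.cnf" -extensions v3_req -out "$1/listener.crt" 2>/dev/null
}

# make_pfx <dir> <password>: bundle key + issued certificate into the .pfx.
make_pfx() {
  openssl pkcs12 -export -inkey "$1/listener.key" -in "$1/listener.crt" \
    -out "$1/listener.pfx" -passout "pass:$2"
}

# cert_covers <crt> <fqdn>: succeeds only if the certificate is valid for
# that host name (the FQDN configured on the multi-site listener).
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Demo on constructed values.
demo_dir=$(mktemp -d)
make_csr gateway.example.com "$demo_dir" && stand_in_issue "$demo_dir" &&
  make_pfx "$demo_dir" 'placeholder-password' &&
  cert_covers "$demo_dir/listener.crt" gateway.example.com &&
  echo "listener.pfx written to $demo_dir"
```

When the CA also returns intermediate certificates, pass them to `openssl pkcs12 -export` with `-certfile` so the .pfx carries the full chain.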


