
Retrieve/recover cert pfx from Azure Application Gateway

I want to retrieve/download the original pfx certificate that was uploaded onto our Application Gateway.

So far I have done the following in PowerShell:

$appGw = Get-AzApplicationGateway -Name "appgatewayname" -ResourceGroupName "appgatewayresourcegroup"

$certs = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw

$certBase64 = $certs[0].PublicCertData
$certBytes = [System.Convert]::FromBase64String($certBase64)

[io.file]::WriteAllBytes("C:\directory\newcert.pfx", $certBytes)

However, it doesn't seem to be a valid certificate, especially when I try to upload it onto our KeyVault.

Is anyone familiar, and is this even possible? Should I use the Data property instead of the PublicCertData?

AnimaSola asked Nov 15 '25 23:11


1 Answer

A .pfx file can't be retrieved after you have uploaded it to an application gateway listener. I have checked Azure Resource Explorer; there is no API provided by Azure to retrieve it. I also double-checked with the Azure product team.

Though it seems we can use the Get-AzApplicationGatewaySslCertificate PS command to get certs, it actually provides you with PublicCertData only; there is no PrivateCertData of the .pfx file. I have also tested on my side: the value of the Data property is empty.

So if you want to upload this .pfx file to Azure KV, I am afraid the only way is to upload the original pfx certificate to Azure KV directly.

Stanley Gong answered Nov 17 '25 18:11
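To see for yourself what a blob like PublicCertData holds, the following added example (not code from the question or the answer) decodes a base64 string, reports the detected container type, and lists each certificate with its thumbprint and whether a private key is present. The function name Get-CertBlobSummary and the sample certificate are assumptions made for illustration; the sample is a constructed public-only PKCS#7 blob standing in for `$certs[0].PublicCertData`, and PowerShell 7 is assumed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: summarise a base64 certificate blob without writing it to disk.
function Get-CertBlobSummary {
    param([Parameter(Mandatory)][string]$Base64Data)

    $bytes = [Convert]::FromBase64String($Base64Data)
    # Let .NET identify the container (Cert, Pkcs7, Pfx, ...) instead of
    # trusting a file extension such as .pfx.
    $type = [X509Certificate2]::GetCertContentType($bytes)

    $coll = [X509Certificate2Collection]::new()
    $coll.Import($bytes)

    foreach ($c in $coll) {
        [pscustomobject]@{
            ContentType   = $type
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey   # a usable .pfx needs this to be True
        }
    }
}

# --- Constructed sample input (stand-in for $certs[0].PublicCertData) ---
# A throwaway self-signed certificate is created in memory, then exported as
# PKCS#7, a format that carries certificates only and never the private key.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=appgw.example.test', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$full = $req.CreateSelfSigned([DateTimeOffset]::UtcNow,
            [DateTimeOffset]::UtcNow.AddDays(30))
$publicOnly = [X509Certificate2Collection]::new($full)
$sample = [Convert]::ToBase64String($publicOnly.Export([X509ContentType]::Pkcs7))

# With a real gateway, pass $certs[0].PublicCertData here instead of $sample.
Get-CertBlobSummary -Base64Data $sample | Format-List
```

The Thumbprint value is the practical takeaway: compare it against the thumbprints of the .pfx files you still hold to find the original that should be uploaded to Key Vault.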


