Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,381 questions
How to import SSL cert from KeyVault when it's a secret, not a cert?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 97%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENF%3C/text%3E%3C/svg%3E)
NICHOLAS FLEETWOOD
0
Reputation points
I purchased an ssl cert through Azure.
it seems ok when i view the details of the cert. As in,
--Its successfully imported to the KeyVault
--Domain Ownership was verified
--Cert ready to use in App Service
I would, in theory, follow these instructions:
Click the App Service option on the left side of the page.
- Click the name of your app to which you want to assign this certificate.
- In the Settings, Click Custom domains and SSL.
- In the certificates section, click Import Certificate and select the Certificate that you just purchased.
- In the ssl bindings section of the SSL Settings tab, use the drop downs to select the domain name to secure with SSL, and the certificate to use.
Click Save to save the changes and enable SSL.
Now, I tried to go "Custom Domains>>...[www.mysite.com]>>update binding" and i cannot find the cert there.
But i wasnt confident in that approach anyways.
Next, I tried "Certificates>>Bring your own...>>Add certificate" and in blade, "Source>>Import from KeyVault>>Select KeyVault Certificate". The blade switches, where I choose "Subscription>>[my keyVault]>>___" and then there are no certificates to select from.
After looking into the keyVault and the cert, i realized that the cert isn't stored as a cert in the keyVault, but as a "secret", which may be why it's not appearing in the drop down?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 26%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Janaki Kota 710 Reputation points Microsoft Vendor2025-02-18T14:00:32.43+00:00 Hello @NICHOLAS FLEETWOOD,
Thank you for posting your query in Microsoft Q&A.
We understand that you are trying to import SSL certificate from Key Vault where it is stored as a secret, not as a certificate.
Usually, when a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations, and the Key Vault secret allows retrieval of the certificate value as a secret. The identifier and version of certificates are similar to those of keys and secrets.
When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy that's used to create the certificate must indicate that the key is exportable. If the policy indicates that the key is non-exportable, then the private key isn't a part of the value when it's retrieved as a secret.
In this scenario, if the SSL certificate is stored as a secret in Azure Key Vault, it won't appear in the Import from Key Vault dropdown in the Azure App Service configuration, because App Service specifically looks for certificates, not secrets.
Azure Key Vault distinguishes between secrets and certificates. Secrets are just key-value pairs, often used for things like API keys, passwords, or configuration settings. In contrast, certificates in Key Vault are specifically designed to store cryptographic certificates (like a .pfx file), and those are what App Service expects for SSL bindings. To resolve this further, you need to re-upload the certificate and once the certificate is in the certificate section of Key Vault, you can use it in your App Service for SSL bindings.
Sharing relevant document for more information: https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal
Hope this helps. Do let us know if you any further queries.
-
Janaki Kota 710 Reputation points Microsoft Vendor
2025-02-19T11:56:55.2866667+00:00 Hello @NICHOLAS FLEETWOOD,
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
-
Janaki Kota 710 Reputation points Microsoft Vendor
2025-02-20T10:14:34.0466667+00:00 Hello @NICHOLAS FLEETWOOD,
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Sign in to comment
Sign in to answer