How can I revert back to the previous version of a certificate when renewing or uploading a new cert in application gateway if the new cert is not working or uploaded by accident

Handy, Frederick 80 Reputation points
2024-12-12T16:13:28.89+00:00

I would like to know if there is a way to use the previous version of a certificate that has been uploaded to Key Vault. Once the certificate has been uploaded to Key Vault and the certificate has been renewed in the Application Gateway listener, is there a way to remove or disable the new certificate and use the previous version?


Accepted answer
    ChaitanyaNaykodi-MSFT 26,936 Reputation points Microsoft Employee
    2024-12-13T22:11:50.73+00:00

    @Handy, Frederick

    Thank you for your patience here. I understand you want to know if you can revert to a previous version of a certificate in Key Vault after renewing and uploading a new one to the Application Gateway Listener. Specifically, you're asking if it's possible to remove or disable the new certificate and use the old one instead. As you might already know, and as documented here:

    Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway automatically rotates the certificate if a newer version is available in your Key Vault

    Based on the recommendation above and assuming you have not referenced a secret version, then the application gateway instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the TLS/SSL certificate that's associated with the HTTPS listener is automatically rotated.

    Now, for your question above: if a new certificate is added to Azure Key Vault and Application Gateway has polled this certificate, the following steps are recommended by the Application Gateway team in order to revert to the older certificate:

    • Disable the new version of the certificate (the current version) added to Azure Key Vault.
    • Initiate a change (a PUT request) on Azure Application Gateway, because any change to Application Gateway forces a check against Key Vault to see if any new versions of certificates are available. If an updated certificate is found, the new certificate is immediately presented. Given that the older version is still enabled, the Application Gateway will poll this certificate. An example of a PUT request here would be:
      Get-AzApplicationGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzApplicationGateway

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

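The two steps from the accepted answer carried out end to end, as an added example (not the answer's own script): disable the newest Key Vault certificate version, force a PUT on the gateway, then check which certificate the listener actually presents. All names are placeholders, the listener is assumed to reference the secret without a version (as the answer recommends), and the Az.KeyVault and Az.Network modules are assumed to be installed and signed in.

```powershell
# Added example, not the answer's own script. Rolls an Application Gateway back to the previous
# Key Vault certificate version: disable the newest version, force a PUT, then verify what is served.
# All names below are placeholders; the listener is assumed to reference the secret without a version.
$vaultName    = "your_key_vault_name"
$certName     = "your_certificate_name"
$gwName       = "your_resource_name"
$gwRg         = "your_resource_group_name"
$listenerHost = "www.example.com"   # hostname the HTTPS listener answers for

function Get-ServedThumbprint([string]$HostName, [int]$Port = 443) {
    # Open a TLS session and read the leaf certificate the gateway presents.
    # Validation is bypassed on purpose: we only want to identify the certificate, not trust it.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate).Thumbprint
    } finally {
        $tcp.Dispose()
    }
}

# Newest version first; Created is the version timestamp in Key Vault.
$versions = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -IncludeVersions |
    Sort-Object -Property Created -Descending
if ($versions.Count -lt 2) {
    throw "Only one version of '$certName' exists; there is no previous version to fall back to."
}
$current  = $versions[0]
$previous = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -Version $versions[1].Version
if (-not $previous.Enabled) {
    throw "Previous version $($previous.Version) is disabled; enable it first or the gateway has nothing to fall back to."
}

# Step 1 from the answer: disable the unwanted current version.
Update-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -Version $current.Version -Enable $false | Out-Null

# Step 2 from the answer: any PUT on the gateway forces an immediate Key Vault check.
Get-AzApplicationGateway -Name $gwName -ResourceGroupName $gwRg | Set-AzApplicationGateway | Out-Null

# Confirm the listener now presents the previous version (thumbprints are compared case-insensitively).
$served = Get-ServedThumbprint -HostName $listenerHost
if ($served -ieq $previous.Thumbprint) {
    Write-Host "Rollback confirmed: listener serves version $($previous.Version) ($served)."
} else {
    Write-Warning "Listener still serves $served; expected $($previous.Thumbprint). Re-check in a few minutes."
}
```

The final check matters because the PUT only triggers the Key Vault lookup; the gateway instances may take a short time to start presenting the older certificate.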
