How can I revert back to the previous version of a certificate when renewing or uploading a new cert in application gateway if the new cert is not working or uploaded by accident

Handy, Frederick 80 Reputation points
2024-12-12T16:13:28.89+00:00

I would like to know if there is a way to use the previous version of a certificate that has been uploaded to the keyvault. Once the certificate has been uploaded to the keyvault and renewing the certificate in the Application Gateway Listener, if the certificate has been renewed and uploaded, is there a way to remove the new certificate or disable and use the previous version?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,342 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,099 questions
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,936 Reputation points Microsoft Employee
    2024-12-13T22:11:50.73+00:00

    @Handy, Frederick

    Thank you for your patience here.I understand you want to know if you can revert to a previous version of a certificate in Key Vault after renewing and uploading a new one to the Application Gateway Listener. Specifically, you’re asking if it’s possible to remove or disable the new certificate and use the old one instead.As you might already know and as documented here

    Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway automatically rotates the certificate if a newer version is available in your Key Vault

    Based on the recommendation above and assuming you have not referenced a secret version, then the application gateway instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the TLS/SSL certificate that's associated with the HTTPS listener is automatically rotated.

    Now for your question above if a new certificate is added to Azure Key Vault and application gateway has polled this certificate, in order to revert back to older certificate following steps are recommended by the Application Gateway team

    • Disable the new version certificate (current version) added to Azure Key Vault.
    • Initiate a change (a PUT request) on Azure Application Gateway because any change to Application Gateway forces a check against Key Vault to see if any new versions of certificates are available. If an updated certificate is found, the new certificate is immediately presented. Given the older version is still enabled the Application Gateway will poll this certificate. An example of a PUT request here will be:
    Get-AzApplicationGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzApplicationGateway
    

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.