Simplify certificate management of on-prem IIS server with Azure Arc & Azure Key Vault VM extension

One common question which I’ve come across is certificate management for web servers. Usually when servers are hosted on Azure there are ways like storing certificates and secrets in Azure Key vault is a viable solution. I’ve come across customers who’re running servers in hybrid and few servers would still remain on-premises because of dependencies. For these web servers managing certificates is a costly affair. Common practice which I’ve seen is admin sharing the certificate with application team on some file share. This has few disadvantages.

Storing the certificate in file share or on email.
Based on the number of application team a lot of team gets access to certificates.
Manually applying updated certificates once the expiry is near also finding which all servers this certificate is being used is a pain if you’ve a big environment with lots of web service.

One better way to handle this scenario is to Store certificate in Azure Key vault centrally and Arc Enable the web server. One last step which will do the magic is Azure Key vault VM Extension. Which can be enabled on Arc Server as extension.

This setup provides the advantages below.

All the certificates are stored centrally in Azure Key Vault which is protected.
No application team has got manual access to certificates, on-prem server will pull the certificate based on the managed identity assigned via Azure Arc.
Once the cert expiry is near Admin/app team need to just goto Azure Key Vault and update the certificate with the latest version. Azure Key vault VM Extension will pull the latest certificate and apply the same to the website.

$Settings = @{ secretsManagementSettings = @{ observedCertificates = @( "https://keyvaultname.vault.azure.net/secrets/certificatename" # Add more here in a comma separated list ) certificateStoreLocation = "LocalMachine" certificateStoreName = "My" pollingIntervalInS = "3600" # every hour } authenticationSettings = @{ # Don't change this line, it's required for Arc enabled servers msiEndpoint = "http://localhost:40342/metadata/identity" } } $ResourceGroup = "ARC_SERVER_RG_NAME" $ArcMachineName = "ARC_SERVER_NAME" $Location = "ARC_SERVER_LOCATION (e.g. eastus2)" New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForWindows" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForWindows" -Setting (ConvertTo-Json $Settings)

For auto renewal of certificate, we’ll need to enable IIS Rebind.

This is how Arc VM Extension looks like when it’s enabled.

Assigning permission to Arc server to fetch the certificate from keyvault.
You can use access policy on Keyvault as well, it’s supported.

Versions of the certificate/new certificate can be uploaded from key vault certificate blade and looks like below.

If you’re renewing certificates and wanted to see if certificates are getting pulled down properly or not you can check error logs located here.
C:\ProgramData\Guestconfig\extension_logs\Microsoft.Azure.Keyvault.keyvaultforwindows