Simplified management of Listeners TLS certificates

Simplified management of Listeners TLS certificates


One of the key features of Azure Application Gateway is TLS termination. Terminating TLS (HTTPS traffic) on the application gateway resource, which acts as a reverse proxy, allows you to relieve the TLS computation from the backend servers. Beyond that, its application delivery features let you carry out desired routing functions on incoming traffic, allowing you to inspect and flexibly route the traffic to the backends as needed.


You can use a single application gateway resource for multiple backend applications. This setup can typically be achieved by configuring the listeners with respective hostnames (FQDNs) [know more about multisite listeners]. The feature enables your gateway to listen to the incoming hostname in the requests and route them to the right backends as per the configured routing rules. This kind of gateway configuration would need you to work with multiple Listeners, Rules, Backend settings, Backend pools, maybe even the Custom probes, and not to mention the TLS certificates for different HTTPS listeners.
Knowing that our gateways typically have 5-6 HTTPS listeners on average, we were aware it was quite an effort to configure and manage the lifecycle of their TLS certificates. And there is a sizable number of gateways with 50+ HTTPS listeners! So, carrying out periodic management operations on your Application Gateway's listener certificates to meet company security guidelines, updating details, renewals, or revocation via Azure PowerShell or Azure CLI can be tedious for many. One of the challenges for gateways, especially with enormous configurations, was viewing, finding, and identifying the appropriate certificate from the list. Then, updating or deleting stale certificates through a series of commands added to the complexity.


To address these operational pain points for our customers, Azure Application Gateway now has an essential Listeners TLS certificate management GUI capability. It enables our Application Gateway V2 users to list and manage the listener TLS certificates through the portal experience.




The key features of this portal capability are


  1. Quick listing: This dedicated certificate section lists all the listener TLS listener certificates, their types, and their association with the listeners.

  2. Certificate information: The list shows required certificate details such as Expiry, Common Name, Thumbprint, and Issuer Name that help with easy identification during the various operational activities. Such information can also be helpful when troubleshooting data path issues.

  3. Bulk operations: The "Bulk update" menu option lets you edit the certificates in one go or recover a gateway from a failed provisioning state when facing simultaneous misconfigurations for multiple certificate objects.
    (Learn more).

  4. Hassle-free operationsYou can manage the certificates without worrying about the sub-resource dependencies or missing a command before saving the gateway. The guided experience in the portal takes care of these on your behalf.


Let us understand some of the features of the new Listener certificate management capability through a few use cases:


Case 1: Uploading a new certificate – The Application Gateway portal traditionally allowed you to create a new certificate (uploaded or referenced through Key Vault) during a listener add operation. To provide flexibility for our users, we now allow you to create a certificate separately.


  1. Go to your Application Gateway resource in the Azure portal.
  2. Go to the Listeners blade.
  3. Open the "Listener TLS certificates (preview)" tab.
  4. Select "Add a certificate".
You can upload a .PFX file directly to your application gateway or associate one already stored in your Key Vault.




Later, you can associate this certificate with any existing or new HTTPS listener.


Case 2: Renewing a certificate – For the certificates that are directly uploaded (Type: Uploaded) to your application gateway, the renewal process is as simple as re-uploading a PFX file. The certificate names you see on your application gateway resource are the objects or containers for the certificate data. By uploading an updated PFX file to an existing certificate, you are updating that certificate's contents.


Tip: Before you renew/update a certificate, verify if you have chosen the proper certificate by checking its expiration date, common name, or thumbprint. Note that a certificate not associated with a listener will not show these certificate details.


To renew an uploaded type certificate,

  1. Go to your Application Gateway resource in the Azure portal.
  2. Go to the Listeners blade.
  3. Open the "Listener TLS certificates (preview)" tab.
  4. Select the certificate name that you want to renew. 
  5. Select Edit. 
  6. Keep the Type as "Upload a certificate," choose the new PFX file from your local system and specify the PFX file password. 
  7. Select Save. 





(Note the certificate name is greyed out since this is an existing certificate object in which you can upload a new certificate file.) 


Case 3: Deleting a certificate that is associated with multiple listeners - Consider a scenario where you want to remove a certificate used by numerous HTTPS listeners, which in turn are associated with their respective rules. Earlier, in such cases, your PowerShell operation would look something like this to delete each rule, its listener, and the certificate.





#Get specific Application Gateway configuration $appgw=Get-AzApplicationGateway -Name "appgw-name" -ResourceGroupName "rg-name" #Remove Rules ##Remove rule for listener A $appgw=Remove-AzureRmApplicationGatewayRequestRoutingRule -Name "rule-A" -ApplicationGateway $appgw ##Remove rule for listener B $appgw=Remove-AzureRmApplicationGatewayRequestRoutingRule -Name "rule-B" -ApplicationGateway $appgw #Remove listeners ##Remove listener A $appgw=Remove-AzureRmApplicationGatewayHttpListener -Name "listener-A" -ApplicationGateway $appgw ##Remove listener B $appgw=Remove-AzureRmApplicationGatewayHttpListener -Name "listener-B" -ApplicationGateway $appgw #Remove cert $appgw=Remove-AzureRmApplicationGatewaySslCertificate -Name "cert-name" -ApplicationGateway $appgw #Save Application Gateway configuration $appgw=Set-AzApplicationGateway -ApplicationGateway $appgw




With this new portal functionality, you can delete such certificates with just a few clicks and clean up your application gateway resource.


  1. Go to your Application Gateway resource in the Azure portal.
  2. Go to the Listeners blade.
  3. Open the "Listener TLS certificates (preview)" tab.
  4. Select the certificate name that you want to delete.
  5. Select the Delete option (or you can use the three-dot menu option on the right of the certificate listing).

A confirmation message will show the list of affected sub-resources as shown below.






Visit our documentation to understand the available controls. The listener certificate management in the portal is still in the preview. We would love to hear your feedback and experiences. 

Published on:

Learn more
Azure Networking Blog articles
Azure Networking Blog articles

Azure Networking Blog articles

Share post:

Related posts

Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy