Simplify certificate management of on-prem IIS server with Azure Arc & Azure Key Vault VM extension
One common question which I’ve come across is certificate management for web servers. Usually when servers are hosted on Azure there are ways like storing certificates and secrets in Azure Key vault is a viable solution. I’ve come across customers who’re running servers in hybrid and few servers would still remain on-premises because of dependencies. For these web servers managing certificates is a costly affair. Common practice which I’ve seen is admin sharing the certificate with application team on some file share. This has few disadvantages.
- Storing the certificate in file share or on email.
- Based on the number of application team a lot of team gets access to certificates.
- Manually applying updated certificates once the expiry is near also finding which all servers this certificate is being used is a pain if you’ve a big environment with lots of web service.
One better way to handle this scenario is to Store certificate in Azure Key vault centrally and Arc Enable the web server. One last step which will do the magic is Azure Key vault VM Extension. Which can be enabled on Arc Server as extension.
This setup provides the advantages below.
- All the certificates are stored centrally in Azure Key Vault which is protected.
- No application team has got manual access to certificates, on-prem server will pull the certificate based on the managed identity assigned via Azure Arc.
- Once the cert expiry is near Admin/app team need to just goto Azure Key Vault and update the certificate with the latest version. Azure Key vault VM Extension will pull the latest certificate and apply the same to the website.
For auto renewal of certificate, we’ll need to enable IIS Rebind.
This is how Arc VM Extension looks like when it’s enabled.
Assigning permission to Arc server to fetch the certificate from keyvault.
You can use access policy on Keyvault as well, it’s supported.
Versions of the certificate/new certificate can be uploaded from key vault certificate blade and looks like below.
If you’re renewing certificates and wanted to see if certificates are getting pulled down properly or not you can check error logs located here.
C:\ProgramData\Guestconfig\extension_logs\Microsoft.Azure.Keyvault.keyvaultforwindows
If you’re running Azure VM similar thing can be achieved :
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows
Cert Rebind in IIS:
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85
Published on:
Learn moreRelated posts
Using Sempy to Authenticate to Fabric/Power BI APIs using Service Principal and Azure Key Vault
In this blog post, the author demonstrates how to use Azure Key Vault and Azure identity to authenticate securely when working with Fabric Not...
Unlock Your Python Potential with Azure
Microsoft's appreciation for Python's versatility and developer-friendly features has led to the creation of tools and resources aimed at assi...
Azure Lab Services - Lab Plan Outage
Azure Lab Services is currently experiencing an outage that affects Lab Plans, but not Lab Accounts. This outage intermittently impacts all op...
Azure Cosmos DB Conf 2024: Accelerating Innovation in AI and Data
The fourth annual Azure Cosmos DB Conf held on April 16, 2024, was a highly anticipated event for those at the forefront of cloud data managem...
New ‘ExecutionMetrics’ event in Azure Log Analytics for Power BI Semantic Models
The Power BI integration with Azure Log Analytics just got better with the introduction of a new event - 'ExecutionMetrics'. Customers can now...
Two options for Invoice Processing in Power Platform | AI Builder or Azure Document Intelligence
If you're looking to process invoices within the Power Platform, this tutorial will provide you with valuable insights into the available opti...
Azure Communication Services May 2024 Feature Updates
The Azure Communication Services team is excited to share several new product and feature updates released in April 2024. (You can view previo...
Azure Communication Services at the European Cloud and Collaboration Summits
If you're interested in Azure Communication Services, mark your calendar for the upcoming European Cloud and Collaboration Summit from May 14-...
Why CIOs Prefer Azure DevOps for Custom Development Projects
In today's fast-paced business environment, organizations require an IT infrastructure that can deliver agility, innovation, and speed to succ...