
Acquire a certificate and add it to Key Vault

For the setup, you will use a custom domain on the Application Gateway. The certificate for this will be stored in the Azure Key Vault instance you created in the previous exercise and will be retrieved from there by the Application Gateway. In this exercise, for the sake of simplicity, you will use a self-signed certificate. Keep in mind that, in production scenarios, you should use a certificate issued by a trusted certification authority.

To start, you need to generate a self-signed certificate and add it to Azure Key Vault. You can use the following guidance to perform this task:

Step by step guidance

  1. To create a self-signed certificate, you will use a sample-policy.json file. To generate the file, from the Git Bash shell prompt, run the following command:

    az keyvault certificate get-default-policy > sample-policy.json
    
  2. From the Git Bash window, use your favorite text editor to open the sample-policy.json file, change its subject property and add the subjectAlternativeNames property to match the following content, save the file, and close it.

    {
        // ...
        "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=myapp.mydomain.com",
        "subjectAlternativeNames": {
            "dnsNames": [
                "myapp.mydomain.com",
                "*.myapp.mydomain.com"
            ],
            "emails": [
                "hello@contoso.com"
            ],
            "upns": []
        },
        // ...
    }
    

    Ensure that you include the trailing comma at the end of the updated content as long as there is another JSON element following it.

  3. Replace the myapp.mydomain.com placeholder in the sample-policy.json file with a unique custom domain name (built from the APPNAME and UNIQUEID variables you already have set), which you will use later in this exercise, by running the following commands:

    DNS_LABEL=$APPNAME$UNIQUEID
    DNS_NAME=sampleapp.${DNS_LABEL}.com
    # Escape the dots so sed matches the literal hostname rather than any character;
    # the wildcard SAN entry is rewritten as well, since it contains the same suffix
    sed "s/myapp\.mydomain\.com/${DNS_NAME}/g" sample-policy.json > result-policy.json
    
  4. Review the updated content of the result-policy.json file and record the updated DNS name in the format sampleapp.<your-custom-domain-name>.com (you will need it later in this exercise) by running the following command:

    cat result-policy.json
    
  5. You can now use the result-policy.json file to create the self-signed certificate in Key Vault by running the following commands:

    CERT_NAME_IN_KV=$APPNAME-certificate
    az keyvault certificate create \
        --vault-name $KEYVAULT_NAME \
        --name $CERT_NAME_IN_KV \
        --policy @result-policy.json
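The five steps above edit the policy file by hand and with sed, which is where the trailing-comma mistake from step 2 and an unnoticed wildcard or CN/SAN mismatch tend to creep in. As an added example (not part of the original exercise or of the Azure CLI), the script below builds result-policy.json programmatically from a policy document and then runs the checks a reviewer would want before `az keyvault certificate create` is executed: the CN appears in the SAN list, no wildcard entry has been left in, the issuer is Self only when a self-signed certificate is intended, the RSA key is at least 2048 bits, and keyUsage does not carry keyCertSign. The embedded policy is constructed to mirror the shape of `az keyvault certificate get-default-policy` output rather than captured from a vault, and the hostname sampleapp.example.com is a placeholder for the sampleapp.<your-custom-domain-name>.com value recorded in step 4.

```python
"""Build and sanity-check a Key Vault certificate policy before submitting it
with `az keyvault certificate create --policy @result-policy.json`.
Added example; the policy document below is constructed (not fetched from a
real vault) and the hostnames are placeholders."""
from __future__ import annotations

import json
import re

# Constructed stand-in for sample-policy.json (step 1), modelled on the shape
# of the default policy returned by the Azure CLI.
SAMPLE_POLICY_JSON = """
{
  "issuerParameters": {"certificateTransparency": null, "name": "Self"},
  "keyProperties": {"curve": null, "exportable": true, "keySize": 2048,
                    "keyType": "RSA", "reuseKey": true},
  "lifetimeActions": [{"action": {"actionType": "AutoRenew"},
                       "trigger": {"daysBeforeExpiry": 90}}],
  "secretProperties": {"contentType": "application/x-pkcs12"},
  "x509CertificateProperties": {
    "keyUsage": ["cRLSign", "dataEncipherment", "digitalSignature",
                 "keyEncipherment", "keyAgreement", "keyCertSign"],
    "subject": "CN=CLIGetDefaultPolicy",
    "validityInMonths": 12
  }
}
"""

# Extracts the CN attribute from an X.500 subject string such as "O=Contoso, CN=host"
_CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)")


def load_sample_policy() -> dict:
    """Parse the constructed sample policy (stands in for reading sample-policy.json)."""
    return json.loads(SAMPLE_POLICY_JSON)


def build_policy(sample_policy: dict, dns_names: list[str], org: str = "Contoso") -> dict:
    """Return a copy of sample_policy with subject and SAN set for dns_names; the
    first entry becomes the CN. This replaces the editor and sed edits of steps 2
    and 3, and because json.dumps writes the file the trailing-comma pitfall
    cannot occur."""
    if not dns_names:
        raise ValueError("at least one DNS name is required")
    policy = json.loads(json.dumps(sample_policy))  # deep copy; leave the input intact
    x509 = policy["x509CertificateProperties"]
    x509["subject"] = f"C=US, ST=WA, L=Redmond, O={org}, CN={dns_names[0]}"
    x509["subjectAlternativeNames"] = {"dnsNames": list(dns_names), "emails": [], "upns": []}
    return policy


def check_policy(policy: dict, allow_self_signed: bool = False) -> list[str]:
    """Return the findings a reviewer would raise; an empty list means none."""
    findings: list[str] = []
    x509 = policy.get("x509CertificateProperties", {})
    keys = policy.get("keyProperties", {})
    issuer = policy.get("issuerParameters", {}).get("name")

    match = _CN_RE.search(x509.get("subject", ""))
    cn = match.group(1).strip() if match else None
    san = x509.get("subjectAlternativeNames", {}).get("dnsNames", [])
    if cn is None:
        findings.append("subject has no CN")
    elif cn not in san:
        findings.append(f"CN {cn!r} is missing from subjectAlternativeNames.dnsNames; "
                        "browsers match the SAN list, not the CN")
    for name in san:
        if name.startswith("*."):
            findings.append(f"wildcard SAN {name!r} covers every host under that zone, "
                            "not just the gateway hostname")
    if issuer == "Self" and not allow_self_signed:
        findings.append("issuerParameters.name is Self: self-signed, not trusted by "
                        "clients outside a lab")
    if keys.get("keyType") == "RSA" and keys.get("keySize", 0) < 2048:
        findings.append(f"RSA key size {keys.get('keySize')} is below 2048 bits")
    if "keyCertSign" in x509.get("keyUsage", []):
        findings.append("keyUsage includes keyCertSign, which a TLS server certificate "
                        "does not need")
    return findings


def render(policy: dict) -> str:
    """Serialise the policy as the file passed to --policy @result-policy.json."""
    return json.dumps(policy, indent=2) + "\n"


if __name__ == "__main__":
    # sampleapp.example.com is a placeholder for sampleapp.<your-custom-domain-name>.com
    policy = build_policy(load_sample_policy(),
                          ["sampleapp.example.com", "*.sampleapp.example.com"])
    for finding in check_policy(policy, allow_self_signed=True):
        print("finding:", finding)
    with open("result-policy.json", "w", encoding="utf-8") as fh:
        fh.write(render(policy))
```

Run it in place of steps 2 and 3 after pointing `load_sample_policy` at the real sample-policy.json; for this lab, pass `allow_self_signed=True` and treat the remaining findings as prompts to trim the wildcard entry and the keyUsage list before step 5.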