
Acquire a certificate and add it to Key Vault

You now have Azure Spring Apps redeployed into a virtual network, with a private DNS zone providing its name resolution. This configuration allows the microservices to communicate with each other within the virtual network. However, to make the corresponding apps accessible from the internet, you need to implement a service that exposes a public endpoint; for this purpose you will use Azure Application Gateway. You will also need to make sure that the domain name associated with the public endpoint is the same as the host name that Application Gateway uses to direct traffic to the Azure Spring Apps back end. This is required for cookies and generated redirect URLs to work as expected.

To configure this, you need to set up a custom domain name and generate a corresponding certificate for Azure Spring Apps. The certificate will be stored in the Azure Key Vault instance you created in the previous exercise and will be retrieved from there by your apps. In this exercise, for the sake of simplicity, you will use a self-signed certificate. Keep in mind that, in production scenarios, you should use a certificate issued by a trusted certification authority.

To start, you need to generate a self-signed certificate and add it to Azure Key Vault. You can use the following guidance to perform this task:

Step by step guidance

  1. To create a self-signed certificate, you will use a sample-policy.json file. To generate the file, from the Git Bash shell prompt, run the following command:

    az keyvault certificate get-default-policy > sample-policy.json
    
  2. From the Git Bash window, use your favorite text editor to open the sample-policy.json file, change its subject property and add the subjectAlternativeNames property to match the following content, save the file, and close it.

    {
        // ...
        "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=myapp.mydomain.com",
        "subjectAlternativeNames": {
            "dnsNames": [
                "myapp.mydomain.com",
                "*.myapp.mydomain.com"
            ],
            "emails": [
                "hello@contoso.com"
            ],
            "upns": []
        },
        // ...
    }
    

    The `// ...` lines stand for the other properties already present in the file; leave them in place (the file itself must remain valid JSON, so do not copy the `// ...` markers literally). Ensure that you keep the trailing comma after the `subjectAlternativeNames` block as long as another JSON element follows it.

  3. Replace the placeholder `myapp.mydomain.com` DNS name in the sample-policy.json file with a randomly generated custom domain name that you will use later in this exercise by running the following commands (this assumes the UNIQUEID variable from earlier in the lab is still set in your shell):

    DNS_LABEL=springappsdns$UNIQUEID
    DNS_NAME=sampleapp.${DNS_LABEL}.com
    # escape the dots so sed matches the literal placeholder host name only
    sed "s/myapp\.mydomain\.com/${DNS_NAME}/g" sample-policy.json > result-policy.json
    
  4. Review the updated content of the result-policy.json file and record the updated DNS name in the format sampleapp.<your-custom-domain-name>.com (you will need it later in this exercise) by running the following command:

    cat result-policy.json
    
  5. You can now use the result-policy.json file to create a self-signed certificate in Key Vault (the `@` prefix tells the CLI to read the policy from the file):

    CERT_NAME_IN_KV=openlab-certificate
    az keyvault certificate create \
        --vault-name $KEYVAULT_NAME \
        --name $CERT_NAME_IN_KV \
        --policy @result-policy.json
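Steps 2 through 5 edit the policy as text, which is brittle: a stray comma or a placeholder left behind produces a certificate whose names do not match the Application Gateway host, and the mismatch only shows up later as cookie and redirect failures. The following added example (not part of the lab or of the Azure CLI) does the same edit as a JSON transformation and then checks the result before it is handed to `az keyvault certificate create`. The DEFAULT_POLICY dictionary is a constructed sample modelled on what `az keyvault certificate get-default-policy` prints; the names `dns_name_for`, `build_policy`, `check_policy` and `is_self_signed` are assumptions for this example.

```python
"""Build and validate a Key Vault certificate policy for a custom domain.

Added example, not code from the lab: it reproduces steps 2-5 of the page
by editing the policy as JSON rather than with a text editor and sed, so
the file stays well-formed and the subject / SAN names can be verified.
"""
import copy
import json
import sys

# Constructed sample (assumption: shape modelled on the output of
# `az keyvault certificate get-default-policy`; the real file may carry
# additional fields, which build_policy leaves untouched).
DEFAULT_POLICY = {
    "issuerParameters": {"certificateTransparency": None, "name": "Self"},
    "keyProperties": {"exportable": True, "keySize": 2048,
                      "keyType": "RSA", "reuseKey": True},
    "lifetimeActions": [{"action": {"actionType": "AutoRenew"},
                         "trigger": {"daysBeforeExpiry": 90}}],
    "secretProperties": {"contentType": "application/x-pkcs12"},
    "x509CertificateProperties": {
        "keyUsage": ["digitalSignature", "keyEncipherment"],
        "subject": "CN=CLIGetDefaultPolicy",
        "validityInMonths": 12,
    },
}

PLACEHOLDER_HOST = "myapp.mydomain.com"


def dns_name_for(unique_id, label_prefix="springappsdns", host="sampleapp"):
    """Mirror the page's DNS_LABEL / DNS_NAME shell variables."""
    return f"{host}.{label_prefix}{unique_id}.com"


def build_policy(default_policy, dns_name, org="Contoso"):
    """Return a copy of default_policy with subject and SANs set for dns_name.

    The CN and the first SAN entry are the same host, because TLS clients
    match the server name against the SAN list, not the CN."""
    policy = copy.deepcopy(default_policy)          # never mutate the input
    x509 = policy.setdefault("x509CertificateProperties", {})
    x509["subject"] = (f"C=US, ST=WA, L=Redmond, O={org}, "
                       f"OU={org} HR, CN={dns_name}")
    x509["subjectAlternativeNames"] = {
        "dnsNames": [dns_name, f"*.{dns_name}"],   # host plus wildcard, as on the page
        "emails": [f"hello@{org.lower()}.com"],
        "upns": [],
    }
    return policy


def subject_cn(subject):
    """Extract the CN attribute from an X.500-style subject string."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("subject has no CN")


def is_self_signed(policy):
    """True when Key Vault will act as the issuer (lab setting, not production)."""
    return policy.get("issuerParameters", {}).get("name") == "Self"


def check_policy(policy, expected_host):
    """Return a list of problems; an empty list means the policy is consistent
    with the host name Application Gateway will present to the back end."""
    problems = []
    x509 = policy.get("x509CertificateProperties", {})
    cn = subject_cn(x509.get("subject", "CN="))
    sans = x509.get("subjectAlternativeNames", {}).get("dnsNames", [])
    if cn != expected_host:
        problems.append(f"CN {cn!r} does not match gateway host {expected_host!r}")
    if expected_host not in sans:
        problems.append(f"{expected_host!r} is missing from SAN dnsNames")
    if PLACEHOLDER_HOST in sans or PLACEHOLDER_HOST in cn:
        problems.append("placeholder host name is still present")
    return problems


def write_policy(policy, path):
    """Write the policy as strict JSON (no comments), ready for --policy @path."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=4)
    return path


if __name__ == "__main__":
    unique_id = sys.argv[1] if len(sys.argv) > 1 else "1234"   # constructed default
    dns_name = dns_name_for(unique_id)
    policy = build_policy(DEFAULT_POLICY, dns_name)
    problems = check_policy(policy, dns_name)
    if problems:
        sys.exit("policy rejected: " + "; ".join(problems))
    path = write_policy(policy, "result-policy.json")
    print(f"wrote {path} for {dns_name}; self-signed={is_self_signed(policy)}")
    print("next: az keyvault certificate create --vault-name $KEYVAULT_NAME "
          f"--name openlab-certificate --policy @{path}")
```

Run it with the lab's unique suffix as the argument (`python build_policy.py $UNIQUEID`); it refuses to write result-policy.json when the CN, the SAN list and the intended host disagree, which is exactly the mismatch the page warns breaks cookies and redirects. `is_self_signed` is reported separately rather than treated as an error, since the lab deliberately uses a self-signed certificate; in production the check would require a trusted issuer name instead.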