You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: Learn how to renew a certificate associated with an application gateway listener.
4
4
services: application-gateway
5
5
author: greg-lindsay
6
-
7
6
ms.service: azure-application-gateway
8
7
ms.topic: how-to
9
-
ms.date: 01/25/2022
8
+
ms.date: 03/31/2025
10
9
ms.author: greglin
11
10
ms.devlang: azurecli
12
11
---
13
12
14
13
# Renew Application Gateway certificates
15
14
16
-
At some point, you'll need to renew your certificates if you configured your application gateway for TLS/SSL encryption.
15
+
At some point, you'll need to renew your certificates if you configured your application gateway for TLS/SSL encryption. When you renew an SSL certificate with a valid new certificate, this doesn't incur any downtime for the service.
17
16
18
17
There are two locations where certificates may exist: certificates stored in Azure Key Vault, or certificates uploaded to an application gateway.
19
18
@@ -22,9 +21,9 @@ There are two locations where certificates may exist: certificates stored in Azu
22
21
When Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate if it exists. If an updated certificate is found, the TLS/SSL certificate that's currently associated with the HTTPS listener is automatically rotated.
23
22
24
23
> [!TIP]
25
-
> Any change to Application Gateway will force a check against Key Vault to see if any new versions of certificates are available. This includes, but is not limited to, changes to Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags, and more. If an updated certificate is found, the new certificate will immediately be presented.
24
+
> Any change to Application Gateway forces a check against Key Vault to see if any new versions of certificates are available. This includes, but is not limited to, changes to Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags, and more. If an updated certificate is found, the new certificate is immediately presented.
26
25
27
-
Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your key vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`.
26
+
Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway automatically rotates the certificate if a newer version is available in your key vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments