|
| 1 | +--- |
| 2 | +title: Listener SSL certificate management in Application Gateway |
| 3 | +description: Understand listener certificate management through portal. |
| 4 | +services: application-gateway |
| 5 | +author: jaesoni |
| 6 | +ms.service: application-gateway |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 03/01/2023 |
| 9 | +ms.author: jaysoni |
| 10 | +--- |
| 11 | + |
| 12 | +# SSL certificate management for listeners |
| 13 | + |
| 14 | +Listener SSL certificates in Application Gateway are used for terminating client TLS connection at the gateway. This function is analogous to uploading a certificate on a web server to support TLS/HTTPS connections from clients/browsers. |
| 15 | + |
| 16 | +## SSL Certificate structure |
| 17 | + |
| 18 | +The SSL certificates on application gateway are stored in local certificate objects or containers. This certificate container’s reference is then supplied to listeners to support TLS connections for clients. Refer to this illustration for better understanding. |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +Here is a sample application gateway configuration. The SSLCertificates property includes certificate object “contoso-agw-cert" linked to a key vault. The “listener1” references that certificate object. |
| 23 | + |
| 24 | +## Understanding the portal section (Preview) |
| 25 | + |
| 26 | +### Listener SSL certificates |
| 27 | + |
| 28 | +This section allows you to list all the SSL certificate objects that are present on your application gateway. This view is equivalent of running PowerShell command `Get-AzApplicationGatewaySslCertificate -ApplicationGateway $AppGW` or CLI command `az network application-gateway ssl-cert list --gateway-name --resource-group`. |
| 29 | + |
| 30 | + |
| 31 | + |
| 32 | +This page gives you a quick summary of all the certificates, their types and association with listeners. |
| 33 | + |
| 34 | +#### SSL Certificate types |
| 35 | + |
| 36 | +1. **Key Vault**: You can store your PFX certificate(s) in Azure Key Vault, which is a managed certificate storage service allowing tight access controls and much more. Learn about [integration with Key Vault](key-vault-certs.md#how-integration-works). |
| 37 | + |
| 38 | +1. **Uploaded**: Provide a PFX certificate directly to your application gateway. Requires certificate password as well. |
| 39 | + |
| 40 | +### Modifying an SSL certificate |
| 41 | + |
| 42 | +From the list view, you can select the certificate name or three-dot menu option to navigate to the Edit page. The edit option is helpful for the following use cases. |
| 43 | + |
| 44 | +* Changing the key vault association of a certificate – You can change a certificate’s reference from one key vault resource to another. When doing so, ensure the User-Assigned Managed Identity of your application gateway has sufficient access controls on the new key vault. |
| 45 | + |
| 46 | +* Renewal of an uploaded certificate – When an existing uploaded certificate is due for renewal, you can upload a new PFX file to update your application gateway. |
| 47 | + |
| 48 | +* Changing the certificate type from "key vault" to "uploaded" (or vice-versa) – You can easily transition your certificate provision from the one stored on your Application Gateway to the purpose-built Key Vault service. |
| 49 | + |
| 50 | +> [!NOTE] |
| 51 | +> A change in certificate associated with multiple listeners would reflect on all the listeners. |
| 52 | + |
| 53 | +### Deletion of an SSL certificate |
| 54 | + |
| 55 | +There are two primary scenarios when deleting a certificate from portal: |
| 56 | + |
| 57 | +1. SSL certificate without any listener association – Such certificates aren't in use by any listener and can be deleted directly. |
| 58 | +1. SSL certificate with an associated listener – Based on your application gateway’s configuration, these sub resources could be affected. |
| 59 | + |
| 60 | +| Sub resource | Impact | |
| 61 | +| ---------- | ---------- | |
| 62 | +| Certificate | The certificate itself gets deleted. | |
| 63 | +| Listener | The listener gets deleted if a certificate is associated with it. | |
| 64 | +| Rule | If a rule is associated with a listener, the listener and the rule are deleted. | |
| 65 | +| Redirection | If a redirection is configured with a rule, the associated redirection is also removed. | |
| 66 | +| Port | The port associated with the listener gets updated to reflect the new state. | |
| 67 | +| Frontend IP | The frontend IP of the gateway gets updated to reflect the new state. | |
| 68 | + |
| 69 | +#### Caveats |
| 70 | + |
| 71 | +1. You can't delete a certificate object if its associated listener is a redirection target for another listener. Any attempt to do so will return the following error. You can either remove the redirection or delete the dependent listener first to resolve this problem. |
| 72 | +`The listener associated with this certificate is configured as the redirection target for another listener. You will need to either remove this redirection or delete the redirected listener first to allow deletion of this certificate.` |
| 73 | + |
| 74 | +1. The Application Gateway requires at least one active Listener and Rule combination. You thus cannot delete the certificate of a HTTPS listener, if no other active listener exists. This is also true if there are only HTTPS listeners on your gateway, and all of them are referencing the same certificate. Such operations are prevented because deletion of a certificate leads to deletion of all dependent sub resources. |
| 75 | + |
| 76 | + |
| 77 | +## Next steps |
| 78 | +Read about |
| 79 | +- [Using Key Vault with Application Gateway](../application-gateway/key-vault-certs.md) |
0 commit comments