Commit bb83eaf

Merge pull request #183509 from JackStromberg/patch-34
Adding tip to docs to force certificate rotation
2 parents b82ee38 + b772849 commit bb83eaf

File tree

1 file changed

+4
-1
lines changed


articles/application-gateway/key-vault-certs.md

Lines changed: 4 additions & 1 deletion
@@ -31,7 +31,10 @@ Application Gateway integration with Key Vault offers many benefits, including:
3131

3232
Application Gateway currently supports software-validated certificates only. Hardware security module (HSM)-validated certificates are not supported.
3333

34-
After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the TLS/SSL certificate that's currently associated with the HTTPS listener is automatically rotated.
34+
After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the TLS/SSL certificate that's currently associated with the HTTPS listener is automatically rotated.
35+
36+
> [!TIP]
37+
> Any change to Application Gateway will force a check against Key Vault to see if any new versions of certificates are available. This includes, but not limited to, changes to Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags, and more. If an updated certificate is found, the new certificate will immediately be presented.
3538
3639
Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your key vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`.
3740
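Review bot: The new tip states that "any new versions of certificates" will be picked up and "immediately be presented", but the unchanged paragraph that follows the tip makes this conditional on the secret identifier not pinning a version; a reader who followed the versioned-identifier pattern will make a change, see no rotation, and not know why. Suggest qualifying the tip along the lines of "If the listener references a secret identifier without a version, the new certificate will immediately be presented", or cross-referencing the paragraph below. Two smaller points in the same added line: "This includes, but not limited to," should read "This includes, but is not limited to," and the feature names ("Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags") are capitalized differently from the rest of the file, which uses lowercase for these terms (for example "HTTPS listener" in the preceding paragraph).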
