Generating a CSR and Installing an SSL Certificate in Microsoft Azure Key Vault
Daniel Martinez
Azure Key Vault is where SSL Certificates belong in a Microsoft cloud environment, because the services that terminate TLS can consume the vault entry instead of a hand-uploaded PFX: App Service imports its copy from the vault and keeps it in sync, and Application Gateway reads the vault entry through a managed identity. The vault offers two routes in, and the better one is also the less obvious one.
Generating the Certificate Signing Request (CSR) inside the vault keeps the Private Key in Azure from the first moment, never existing as a loose file at all. Importing an existing Personal Information Exchange (PFX) file remains available for SSL Certificates arriving from elsewhere, and this guide covers both.
Prerequisites
You need access to the Key Vault with a role permitted to manage SSL Certificates (Key Vault Certificates Officer on a vault using Azure RBAC, or an access policy granting certificate create, import, get and update), and the vault itself must sit in the same subscription as the App Service that will consume the SSL Certificate. Your issued files will be available in the tracking system once validation completes. View Our Tracking & SSL Management 🔗
Generating the Request Inside the Vault
Open the Key Vault in the Azure portal, select Certificates, and choose Generate/Import. Set the method to Generate, give the entry a recognizable name, and set the Certificate Authority (CA) type to a non-integrated CA, which is the option that produces a request for external issuance.
Enter the subject in distinguished name form using the Common Name (CN), for example CN=yourdomain.com, and add any additional hostnames as Domain Name System (DNS) Names. Choose RSA at 2048 bits or stronger. In the advanced policy settings, leave the Private Key exportable if App Service will consume the entry: App Service fetches the PKCS #12 through the vault's secret endpoint, and a non-exportable key is never written into that secret, so such an entry cannot be imported into App Service at all. Then create the entry.
The entry appears as in progress. Open it, select the pending operation, and download the request. Submit its contents when placing your order and complete validation as normal. Learn About the Validation Procedure 🔗
Merging the Issued SSL Certificate
Once issued, download your SSL Certificate together with the ca-bundle of Intermediate Certificates from the Certificate Authority (CA). Combine them into one file with your SSL Certificate first, since merging the fullchain is what lets the vault hand consumers a complete chain. Learn About Intermediate Certificates 🔗
Return to the in progress entry, open the pending operation again, and choose Merge Signed Request, providing the combined file. The entry status changes to enabled, now pairing the issued SSL Certificate with the Private Key that never left the vault.
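The same procedure, from creating the entry through merging the issued chain, driven from Azure CLI instead of the portal. This is an added example and not code from the original page; the vault name, entry name, hostnames and file names are assumed placeholders, while the policy fields and the az keyvault certificate subcommands are the standard ones.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the in-vault CSR workflow from Azure CLI.
# Assumed placeholders: VAULT, CERT_NAME, yourdomain.com and the file names below.
set -eu

VAULT="${VAULT:-your-vault-name}"
CERT_NAME="${CERT_NAME:-yourdomain-com}"

# Certificate policy for a non-integrated CA. Issuer "Unknown" makes Key Vault generate the
# key pair inside the vault and hand back a CSR for external issuance instead of self-signing.
# "exportable" stays true because App Service fetches the PKCS#12 through the vault's secret
# endpoint, and a non-exportable key is never written into that secret.
build_policy() {
  local cn="$1" names="" n
  shift
  for n in "$cn" "$@"; do
    names="${names:+$names, }\"$n\""
  done
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": { "keyType": "RSA", "keySize": 2048, "exportable": true, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "CN=$cn",
    "subjectAlternativeNames": { "dnsNames": [ $names ] },
    "validityInMonths": 12
  }
}
EOF
}

# "pending show" returns the CSR as bare base64 DER; add the PEM armor a CA order form expects.
csr_to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
  tr -d '\r\n' | fold -w 64
  printf '\n%s\n' '-----END CERTIFICATE REQUEST-----'
}

# Merge file: the issued leaf first, then the ca-bundle. Key Vault checks that the certificate
# it merges carries the public half of the pending key, so the leaf has to come first.
build_fullchain() {
  cat "$1" "$2" > "$3"
}

# Count PEM certificate blocks; 1 means the ca-bundle never made it into the merge file.
pem_block_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Step 1 (run once): create the entry, pull the CSR, write it as PEM for the order form.
request_csr() {
  build_policy yourdomain.com www.yourdomain.com > policy.json
  az keyvault certificate create --vault-name "$VAULT" -n "$CERT_NAME" -p @policy.json > /dev/null
  az keyvault certificate pending show --vault-name "$VAULT" -n "$CERT_NAME" \
      --query csr -o tsv | csr_to_pem > yourdomain.csr
}

# Step 2 (after issuance): assemble the chain, refuse a bundle-less file, merge into the entry.
merge_issued() {
  build_fullchain yourdomain.crt yourdomain.ca-bundle fullchain.pem
  if [ "$(pem_block_count fullchain.pem)" -lt 2 ]; then
    echo "fullchain.pem holds only one certificate; add the ca-bundle before merging" >&2
    return 1
  fi
  az keyvault certificate pending merge --vault-name "$VAULT" -n "$CERT_NAME" --file fullchain.pem
}
```

Run request_csr once, place the order with the contents of yourdomain.csr, and call merge_issued after downloading the issued files. The exportable flag is the one policy setting worth a second look: set it to false only when no consumer needs the PKCS #12 out of the vault, since the key then exists nowhere but the vault's own key store.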
Warning : Deleting or cancelling the pending operation before merging destroys the Private Key the vault generated for that request, and the SSL Certificate issued against it can never be merged afterward. If an operation has been cancelled, generate a fresh request and complete a reissue rather than attempting recovery.
The merge path covers SSL Certificates born in the vault. Material arriving from outside takes the second route.
Importing an Existing PFX Instead
When the SSL Certificate and Private Key already exist outside Azure, build a PFX container first, including the chain, then import it. OpenSSL prompts for an export password, which the vault asks for at import time; pick a strong one and handle the file as you would the Private Key itself, because anyone holding both has the key.
openssl pkcs12 -export -inkey yourdomain.key -in yourdomain.crt -certfile yourdomain.ca-bundle -out yourdomain.pfx
On the Certificates page choose Generate/Import with the method set to Import, upload the PFX file, and provide its password. The vault unpacks the container and stores the contents under the entry name.
Binding to an App Service
Within the App Service, open the certificate settings and add an entry sourced from Key Vault, selecting the vault and the entry. App Service reads the vault not as your web app's managed identity but as Microsoft's own Microsoft Azure App Service service principal (application ID abfa0a7c-a6b6-4736-8310-5855508787cd), which needs get permission on secrets and certificates on an access-policy vault, or the Key Vault Secrets User role on a vault using Azure RBAC; the portal offers to grant this during the step when it is missing. App Service keeps a synced copy of the entry and refreshes it from the vault within 24 hours of a change, so a later reissue merged into the vault reaches the site without repeating the import.
Then add a binding under the custom domains section, pairing your hostname with the imported entry as a Server Name Indication (SNI) binding. The site serves the new SSL Certificate as soon as the binding saves.
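The App Service side from Azure CLI: grant the App Service platform read access on the vault, import the entry, and add the SNI binding. This is an added example and not code from the original page; the resource group, app, vault and entry names are assumed placeholders, and the DRY_RUN switch is a convention of this script, not of the CLI.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: vault permission grant, import and SNI binding
# for App Service with Azure CLI. RG, APP, VAULT and CERT_NAME are assumed placeholders.
set -eu

RG="${RG:-your-resource-group}"
APP="${APP:-your-app}"
VAULT="${VAULT:-your-vault-name}"
CERT_NAME="${CERT_NAME:-yourdomain-com}"

# App Service reads Key Vault as Microsoft's own "Microsoft Azure App Service" service
# principal, not as the web app's managed identity. This is its well-known application ID.
APP_SERVICE_SPN="abfa0a7c-a6b6-4736-8310-5855508787cd"

# Print the command instead of running it when DRY_RUN=1, so the exact calls can be reviewed
# (and exercised offline) before anything touches the subscription.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Access-policy vault: the platform principal needs get on secrets and certificates.
grant_app_service_read() {
  run az keyvault set-policy --name "$VAULT" --spn "$APP_SERVICE_SPN" \
      --secret-permissions get --certificate-permissions get
}

# RBAC vault: the same principal gets Key Vault Secrets User at the vault's scope. Pass the
# vault resource ID, e.g. from: az keyvault show -n "$VAULT" --query id -o tsv
grant_app_service_read_rbac() {
  run az role assignment create --role "Key Vault Secrets User" \
      --assignee "$APP_SERVICE_SPN" --scope "$1"
}

# Import the vault entry into the app; the call returns the certificate's thumbprint, which
# the binding step needs. App Service keeps the imported copy in sync with the vault.
import_from_vault() {
  run az webapp config ssl import -g "$RG" -n "$APP" \
      --key-vault "$VAULT" --key-vault-certificate-name "$CERT_NAME" \
      --query thumbprint -o tsv
}

# SNI binding for the imported certificate. The CLI applies it to the app's custom hostnames
# covered by the certificate; SNI needs no dedicated inbound IP, unlike an IP-based binding.
bind_sni() {
  run az webapp config ssl bind -g "$RG" -n "$APP" \
      --certificate-thumbprint "$1" --ssl-type SNI
}

# The live sequence (not for DRY_RUN, where import_from_vault prints instead of returning).
bind_entry() {
  local thumb
  thumb="$(import_from_vault)"
  bind_sni "$thumb"
}
```

With DRY_RUN=1 each function prints the command it would run, which is a useful way to confirm the principal and permissions before touching a production vault; without it, call grant_app_service_read (or grant_app_service_read_rbac with the vault's resource ID) once, then bind_entry.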
Verifying the Installation
Browse to the hostname and confirm the SSL Certificate details, then run an external scan to confirm the full chain is served to fresh clients. Your own browser is a poor judge here, since it may already have the Intermediate Certificate cached; a chain that validates locally but fails the scan is the classic sign that the merge or PFX omitted the ca-bundle. Trustico® provides free checking tools for this confirmation. Explore Our Trustico® SSL Tools 🔗
Troubleshooting Common Installation Problems
A merge rejected as not matching means the file belongs to a different request than the pending operation, often because the operation was recreated after submission. A reissue against the current request resolves it. Learn About Reissuing Your SSL Certificate 🔗
A PFX import rejected over its password means the password does not match this specific file, and PFX passwords cannot be recovered. Rebuild the container with a fresh export when the password is lost.
An App Service that cannot see the vault entry usually lacks vault permissions, and the permission has to go to the Microsoft Azure App Service service principal rather than the app's own managed identity: grant it get on secrets and certificates (or Key Vault Secrets User under Azure RBAC) and retry. Two other causes look identical from the App Service side: a vault firewall without the trusted Microsoft services bypass enabled, and an entry generated with a non-exportable Private Key, which cannot be imported into App Service at all.
Professional Installation Assistance
Azure environments layering vaults, managed identities, and multiple consuming services reward careful setup.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗