Configuring App Service Certificate in Application Gateway
Published Apr 01 2024 04:04 AM 1,285 Views

Application gateway allows you to have an App Service app as a backend pool member with a custom domain.


You can use App Service Certificate or a Third Party Certificate to configure the custom domain. The next steps in the blog will guide you on how to download and export App Service Certificate with private key and upload in Application Gateway. Below are the steps:


Note: Downloading the App Service Certificate and uploading to App Gateway manually would require you to manually upload the renewed certificate in future.


  1. Download the certificate:
  • Once the App Service Certificate is created and verified , follow the below steps to export the certificate:
  • Go to App Service Certificate > KeyVault where the certificate is stored.
  • Key Vault > Objects > Secrets > Select the secret where the certificate is stored:




  • Go to Secret and open the recent version and download certificate.




2. Import the certificate:


  • Once the certificate is downloaded you can import the certificate to the Certificate store and export with Private Key:
  • While installing you can make sure to mark this checkbox below:




3. Export the Certificate


  • Export the certificate by going to Certificate Manager > Navigate to the certificate > All Tasks > Export


  • Click on Yes , Export the private key:


  • Select the file Format as (.PFX):



  • In the next step you can input the desired password and make sure to select the encryption type as TripleDES-SHA1 and export the certificate:



4. Once the certificate is exported and saved. You can configure an Application Gateway by following this document : Manage traffic to App Service - Azure Application Gateway | Microsoft Learn


5. The App Service Certificate you exported would need to be added in the Listener you created . Below are the steps for the same:


Open the “Listeners” section and choose “Add listener” or click an existing one to edit:





  • Lastly , make sure the DNS is updated with the Application Gateway IP.


7. The certificate can be directly uploaded to the Application Gateway or can be uploaded to KeyVault and accessed via the Application Gateway using the below setting while adding a HTTP Listener:




8. Application Gateway supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates). For more information you can refer this document : TLS termination with Azure Key Vault certificates | Microsoft Learn.


More Information:



If you have any other questions, feel free to comment below!


Version history
Last update:
‎Apr 03 2024 10:12 AM
Updated by: