One common question which I’ve come across is certificate management for web servers. Usually when servers are hosted on Azure there are ways like storing certificates and secrets in Azure Key vault is a viable solution. I’ve come across customers who’re running servers in hybrid and few servers would still remain on-premises because of dependencies. For these web servers managing certificates is a costly affair. Common practice which I’ve seen is admin sharing the certificate with application team on some file share. This has few disadvantages.
One better way to handle this scenario is to Store certificate in Azure Key vault centrally and Arc Enable the web server. One last step which will do the magic is Azure Key vault VM Extension. Which can be enabled on Arc Server as extension.
This setup provides the advantages below.
$Settings = @{
secretsManagementSettings = @{
observedCertificates = @(
"https://keyvaultname.vault.azure.net/secrets/certificatename"
# Add more here in a comma separated list
)
certificateStoreLocation = "LocalMachine"
certificateStoreName = "My"
pollingIntervalInS = "3600" # every hour
}
authenticationSettings = @{
# Don't change this line, it's required for Arc enabled servers
msiEndpoint = "http://localhost:40342/metadata/identity"
}
}
$ResourceGroup = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$Location = "ARC_SERVER_LOCATION (e.g. eastus2)"
New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForWindows" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForWindows" -Setting (ConvertTo-Json $Settings)
For auto renewal of certificate, we’ll need to enable IIS Rebind.
This is how Arc VM Extension looks like when it’s enabled.
Assigning permission to Arc server to fetch the certificate from keyvault.
You can use access policy on Keyvault as well, it’s supported.
Versions of the certificate/new certificate can be uploaded from key vault certificate blade and looks like below.
If you’re renewing certificates and wanted to see if certificates are getting pulled down properly or not you can check error logs located here.
C:\ProgramData\Guestconfig\extension_logs\Microsoft.Azure.Keyvault.keyvaultforwindows
If you’re running Azure VM similar thing can be achieved :
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows
Cert Rebind in IIS:
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85
Visit my Blog: https://www.azuredoctor.com/
Public blogpost: https://www.azuredoctor.com/posts/arc-keyvault/
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.