I’m astonished about the unacceptable shape of certificate management in Azure and integrating certificates in Azure Key Vault – Am I the only one that can't understand how this is just still happening in 2024? • The Certificate API for creating Key Vault certificates "is not published" - so we don't have that in pulumi_azure_native or even Bicep. But the Azure Classic provider has it - probably because it's "hand-written" against the API. • Importing PEM certificates is supported, but the format is very strict ◦ AKV throws an ambigious format error if the cert isn't exactly X.509 formatted with a PKCS#8 Private Key. There can't be any metadata or comments in the PEM or it will fail. F.x. a PEM acquired via Let's Encrypt needs to be mangled with before being able to upload it to Key Vault. Just look at how many customers have trouble trying to upload a PEM. • Their Certificate Order service (App Service Certificates) "can" export the certificate to Key Vault ◦ But the certificate gets created as a Base64 encoded Key Vault Secret and not a Certificate ◦ A lot of downstream services require the certificates to be a Certificate and not a Secret .. so you have to export the secret and import the PFX as a certificate totally breaking the auto-renewal feature of App Service Certificates ◦ The exported PFX doesn't have any password – which will fail when importing into downstream services many of which require PFXs to have a password (f.x. Application Gateway) • Don't get me started about integrating/importing in other Azure Services with a Key Vault using RBAC access model ◦ Documentation for various services often both say it's not supported and then also have a chapter on how to use the RBAC model ◦ Some of those documentation are even just plain wrong when talking about which RBAC roles you have to assigned to a given managed identity – i.e. saying you have to assign Key Vault Secret User when you should be assigning Key Vault Certificate User • Some services like App Services support Free Managed Certificates ◦ Creation of those have circular dependencies making it impossible to deploy in a "single run" via IaC ◦ Even newer services like Azure Container Apps also have this flaw • A lot of downstream services don't support referencing certificates in Key Vault for their SSL settings – Azure Container Apps doesn't even! How is not someone at Azure/Microsoft raising urgency on fixing this? Managing SSL certs is such a basic expectation in cloud workload management!

You might consider posting a screenshot of those details ⤴️ on Twitter/X and tagging @markrussinovich (CTO of Azure).