I’m astonished about the unacceptable shape of certificate management in Azure and integrating certificates in Azure Key Vault – Am I the only one that can't understand how this is just still happening in 2024?
• The Certificate API for creating Key Vault certificates "is not published" - so we don't have that in pulumi_azure_native or even Bicep. But the Azure Classic provider has it - probably because it's "hand-written" against the API.
• Importing PEM certificates is supported, but the format is very strict
◦ AKV throws an ambiguous format error if the cert isn't exactly X.509 formatted with a PKCS#8 Private Key. There can't be any metadata or comments in the PEM or it will fail. F.x. a PEM acquired via Let's Encrypt needs to be mangled before being able to upload it to Key Vault. Just look at how many customers have trouble trying to upload a PEM.
• Their Certificate Order service (App Service Certificates) "can" export the certificate to Key Vault
◦ But the certificate gets created as a Base64 encoded Key Vault Secret and not a Certificate
◦ A lot of downstream services require the certificates to be a Certificate and not a Secret, so you have to export the secret and import the PFX as a certificate, totally breaking the auto-renewal feature of App Service Certificates
◦ The exported PFX doesn't have any password – which will fail when importing into downstream services many of which require PFXs to have a password (f.x. Application Gateway)
• Don't get me started about integrating/importing in other Azure Services with a Key Vault using RBAC access model
◦ Documentation for various services often both says it's not supported and then also has a chapter on how to use the RBAC model
◦ Some of that documentation is even just plain wrong when talking about which RBAC roles you have to assign to a given managed identity – i.e. saying you have to assign Key Vault Secret User when you should be assigning Key Vault Certificate User
• Some services like App Services support Free Managed Certificates
◦ Creation of those has circular dependencies making it impossible to deploy in a "single run" via IaC
◦ Even newer services like Azure Container Apps also have this flaw
• A lot of downstream services don't support referencing certificates in Key Vault for their SSL settings – Azure Container Apps doesn't even!
How is no one at Azure/Microsoft raising urgency on fixing this? Managing SSL certs is such a basic expectation in cloud workload management!
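The strict PEM rules the post describes (X.509 certificate blocks plus exactly one unencrypted PKCS#8 private key, nothing else in the file) are easy to trip over, so a pre-flight check before calling the import API saves a round of "ambiguous format" errors. The script below is an added example written for this page, not code from the post's author or from Microsoft. It keeps only the armored blocks (dropping `subject=`/`issuer=` lines, comments and any other surrounding text), re-wraps the base64 at 64 columns, reorders the output as certificates first and key last (an assumption about the layout Key Vault accepts), and refuses PKCS#1 RSA, SEC1 EC and password-protected keys with a pointer to the `openssl pkey` command that rewrites them as plain PKCS#8. The sample bundles are constructed; their base64 bodies are placeholders, not real DER, because the script only checks structure, not the contents of the certificate or key.

```python
"""Pre-flight normalizer for a PEM bundle destined for Azure Key Vault import.

Added example, not part of the original post. Assumes Key Vault wants:
  * one or more "-----BEGIN CERTIFICATE-----" blocks,
  * exactly one unencrypted PKCS#8 "-----BEGIN PRIVATE KEY-----" block,
  * no text outside the armor (the post reports metadata/comments cause failure).
The certificates-first ordering in the output is an assumption made here.
"""
import re

# Matches one PEM armor block; group 1 is the label, group 2 the base64 body.
ARMOR_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Key encodings to reject, each with a short description for the report.
LEGACY_KEY_HINTS = {
    "RSA PRIVATE KEY": "PKCS#1 RSA key",
    "EC PRIVATE KEY": "SEC1 EC key",
    "ENCRYPTED PRIVATE KEY": "password-protected PKCS#8 key",
}
# `openssl pkey` reads any of the above and writes unencrypted PKCS#8 by default.
CONVERT_HINT = "rewrite it with `openssl pkey -in key.pem -out key-pkcs8.pem`"


def normalize_pem(text):
    """Return (clean_pem, problems).

    clean_pem contains only the CERTIFICATE block(s) followed by the single
    PKCS#8 PRIVATE KEY block, each body re-wrapped at 64 columns. It is None
    whenever problems (a list of human-readable strings) is non-empty.
    """
    certs, keys, problems = [], [], []
    for match in ARMOR_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        b64 = "".join(body.split())  # drop line breaks and stray whitespace
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
            problems.append(f"{label} block body is not base64")
            continue
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        block = (f"-----BEGIN {label}-----\n" + "\n".join(lines)
                 + f"\n-----END {label}-----")
        if label == "CERTIFICATE":
            certs.append(block)
        elif label == "PRIVATE KEY":
            keys.append(block)
        elif label in LEGACY_KEY_HINTS:
            problems.append(f"{LEGACY_KEY_HINTS[label]} found; {CONVERT_HINT}")
        else:
            problems.append(f"unsupported block type {label!r}; remove it before import")
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(keys) != 1:
        problems.append(f"expected exactly one PKCS#8 PRIVATE KEY block, found {len(keys)}")
    if problems:
        return None, problems
    return "\n".join(certs + keys) + "\n", []


# Constructed sample: openssl-style header lines plus a PKCS#1 key, the shape
# the post says fails on import. Base64 bodies are placeholders, not real DER.
SAMPLE_CERTBOT_STYLE = """\
subject=CN=example.test
issuer=CN=Constructed Test CA
-----BEGIN CERTIFICATE-----
MIIBsDCCAVagAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
"""

# Constructed sample after `openssl pkey`: key first, a comment, then leaf and
# intermediate certificates. Still placeholder bodies.
SAMPLE_AFTER_CONVERSION = """\
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ
-----END PRIVATE KEY-----
# leaf and intermediate below
-----BEGIN CERTIFICATE-----
MIIBsDCCAVag
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsDCCAVah
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        clean, problems = normalize_pem(fh.read())
    for problem in problems:
        print("problem:", problem, file=sys.stderr)
    if problems:
        sys.exit(1)
    sys.stdout.write(clean)
```

Run it as `python normalize_pem.py fullchain-with-key.pem > keyvault-ready.pem`; a non-zero exit with the printed problems means the file needs fixing before any `az keyvault certificate import` attempt. The check is deliberately structural only: it does not parse the DER, verify that the key matches the leaf certificate, or validate the chain, so a clean result means the file has the shape Key Vault expects, not that the material inside it is correct.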