Use AzureRMAppGWCert to list certificate details of Azure App Gateway

Authors: Daniel Mauser and Victor Santana

Introduction

Here is Daniel again, and it's been a while since I published a blog here. The main reason for my absence is that I moved to a new role as Support Escalation Engineer in a Microsoft Support team called Azure Rapid Response, or ARR. I've been working on a few Azure Networking cases, and today I would like to present a new module built by the ARR team that makes it possible to list and visualize certificates imported into Azure Application Gateway (AppGW).

Quick overview of Application Gateway certificates

There are two types of certificates that can be used by Application Gateway.

  • HTTP Listener certificate - This is the PFX certificate you import to enable TLS/SSL connections to Application Gateway. This certificate includes the private key of the certificate (basically the same kind of certificate you use on your web server).
  • Backend certificates - This is the certificate that contains the public key; you upload it in .CER format, and Application Gateway needs it to reach the backend.
    For more information about AppGW certificates, see: Create an application gateway with SSL termination

Why did we create this PowerShell module?

The main reason we created it is that there is currently no way, via either the Portal or PowerShell, to list certificate information in a printable format once it has been imported into Application Gateway. We've seen a couple of customers open support incidents where they were unable to determine which certificate had been correctly uploaded to Application Gateway. Here is an example inside the Listeners blade:

*Note: The AzureRM PowerShell command Get-AzureRmApplicationGateway lists the whole configuration, and certificate information is encoded as base64.

How does this module work?

This module incorporates a function that converts the base64 data into a printable certificate format by using [System.Convert]::FromBase64String and casting the result to [System.Security.Cryptography.X509Certificates.X509Certificate2].

See: X509Certificate2 Class for more information.
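
The conversion described above, as an added example that is not the module's own code: it decodes a base64 certificate string, prints the same fields as the module's output, and flags self-signed and soon-to-expire certificates. The helper name ConvertFrom-Base64Certificate, the subject CN=backend.example.test and the 30-day threshold are assumptions; the sample certificate is constructed in memory (this needs PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later).

```powershell
# Added example. ConvertFrom-Base64Certificate is a hypothetical helper name.
function ConvertFrom-Base64Certificate {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [int]$WarnDays = 30   # assumed threshold for "expiring soon"
    )
    try {
        # The conversion the page describes: base64 text -> bytes -> X509Certificate2
        $bytes = [System.Convert]::FromBase64String($Base64)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$bytes
    } catch {
        # Invalid base64, or bytes that are not a certificate
        Write-Warning "Not a decodable certificate: $($_.Exception.Message)"
        return
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = if ($daysLeft -lt 0) { 'Expired' }
              elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
              else { 'OK' }
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SerialNumber = $cert.SerialNumber
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        DaysLeft     = $daysLeft
        Status       = $status
    }
}

# Constructed sample input: a throwaway self-signed certificate valid for 20 more
# days, exported as .cer bytes and base64-encoded. On a real gateway the base64
# string comes from the Get-AzureRmApplicationGateway output instead.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=backend.example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now    = [DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(20))
$cer    = $sample.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64 = [System.Convert]::ToBase64String($cer)

ConvertFrom-Base64Certificate -Base64 $base64 | Format-List
ConvertFrom-Base64Certificate -Base64 'not-a-certificate'   # warns, returns nothing
```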

*Note1: Keep in mind that this is a PowerShell module that is not officially supported by Microsoft.

*Note2: This module may be incorporated into future releases of the official AzureRM module; until then, you can use this module. Once that happens, we will update this blog post to let you know.

How to use the AzureRMAppGWCert module

The AzureRMAppGWCert module has been published in PSGallery and is readily available to you and customers. See the output example and other details below (extracted from GitHub):

AzureRMAppGWCert
PowerShell module to list all certificates from an Azure Application Gateway.

Prerequisite

This module requires that you have AzureRM installed. Please refer to the following instructions before you proceed: Install and configure Azure PowerShell.

How to Install

This module is published at https://www.powershellgallery.com/packages/AzureRMAppGWCert
To install it, open PowerShell as Administrator and type:
    Install-Module AzureRMAppGWCert
    Import-Module AzureRMAppGWCert

Example: Listing all digital certificates associated with a single Application Gateway:

This module lists all certificates associated with an Application Gateway and generates output like this:
PS C:\> Get-AzureRMAppGWCert -RG OfficeClient -AppGWName AppGateway

  AppGWName : AppGateway
 ListnerName : appGatewayHttpListener
 Subject : CN=*.hepoca.com, O=Hepoca Armarios e Servicos Ltda - EPP, L=Taguatinga, S=Distrito Federal, C=BR
 Issuer : CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
 SerialNumber : 0E99D5E2EBBE329CFE2DDE29C1D7D343
 Thumbprint : 5FD6F2A7BC4BD095198AE55D1A0A76D46365C6B9
 NotBefore : 3/13/2017 7:00:00 PM
 NotAfter : 5/2/2018 7:00:00 AM

 AppGWName : AppGateway
 ListnerName : HTTPs8080
 Subject : CN=*.hepoca.com, O=Hepoca Armarios e Servicos Ltda - EPP, L=Taguatinga, S=Distrito Federal, C=BR
 Issuer : CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
 SerialNumber : 0E99D5E2EBBE329CFE2DDE29C1D7D343
 Thumbprint : 5FD6F2A7BC4BD095198AE55D1A0A76D46365C6B9
 NotBefore : 3/13/2017 7:00:00 PM
 NotAfter : 5/2/2018 7:00:00 AM

 AppGWName : AppGateway
 HTTPSetting : appGatewayBackendHttpSettings
 RuleName : rule1
 BackendCertName : webjson-pub
 Subject : E=a@a.com, CN=webjson.arr.local, OU=Arr, O=ARR, L=Irving, S=TX, C=US
 Issuer : E=a@a.com, CN=webjson.arr.local, OU=Arr, O=ARR, L=Irving, S=TX, C=US
 SerialNumber : 00B1722AB4D0FB8CAA
 Thumbprint : 573C70769A40CF4D01769926A212009598462436
 NotBefore : 11/28/2017 12:45:23 PM
 NotAfter : 11/28/2018 12:45:23 PM

Practical Examples:
  1. Get all Azure Application Gateways and list all certificates associated with all of them:
    Get-AzureRMAppGWCert
  2. List Application Gateway certificates in a Resource Group:
    Get-AzureRMAppGWCert -RG <Resource Group Name>
  3. List all certificates associated with a specific Application Gateway:
    Get-AzureRMAppGWCert -RG <Resource Group Name> -AppGWName <Application Gateway Name>
  4. List all Application Gateway certificates and export all of them to .cer format:
    Get-AzureRMAppGWCert -Export
  5. List all Application Gateway certificates and show all details (all certificate attributes):
    Get-AzureRMAppGWCert -Details

Conclusion

In this article we described the new AzureRMAppGWCert PowerShell module, which can be used to list the digital certificates used in your Azure Application Gateway. We hope this module is useful and helps you better manage digital certificates on Azure Application Gateway.