← Integrations

Automated SSL certificate renewal for Azure Key Vault

Key Vault distributes certificates. It doesn't renew the ones you import.

Application Gateway, App Service, and the rest of Azure consume certificates from Key Vault and follow new versions automatically. The catch is upstream: an imported certificate is a static object, and when it renews, nothing lands in the vault until someone imports the new PFX. Every 47 days. For every certificate you bring to the vault.

CertKit centralizes certificate issuance and renewal, then imports each renewed certificate into your Key Vault via the CertKit Agent as a new version under the same name. Everything bound to the vault rolls over on its own.

Start free trial Watch demo

Built for Azure Key Vault

The pre-built Key Vault deployment template ships in your CertKit account. No scripting required.

The CertKit Agent signs in with a scoped service principal, non-interactively, and imports the renewed PFX under the certificate name you chose. Key Vault versions it, and every service bound to that certificate picks up the new version without a manual step. The PFX password handling is automatic.

The pre-built Key Vault template ships with your CertKit account. Set the vault and certificate name once. CertKit handles every renewal after that.

How to import a certificate into Azure Key Vault

The manual process, if you want to do it yourself:

  1. Get the renewed certificate as a PFX. Certificate, private key, and chain in one password-protected file. Key Vault also accepts PEM, but PFX is the path Azure tooling expects.
  2. Import it. In the portal, Key Vault → Certificates → Generate/Import → Import, upload the PFX and enter its password. Or az keyvault certificate import from the CLI.
  3. Use the same certificate name. Importing under the existing name creates a new version. A new name creates a new certificate that nothing is bound to, and the old one keeps getting served.
  4. Let the consumers roll over. Application Gateway, App Service, and anything else referencing the certificate by name follows the new version automatically. First-time bindings need the service granted access to the vault.
  5. Repeat on every renewal. This is the part that doesn't scale: the export, the password, the upload, for every certificate, in every vault, on a calendar reminder.

Every one of these steps is manual, and Key Vault won't repeat any of them for an imported certificate. With lifetimes shrinking to 47 days, the import stops being an annual chore and becomes a recurring task: eight times a year, per certificate, per vault. Miss one and the Application Gateway behind it serves an expired certificate.

At 47 days, automation is the only sustainable way to keep imported certificates current. Here's how CertKit does it.

How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │Deploy Agent │◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──────┬──────┘  │     │   Certificates   │    │             │
│         │ Az API  │     │                ┌───┐  └─────────────┘
│         ▼         │     └───────────┬────│DNS│
│ ┌──────────────┐  │                 │    └───┘
│ │ Key Vault    │  │                 │
│ │ [x] Imported │  │                 │
│ │ App Gateway  │  │ ◄───────────────┘
│ │ [x] Rolled   │  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. The agent runs on any Windows host and signs in to Azure with a service principal scoped to importing certificates into the target vault. No DNS credentials in Azure, no ACME configuration anywhere.

CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.

Ben Story, Managed Services Director, RedEye Network Solutions

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Create a scoped service principal. An app registration with permission to import certificates into the target vault. No subscription-wide roles required.
  3. Install the CertKit Agent. One command on any Windows host with the Az PowerShell module. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the Key Vault deployment script. The pre-built template is in your account. Set the vault name, certificate name, and service principal details. CertKit runs the import on every renewal.

See the full architecture →

Why not Key Vault's built-in renewal?

Key Vault can generate and auto-renew certificates, but only through its integrated CA partners, with per-certificate fees and a separate CA account to manage. Every other certificate, including anything from a free ACME CA, enters the vault as an import, and imports are static. Azure will happily email you that one is about to expire. It won't renew it.

CertKit closes that gap: it issues free ACME certificates via delegated DNS validation, renews them on schedule, and re-imports each renewal as a new version, so the vault's distribution machinery keeps working without the integrated CA pricing. The same renewed certificate can also deploy to the non-Azure half of your infrastructure from the same account.

Azure Key Vault is just one part of your stack

Most environments have more than one place where certificates live: IIS and Exchange on-premises, Kubernetes clusters, and the appliances in between. CertKit automates all of it from one account.

See all integrations

Start automating Key Vault certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing