We're automating the creation of Azure Application Gateways for new deployments of a web app's resource group. Unfortunately AppGW doesn't seem to support Key Vault certificates directly (ref) like Azure App Service does, and it looks like the only way to add certs (at least in PowerShell) is via New-AzureRmApplicationGatewaySslCertificate. That cmdlet only has a "CertificateFile" parameter, which requires a physical file path, and I'd really rather avoid having to store the cert on disk...
At the moment we're storing both the cert and the cert's password in Key Vault, and the relevant part of the AppGW script is doing this:
- Get the cert's export password via Get-AzureKeyVaultSecret (which remains in SecureString form)
- Get the cert itself via Get-AzureKeyVaultCertificate (which also remains in secure form)
All good so far; the data is stored in memory in a fairly secure format.
- Convert step 1's SecretValue to plaintext (eww) because the next step requires a plaintext string password
- Using the cert's Export method and the plaintext password, write the cert to a PFX file on disk (eww)
- Import that PFX file using New-AzureRmApplicationGatewaySslCertificate
- Create the rest of the AppGW
- Delete the PFX file
It leaves a bad taste in my mouth to have to peel off all the security from things like SecureStrings and Key Vault certificates. I know AppGW doesn't support Key Vault certificates yet but I'd settle for at least just storing this stuff in memory rather than having to write the cert to disk. Surely I'm just missing something obvious and there's a more secure method for doing this?
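The same flow as the question's steps, written here as an added example (not the asker's script) to show how far the exposure can be narrowed even while the cmdlet still needs a file: a randomly named, caller-only ACL'd temp file, the plaintext password living only for the Export call and zeroed afterwards, and cleanup in a finally block. It assumes the AzureRM module with an existing login, placeholder vault/secret names, and that the retrieved certificate object is exportable with its private key as the question's script relies on.

```powershell
# Added example, not the asker's script. Vault, cert and secret names are placeholders.
Add-Type -AssemblyName System.Security
$vaultName     = 'my-vault'        # placeholder
$certName      = 'webapp-tls'      # placeholder
$pwdSecretName = 'webapp-tls-pwd'  # placeholder

# Steps 1-2: fetch both items; the password stays a SecureString.
$pwdSecure = (Get-AzureKeyVaultSecret -VaultName $vaultName -Name $pwdSecretName).SecretValue
$kvCert    = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certName

# Per-run temp file with a random name, inherited ACEs dropped, current user only,
# so the exported PFX is never readable by other accounts for the seconds it exists.
$pfxPath = Join-Path $env:TEMP ("appgw-{0}.pfx" -f [Guid]::NewGuid())
New-Item -ItemType File -Path $pfxPath -Force | Out-Null
$acl = Get-Acl $pfxPath
$acl.SetAccessRuleProtection($true, $false)
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl $pfxPath $acl

$bstr = [IntPtr]::Zero
try {
    # Step 3: plaintext password exists only for the Export call below.
    $bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwdSecure)
    $plainPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # Step 4: write the PFX bytes straight into the locked-down file.
    $pfxBytes = $kvCert.Certificate.Export(
        [Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $plainPwd)
    [IO.File]::WriteAllBytes($pfxPath, $pfxBytes)
    $plainPwd = $null

    # Step 5: hand the file to the AppGW cmdlet. Assumes an AzureRM.Network version whose
    # -Password takes a SecureString; older releases took a plain string ($plainPwd) instead.
    $sslCert = New-AzureRmApplicationGatewaySslCertificate -Name $certName `
        -CertificateFile $pfxPath -Password $pwdSecure
    # Step 6: ... build the rest of the gateway using $sslCert ...
}
finally {
    # Step 7 runs even if an earlier step throws, so a failed run never leaves the PFX behind.
    if ($bstr -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    if ($pfxBytes) { [Array]::Clear($pfxBytes, 0, $pfxBytes.Length) }
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
}
```

The .NET string in $plainPwd is immutable and cannot be reliably wiped, so this shortens its lifetime rather than eliminating it; the BSTR and the PFX byte array are the parts that can actually be zeroed.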