Background
I am trying to implement a WAF in front of a web app hosted in Azure App Service. This app is configured to force HTTPS, so the WAF needs to pass through HTTPS traffic (end-to-end SSL as explained here https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-ssl-encryption ).
I have purchased the SSL cert via the App Service Certificate Service in Azure. Binding this cert to the domain on the web app was very straightforward.
Technology
Azure Web App
Domain purchased via App Service Domains (therefore DNS is hosted in Azure DNS)
SSL cert purchased via App Service Certificates (cert is stored in Key Vault... somewhere?)
Application Gateway = Sku2 with firewall enabled
Problem
The problem I am having is that when I try to create a listener for HTTPS (port 443) traffic on the Application Gateway and connect it to the SSL cert I am using for the web app (backend), it is not showing up. Furthermore, I cannot even see the certificate in the certificates section of the Key Vault. But the cert is applied and working with the Web App (set up as SNI). The cert is a standard one (not wildcard, as no subdomains etc. are required).
Does anyone know why the cert isn't showing up when configuring the listener?
Does anyone know why the listener needs a managed identity? Is this the reason it's not showing up, because I have not set up a managed identity or something?
The goal
To use all Azure services to get this solution to work so I don't have to worry about manually updating certificates. I believe this is possible and that I am just missing something.
Any assistance with this problem is greatly appreciated!