App Service Certificate (Azure issued from GoDaddy) will not import into Azure Key Vault
I went through the process in the Azure Portal to purchase an App Service Certificate (Azure issued from GoDaddy). This is a wildcard certificate and I've been charged the $299 USD fee for the 1-year cert, so I need to get my issue resolved in the Azure Portal or via CLI if possible. I will describe my issue below:
All of the following steps were done in the same subscription.
- Created a Resource Group in East US region, 'companyname-eus-vnet-global-rg'
- Created a Virtual Network in East US region, in the Resource Group, and named it 'companyname-eus-vnet-global' and assigned 'default' subnet address space: '10.1.2.0/24'
- Created a Private DNS zone named 'privatelink.vaultcore.azure.net'
  - Location: Global
  - Recordsets: 2
  - Recordset 1
    - Name: @
    - Type: SOA
    - TTL: 3600
    - Value: Email: azureprivatedns-host.microsoft.com Host: azureprivatedns.net Refresh: 3600 Retry: 300 Expire: 2419200 Minimum TTL: 10 Serial number: 1
    - Auto registered: false
  - Recordset 2
    - Name: companyname-eus-kv-global
    - Type: A
    - TTL: 10
    - Value: 10.1.2.4
    - Auto registered: false
  - Virtual Network Links: 1
    - Link Name: 4gjadbqlc5kx7
    - Link Status: Completed
    - Virtual Network: companyname-eus-vnet-global
    - Auto-Registration: Disabled
    - Fallback to Internet: Disabled
  - Virtual Network Links With Registration: 0
- Created a Resource Group in East US region, 'companyname-eus-kv-global-rg'
- Created a Key Vault in East US region in the Resource Group and named it 'companyname-eus-kv-global'.
  - I selected Premium, with Soft-delete and Purge Protection enabled.
  - Originally it was created with the permission model Azure RBAC, but during troubleshooting I changed it to Key Vault access policy, as was suggested by Copilot as well as in articles.
  - Originally all three resource access options were disabled, though I have tried turning them all on during troubleshooting.
  - Originally under Networking, for Firewall and Virtual Networks, I selected Disable public access, and Allow trusted Microsoft services to bypass this firewall was disabled.
  - During troubleshooting, I selected Allow public access from all networks and enabled Allow trusted Microsoft services to bypass this firewall. I also tried selecting Allow public access from specific virtual networks and IP addresses and added virtual network 'companyname-eus-vnet-global' and subnet 'default'.
- Created a Private Endpoint named 'companyname-eus-kv-global-pe'
  - Virtual network/subnet: 'companyname-eus-vnet-global/default'
  - Network interface: 'companyname-eus-kv-global-pe-nic'
  - Private link resource: 'companyname-eus-kv-global'
  - Target sub-resource: vault
  - Connection status: Approved
  - Request/Response: -
  - Provisioning State: Succeeded
- Created a Network Interface named 'companyname-eus-kv-global-pe-nic'
  - Private IPv4 address: 10.1.2.4
  - Attached to: 'companyname-eus-kv-global-pe (Private endpoint)'
  - Type: Regular
  - Accelerated networking: Disabled
  - Virtual network/subnet: 'companyname-eus-vnet-global/default'
  - Under Settings - DNS configuration - Customer Visible FQDNs
    - Network Interface: 'companyname-eus-kv-global-pe-nic'
    - IP Addresses: 10.1.2.4
    - FQDN: companyname-eus-kv-global.vault.azure.net
    - IP Addresses: 10.1.2.4
    - Configuration name: privatelink-vaultcore-azure-net
    - Private DNS zone: privatelink.vaultcore.azure.net
    - DNS zone group: default
    - FQDN: companyname-eus-kv-global.privatelink.vaultcore.azure.net
    - IP Address: 10.1.2.4
    - Network Interface: 'companyname-eus-kv-global-pe-nic'
- Created and purchased the App Service Certificate and named the resource 'companyname-eus-kv-global-sitename-com-wildcard-cert'
  - Distinguished Name: CN=*.sitename.com
  - Product Type: Wild Card
  - Validity Period: 1 Year(s)
  - Certificate Status: Issued
- In App Service Certificate, a warning showed "Configured required Key Vault store -->". Clicking on this goes to 'Certificate Status'
  - Step 1: Store - No green check; says "Import certificate into Key Vault for secure administration."
    - Step 1 is what keeps throwing an error.
  - Step 2: Verify - Shows a green check and says "Domain ownership verified"
  - Step 3: Assign - Shows a green check and says "Certificate ready to use in App Service"
With all of the different troubleshooting steps I've tried, I always have the same issues:
- Every time I click on 'Configured required Key Vault store -->' and it opens the 'Certificate Status' page, and I then click on Step 1: Store, I get two success notifications:
  - Get certificate service principal - Successfully obtained service principal object ID.
  - Get web app service principal - Successfully obtained service principal object ID.
- If I then go and click on 'Select from Key Vault', my Subscription is selected by default, and then I click on 'companyname-eus-kv-global' under the resource group 'companyname-eus-kv-global-rg' and then I click on the blue Select button.
- Every time I do this, I get an error notification:
  - Save Key Vault Settings - Failed to link certificate with the selected Key Vault. Check below errors for more detail.: The parameter name has an invalid value.
I have tried every suggestion that Copilot has given me and looked into every article it referenced or that I could find with a web search. Those results always mention the Key Vault security, so under Access policies, I gave the Applications "Microsoft Azure App Service" and "Microsoft.Azure.CertificateRegistration" All permissions to Certificate Permissions. I additionally gave "Microsoft.Azure.CertificateRegistration" All permissions to Key and Secret as well. I additionally gave my admin user I'm logged in with All permissions for Key, Secret and Certificate as well, which I believe should rule out permissions on the Key Vault, based on what I could find online.
At this point I am dead in the water. I have a $300 cert I cannot import into Azure so I can start using it and all self-help troubleshooting has failed to resolve the issue.
The only thing I think may possibly be worth trying is to consolidate my resource groups. I had made a separate resource group for my Virtual Network, as ideally I'd like to manage all global vnets for the tenant from one resource group, since I do intend to add more vnets for other purposes. That is the only thing I can think of that might be preventing this from working, but before I go through the process of tearing down most of what I set up already and reconfiguring everything, I wanted to get some input from an Azure expert to see if there is something else I am missing that we can change to get this working.
I greatly appreciate anyone's help in this matter.
Thank you,
Bryan
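The post lists, by hand, the Key Vault settings that the certificate "Store" step depends on: the permission model, the public-network/firewall state, the access-policy entries for the two Microsoft service principals, and the private DNS resolution of the vault hostname. The read-only script below is an added example, not part of the original post or of any Microsoft tooling; it gathers those same settings in one pass so they can be compared against what the portal reports. It assumes the Az PowerShell module (Az.KeyVault and Az.Resources) with an active Connect-AzAccount session in the subscription that holds the vault, uses the vault and resource-group names from the post, and relies on Microsoft's documented first-party application IDs for "Microsoft Azure App Service" and "Microsoft.Azure.CertificateRegistration". Resolve-DnsName requires the Windows DnsClient module.

```powershell
# Added diagnostic (not from the original post): read-only inventory of the
# Key Vault settings that the App Service Certificate "Store" step relies on.
# Assumes: Az.KeyVault + Az.Resources modules, an active Connect-AzAccount
# session in the right subscription, and Resolve-DnsName (Windows DnsClient).
$VaultName = 'companyname-eus-kv-global'        # names taken from the post
$VaultRg   = 'companyname-eus-kv-global-rg'

# Microsoft first-party application IDs of the two service principals that the
# portal's "Store" step grants access to (documented for App Service Certificates).
$ExpectedApps = @{
    'Microsoft Azure App Service'             = 'abfa0a7c-a6b6-4736-8310-5855508787cd'
    'Microsoft.Azure.CertificateRegistration' = 'f3c21649-0979-4721-ac85-b0216b2cf413'
}

$kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultRg
if (-not $kv) { throw "Key Vault '$VaultName' not found in resource group '$VaultRg'." }

# 1. Permission model and network exposure, as the post describes changing them.
$model = if ($kv.EnableRbacAuthorization) { 'Azure RBAC' } else { 'Key Vault access policy' }
Write-Host "Permission model : $model"
Write-Host "Public access    : $($kv.PublicNetworkAccess)"
Write-Host "Firewall default : $($kv.NetworkAcls.DefaultAction)  (bypass: $($kv.NetworkAcls.Bypass))"
Write-Host "Soft delete      : $($kv.EnableSoftDelete)  Purge protection: $($kv.EnablePurgeProtection)"

# 2. Access-policy entries for the two expected service principals. The app ID
#    is tenant-independent; the object ID (what an access policy stores) is
#    resolved per tenant, so look it up rather than assuming it.
foreach ($name in $ExpectedApps.Keys) {
    $appId = $ExpectedApps[$name]
    $sp = Get-AzADServicePrincipal -ApplicationId $appId
    if (-not $sp) {
        Write-Warning "$name (app $appId) has no service principal in this tenant."
        continue
    }
    $policy = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if ($policy) {
        Write-Host ("{0} : certificates=[{1}] secrets=[{2}] keys=[{3}]" -f $name,
            ($policy.PermissionsToCertificates -join ','),
            ($policy.PermissionsToSecrets -join ','),
            ($policy.PermissionsToKeys -join ','))
    } else {
        Write-Warning "$name : no access policy entry for object ID $($sp.Id)."
    }
}

# 3. How the vault's public hostname resolves from this machine. With the
#    privatelink zone linked to the VNet, a host inside the VNet should get the
#    private endpoint address (10.1.2.4 in the post); a host outside it will not,
#    so run this from both places when comparing results.
$fqdn = ([uri]$kv.VaultUri).Host
try {
    $answers = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
    foreach ($a in ($answers | Where-Object { $_.Type -eq 'A' })) {
        Write-Host "$fqdn -> $($a.IPAddress)"
    }
} catch {
    Write-Warning "DNS lookup for $fqdn failed: $($_.Exception.Message)"
}
```

The script deliberately changes nothing; it only prints the state the portal would otherwise have to be read screen by screen, so that each troubleshooting change (RBAC vs. access policy, public access on or off, trusted-services bypass) can be confirmed to have actually landed before the "Store" step is retried.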