Azure Application Gateway SSL Chain of trust issue

I had an issue recently with an Azure Application Gateway. The HTTPS traffic was being routed correctly and the SSL certificate was working fine. Viewed through a browser, there didn't seem to be any problem with the application; a quick server test, however, revealed that the SSL certificate chain of trust was incomplete.

The same check against a URL routed directly to the server, bypassing the Azure resource, didn't highlight this issue, which meant the problem had to be with the Application Gateway.

When setting up an Application Gateway to handle HTTPS (port 443) traffic, there is little in the way of SSL configuration: a PFX certificate, probably the same one used by the backend pool or the IIS instance on your server, is uploaded or selected, and that is that.

Problem

After a fair bit of fiddling around and searching, I found the problem: the chain of trust isn't always exported with a PFX certificate. I had exported the SSL certificate in question from the IIS Server Certificates pane; that export worked in the App Gateway but didn't contain the chain of trust required to pass a more in-depth check. Browsers mask this because they cache or fetch missing intermediate certificates themselves, whereas stricter clients and scanners only trust what the server actually sends.

Solution

The solution is to export the PFX in a way that preserves the chain of trust. You do this through the MMC console; if you've ever installed an SSL certificate you'll be familiar with the process. DigiCert have documented the process, which makes complete sense: https://www.digicert.com/kb/ssl-support/certificate-pfx-file-export-import-iis-10.htm
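The same export can be scripted, which also lets you confirm the chain is really inside the PFX before uploading it to the gateway. The following is an added example, not code from the original post or from DigiCert: it exports the certificate with Export-PfxCertificate and the BuildChain option (the PowerShell equivalent of ticking "Include all certificates in the certification path" in the MMC wizard), then reads the file back with Get-PfxData and counts the chain certificates. It assumes the PKI PowerShell module is available, that the server certificate is in Cert:\LocalMachine\My, and that the issuing intermediate CA certificate is installed in the machine's Intermediate Certification Authorities store; the thumbprint and output path are placeholders.

```powershell
# Added example (not from the original post). Export a server certificate as a PFX that
# carries its chain of trust, then verify the chain is present in the resulting file.
# Assumptions: PKI module present, certificate in Cert:\LocalMachine\My, intermediate CA
# installed locally. Thumbprint and output path are placeholders.

$Thumbprint = 'REPLACE_WITH_THUMBPRINT'         # placeholder: thumbprint of the server certificate
$OutFile    = 'C:\certs\appgw-with-chain.pfx'   # placeholder output path
$Password   = Read-Host -Prompt 'PFX password' -AsSecureString

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store; the PFX would not be usable on the gateway.'
}

# Step 1: confirm Windows can build the full chain locally. If an intermediate is missing
# here, BuildChain has nothing to include and the exported PFX will be just as incomplete.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain structure matters for this check
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain could not be built; install the missing intermediate CA certificate first.'
}
Write-Host "Local chain ($($chain.ChainElements.Count) certificates):"
$chain.ChainElements | ForEach-Object { Write-Host "  $($_.Certificate.Subject)" }

# Step 2: export with the chain. -ChainOption EndEntityCertOnly would reproduce the
# original problem (a PFX holding only the server certificate).
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $Password -ChainOption BuildChain | Out-Null

# Step 3: read the PFX back. EndEntityCertificates holds the server certificate,
# OtherCertificates holds whatever chain certificates travelled with it.
$pfx = Get-PfxData -FilePath $OutFile -Password $Password
Write-Host "`nPFX contents:"
$pfx.EndEntityCertificates | ForEach-Object { Write-Host "  leaf:  $($_.Subject)" }
$pfx.OtherCertificates     | ForEach-Object { Write-Host "  chain: $($_.Subject)" }

if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'PFX contains only the end-entity certificate; the gateway would serve an incomplete chain.'
} else {
    Write-Host "OK: $($pfx.OtherCertificates.Count) chain certificate(s) included. Upload $OutFile to the Application Gateway listener."
}
```

The local X509Chain build in step 1 is what the MMC wizard does silently: if the intermediate is not in the machine store, neither the wizard nor BuildChain can add it to the PFX, and the upload will look fine in the portal while still failing the same external chain check.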