The maximum valid lifetime of SSL certificates is being significantly reduced over the next few years, so there’s never been a better time to automate your certificate management. In Azure, SSL certificates can be used in lots of different places, some of which are easier to manage than others, and you may already have a degree of automation in place. But by 2029 SSL certificates will have a maximum lifetime of 47 days, so automation will be essential to ensure you can continue to keep services running without disruption, and without significant overhead on the team or teams that manage and maintain your infrastructure.
In this blog post we’ll explore some of the different areas of Azure that utilise SSL certificates and how you might consider automating them.
The reduction of the maximum valid lifetime of public SSL certificates is being implemented in the following phases:
- Until March 14th 2026: Max 398 days (This is/was effectively 13 months, and has been the standard since September 2020)
- From March 15th 2026: Max 200 days
- From March 15th 2027: Max 100 days
- From March 15th 2029: Max 47 days
This means that by 2029 SSL certificates will need to be renewed nearly 8 times per year. What’s also worth noting is that if you renew your SSL certificates before the March 14th 2026 deadline (and get the maximum 398 days), there will be no value in renewing those certificates again until after October 2026, as you’ll otherwise receive a certificate with a shorter validity than the one you already have.
If this isn’t something you’ve thought much about up to now, a good first step would be to document everywhere in your infrastructure that currently uses SSL certificates. Some of the resource types to consider include:
- App Service
- Application Gateway
- Front Door
- AKS Ingress
- API Management
- Virtual Machines (VMs) or ScaleSets (VMSS) running webserver technologies such as IIS, NGINX or Apache Tomcat
- Service Fabric
Azure Key Vault
Azure Key Vault is the recommended resource to use in Azure for provisioning, managing and deploying SSL certificates. Many other resources in Azure are designed to consume certificates directly from Key Vault.
There are a few ways to get your certificates into Key Vault:
- Import an SSL certificate you’ve generated via an external provider
- Generate a CSR (Certificate Signing Request) via Azure Key Vault which you can then use to complete a certificate request via an external provider
- Use one of the partnered CA providers to generate and import the certificate directly. This requires having an account with either DigiCert or GlobalSign and providing your credentials for that provider within the Key Vault.
When you upload a certificate into Key Vault, it imports various properties including the valid from and valid to dates, which you can then use to monitor the validity of your certificates (for example by configuring alerts in Azure Monitor). When a certificate is generated by Key Vault, you can configure an email notification to be sent when a certain percentage of the certificate’s lifetime has been consumed. You can set up the same for imported certificates by configuring “Certificate Contacts” on the Key Vault and then going to the Issuance Policy settings of the certificate to configure the percentage at which you want to be notified. By default this is 80%.
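The phased lifetime schedule and the Key Vault “percentage of lifetime consumed” notification described above can be combined into a small check that decides when a renewal is actually worth doing. This is an added example, not code from the post; the certificate record is constructed sample data standing in for the valid from / valid to dates Key Vault exposes, and the 398/200/100/47-day phases are the ones listed earlier in the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Phased maximum validity for public certificates: (first day the limit applies, max days).
PHASES = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
LEGACY_MAX_DAYS = 398  # limit in force until 14 March 2026


def max_lifetime_on(day: date) -> int:
    """Longest validity (in days) a public CA may issue on the given date."""
    limit = LEGACY_MAX_DAYS
    for start, days in PHASES:
        if day >= start:
            limit = days
    return limit


@dataclass
class CertRecord:
    """Mirrors the Key Vault 'valid from' / 'valid to' properties (constructed sample data)."""
    name: str
    not_before: date
    not_after: date


def lifetime_consumed(cert: CertRecord, today: date) -> float:
    """Fraction of the lifetime used so far; Key Vault's default contact notification fires at 0.80."""
    return (today - cert.not_before).days / (cert.not_after - cert.not_before).days


def earliest_worthwhile_renewal(cert: CertRecord) -> date:
    """First date on which a freshly issued certificate would outlive the current one."""
    day = cert.not_before
    while day + timedelta(days=max_lifetime_on(day)) <= cert.not_after:
        day += timedelta(days=1)
    return day


def renewal_advice(cert: CertRecord, today: date, threshold: float = 0.80) -> str:
    """Apply the notification threshold, but never recommend a renewal that would shorten validity."""
    if today >= cert.not_after:
        return "expired"
    if lifetime_consumed(cert, today) < threshold:
        return "ok"
    if today < earliest_worthwhile_renewal(cert):
        return "wait until " + earliest_worthwhile_renewal(cert).isoformat()
    return "renew now"


if __name__ == "__main__":
    # Constructed sample: a 398-day certificate issued on the last day that limit applies.
    cert = CertRecord("contoso-web", date(2026, 3, 14), date(2026, 3, 14) + timedelta(days=398))
    for today in (date(2026, 6, 1), date(2027, 1, 1), date(2027, 2, 1)):
        print(today, f"{lifetime_consumed(cert, today):.0%} used", renewal_advice(cert, today))
    print("renewing gains validity from", earliest_worthwhile_renewal(cert))
```

For the sample certificate the script reports that a renewal only gains validity from 29 September 2026, which is the exact form of the “no value in renewing until after October 2026” observation above.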
Automating the generation of your certificates will depend on your certificate provider. There is a standard protocol for certificate renewal automation called ACME (Automated Certificate Management Environment) and a number of tools that can be used to automate the process with a variety of providers (including Let’s Encrypt, which provides free public SSL certificates). Tools include:
- Posh-ACME: A PowerShell module and ACME client to create publicly trusted SSL/TLS certificates from an ACME capable certificate authority such as Let’s Encrypt.
- win-acme: A Windows-focused ACME client (WACS) that can be scripted to manage certificate renewal, particularly for IIS and Azure-hosted workloads.
- az-acme: A specialized CLI designed to integrate ACME issuers (like Let’s Encrypt) directly with Azure Key Vault, storing certificates and enabling auto-rotation.
- EZCA: A dedicated Azure-native tool for automating certificate renewal across various Azure services, including support for Key Vault auto-rotation.
- Certbot: While general-purpose, Certbot can be used with hook scripts to renew certificates and push them to Azure resources.
App Service
Azure App Service allows you to create a free managed SSL certificate, and if you do so this is fully managed by the App Service and automatically renewed. If you instead provide your own SSL certificate, you can either upload it directly into App Service or import it from a Key Vault. The latter is recommended, as it’s then easier (per the above) to monitor and manage your certificate in Key Vault. When you update the certificate entry in Key Vault, App Service automatically syncs the new version within 24 hours and without downtime. You can also trigger a manual sync within App Service.
Note that when targeting the certificate in Key Vault you must use the non-version-specific URL. Doing so ensures that App Service always pulls the latest version of the certificate.