If you are configuring Azure App Gateway, you need pfx certificate to for LISTENER . You can purchase App Service Certificate from Azure as shown in the screen shot. you have to provide Name for the certificate, Domain host Name, Subscription (the certificate will work within the subscription only), Resource group

Now go to Certificate Configuration and Complete the 3 steps.

Now Go to “Export certificate” and Open the Key Vault. There you will see option to “Download as a certificate” to export the certificate. The


Now using this certificate copy you can create pfx certificate with password. When you try to apply the certificate to App Gateway LISTENER, it asks for password. That is why use the below script to generate the pfx certificate with password.

PowerShell script:

You need to provide App Certificate Name (which you created in Azure), resource group name, subscription id and azureLoginEmailId. Value for azureLoginEmailId is assigned to -UserPrincipalName in the script. Make sure you REPLACE the DISPLAYNAME with proper Azure AD user Display Name.

You can find App Certificate Name (which you created in Azure), resource group name, subscription id on the App Services Certificates –> Certificate Overview

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = (Get-AzureRmADUser -DisplayName "<replace display name here>").UserPrincipalName 
$subscriptionId = ""

#login to Azure
Set-AzureRmContext -SubscriptionId $subscriptionId

#Get the KeyVault Resource Url and KeyVault Secret Name were the certificate is stored
$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

#Split the resource URL of KeyVault and get KeyVaultName and KeyVaultResourceGroupName
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]

#Only users who can set the access policy and has the the right RBAC permissions can set the access policy on KeyVault, if the command fails contact the owner of the KeyVault
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get

#Getting the secret from the KeyVault
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"

Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."

Write-Host "PFX password: $pfxPassword"


This will show the certificate and password as output. This pfx certificate can be now applied to App Gateway LISTENER with proper password setting.


Note: You can also use -ObjectId in case the Set-AzureRmKeyVaultAccessPolicy fails

Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -ObjectId <replace ObjectId of user> -PermissionsToSecrets get

ObjectId can be found in AAD–>Users–>find user and click on it. In profile you will find the ObjectId.