Binding Web App to SSL certificate hosted in Key Vault in other subscription

Category: azure key vault


LZandman on Thu, 03 Aug 2017 08:40:58

We have a tenant that contains multiple subscriptions. In Subscription A I've created a Key Vault and added a SSL certificate. In Subscription B I've created a Web App and added a custom domain to it. Now I want to bind the SLL cert, that's hosted in the other subscription, to this web app. However, this doesn't seem to work. The ARM deployment always gives me the following error:

"The parameter Properties.KeyVaultId has an invalid value." (ExtendedCode": "51008")

I've tried regular ARM deployment using the New-AzureRmResourceGroupDeployment cmdlet and I've also tried the same using ArmClient. Both fail. Also, the portal doesn't seem to offer a way to do this.

Note that my ARM template works fine when I refer to a certificate hosted in a Key Vault that's provisioned in the same subscription as my Web App. The problem seems to be that you cannot use/refer to a Key Vault that resides in a different subscription.

Does anyone know if it is possible to bind certificates hosted in a Key Vault in Subscription A to a Web App that's hosted in Subscription B?


Iain Shepherd2 on Tue, 24 Oct 2017 04:07:57

It is a limitation. "This Key Vault needs to be in the same subscription as your web app"

I am asking our Microsoft contact in case there is a workaround.