Azure - can't read the private key or the cert is not valid

Hi, I have SSL certificates that I want to put as key vault but when I try to import those, it says it can’t read the private key or the cert is not valid. why does it happen? should the ssl certificates be in a specific format? thanks

Certificates would usually come with either public key in a *.cer format.

Some of them you need to export with the private key, usually in a *.pfx type that will also be accompanied by a password.

I dont save my certs in kv, but rather in azure devops but i do get them with pfx and password and then using a “download secure file” and az cli / azure powershell apply them to the webapp

I have moved the majority of my certs to come form LetsEncrypt and to be placed into a KV. All the webapp / function/ frontdoor instances that use them they are configured (through bicep / ARM) to pick up the certificate automatically. This way certificate renewal is straightforward and there is no requirement for Azure DevOps to know anything about ther certificate details.

The relevant KV will certify ther certificate when its being uploaded, I would guess you have an incorrect KV certificate reference somewhere.

Those are self signed SSL certificates, is that any requirements in terms of certificates that can be uploaded to KV?

I have never uploaded a self signed cert into a KV, but I do not see why not. Or you can use the KV to generate the self signed cert itself.

how do you save the certs in azure devops?

Add the binary file (use a PFX file)
add the password as a variable in the pipeline or via group variable. ALWAYS select the lock to hide it. (make sure you keep a copy in a VERY SECURE SPACE, we are talking about your SSL Afterall).

In the pipeline you use

Select the secure file from the list box and i suggest you give it a name at the bottom. This will allow you to use $(mycert.secureFilePath) to point to where the file is downloaded locally on the agent in what ever command you need to use after wards.

Ok but how do you manage when the certs expire?

I upload the new one a month before. Ms does offer (preview) a managed certificate - if you want to go full “certificate as a service”.

MS also has documentation how to do rotation of certs in KV but i havent used it myself as the projects i maintain get their own certificates via another service