There is a strange gap in the documentation for Azure Application Gateways around that famous Microsoft afterthought, SSL offload. Specifically, I am talking about what to do when an SSL certificate expires which if you are following best practices will be every year or two.

The general advice is to perform a rip and replace of the listener, which is a downtime inducing event on not really practical in a busy production environment. Luckily we can remedy the issue with no outage with a few lines of PowerShell, but it would be nice if Microsoft would put this in the portal for all to use freely!

The Script

The Powershell to achieve the replacement is simple and looks like this:

First, we grab our Application Gateway and pop it into a variable. Next, we grab our certificate and do the same. One important note here is the Certificate Name MUST match the name of the certificate attached to your Application Gateway (you can find the name in the portal and in the resource explorer). Finally, we commit the change to our Application Gateway, a process that will take around 15 minutes so do not panic!


Use this code at your own risk. It is provided without warranty, guarantee and if used incorrectly could hose all your backups and this would not be my fault!