Skip to content

Certificate Renewal & Upload Process for Azure KeyVault (with GoDaddy)

Overview

This guide explains how to renew an expiring certificate issued by GoDaddy and upload the new version into Azure Key Vault. It covers:

  • Downloading the existing private key
  • Verifying domain ownership via DNS
  • Downloading the new certificate from GoDaddy
  • Setting up OpenSSL
  • Rebuilding a new .pfx for Azure
  • Uploading into Azure Key Vault

Prerequisites

  • Access to Azure Resource Group (Key Vault, DNS Zone, FrontEndEndpoint, AppGateway Listeners)
  • Access to GoDaddy account
  • Windows PC (or Mac/Linux)
  • OpenSSL installed (steps below)

Step 1: Download Existing Certificate from Azure Key Vault

  1. Go to the Azure Portal.
  2. Navigate to the Resource Group Key Vault where the current certificate is stored.
  3. Select Certificates from the left menu.
  4. Click the current/expiring certificate.
  5. Click Download in PFX/PEM format.
  6. Select PFX.
  7. Save the file locally.
  8. No password is required during download (Azure sets a blank password by default).

Example saved filename: backup_pfx_prod-keyvault-customer-manual-cert-20250429.pfx

Step 2: Verify Domain in GoDaddy (DNS TXT Record)

  1. Log into the GoDaddy portal.
  2. Locate the pending certificate order.
  3. Choose DNS Verification as the method.
  4. Go to Azure Portal → Resource Group DNS Zone → Recordsets.
  5. Add a TXT record provided by GoDaddy:
  6. Name: @
  7. Value: GoDaddy provided TXT string
  8. TTL: 1 hour (or default)
  9. Wait 5–10 minutes for DNS propagation.
  10. In GoDaddy, click Verify.
  11. It may take up to 30 minutes, but often completes sooner.

Step 3: Download Issued Certificate from GoDaddy

  1. After verification succeeds, download the issued certificate from GoDaddy.
  2. You will receive a .zip file containing:
  3. A .crt file (e.g., 11605a734e1f33e3)
  4. A .pem file (e.g., 11605a734e1f33e3.pem)
  5. A CA bundle file (gd_bundle-g2.crt)

Extract these files locally into a folder. Example folder: Downloads_.customer.com\

Step 4: Install OpenSSL (Windows)

  1. Go to:https://slproweb.com/products/Win32OpenSSL.html
  2. Download Win64 OpenSSL v3.x Light Installer.
  3. Install OpenSSL:
  4. Accept default options.
  5. Choose Copy DLLs to OpenSSL bin during setup.
  6. Add OpenSSL to Windows PATH:
  7. Open System PropertiesEnvironment Variables.
  8. Edit Path → Add:

C:\Program Files\OpenSSL\bin

  1. Verify installation:
  2. Open Command Prompt and run:

openssl version

  • Should output OpenSSL version info.

Step 5: Extract Private Key from Existing Backup .pfx

  1. Open Command Prompt.
  2. Navigate to your downloads folder:

cd %USERPROFILE%\Downloads

  1. Extract private key:
openssl pkcs12 -in backup_pfx_prod-keyvault-customer-manual-cert-20250429.pfx -nocerts -out extracted_private.key
  • At "Enter Import Password", just press ENTER (Azure's default is blank).

  • At "Enter PEM pass phrase", create a temporary password (e.g., tempPass123).

  • (Optional) Remove passphrase to simplify later steps:

openssl rsa -in extracted_private.key -out private.key

Step 6: Combine New Certificate + Private Key into a New .pfx

  1. Build a new .pfx using the new GoDaddy cert and extracted private key:
openssl pkcs12 -export -out new_uploadable_cert.pfx -inkey private.key -in "_.customer.com\11605a734e1f33e3.crt" -certfile "_.customer.com\gd_bundle-g2.crt"
  1. When prompted:
  2. Enter Export Password → create a new password (e.g., dataforge2025!).
  3. Remember this password — you will need it when uploading to Azure.

Step 7: Upload the New Certificate to Azure Key Vault

  1. Go back to Azure Portal → Resource Group Key VaultCertificates.
  2. Choose Generate/ImportImport.
  3. Select:
  4. Method: Import
  5. Upload your new_uploadable_cert.pfx
  6. Enter the Export Password you set in Step 6.
  7. Complete upload.

Step 8: Renew certificate in FrontendEndpoint and AppGateway Listener

  1. Go to Azure Resource Group → FrontendEndpoint → Click on custom domain
  2. In Certificate/Secret Version drop-down, choose current version to update to current version.
  3. Go back to Azure Resource Group → AppGateway → Listeners -> Click on listener
  4. Select Renew or edit selected certificate → Choose a certificate from Key Vault → Select the KeyVault → Select the correct Certificate

Step 9: Final Cleanup

  • Delete or securely archive:
  • Extracted private.key
  • Temporary extracted_private.key
  • Retain new_uploadable_cert.pfx securely if needed for audit or backup purposes.

Notes

  • Always keep private keys secure.
  • Keep password logs in a secure location (such as Azure Key Vault secrets, or password manager).
  • If DNS verification TXT records were temporary, clean them up from Azure DNS.

Process Summary

Step Action
1 Download existing .pfx from Azure
2 Verify domain in GoDaddy via DNS
3 Download new cert from GoDaddy
4 Install OpenSSL
5 Extract private key from old .pfx
6 Rebuild .pfx with new cert
7 Upload to Azure
8 Renew certificate in FrontendEndpoint and AppGateway Listener
9 Cleanup private keys securely

Files/Folders You Should Expect

File/Folder Purpose
backup_pfx_prod-keyvault-customer-manual-cert-20250429.pfx Existing Azure certificate backup
_.customer.com\ Folder containing GoDaddy cert files
extracted_private.key Private key extracted from old .pfx
private.key Unencrypted private key
new_uploadable_cert.pfx Final output for Azure Key Vault upload