How to detect expiring certificates in Azure Application Gateway

We've been on a mission lately at work to find expiring credentials and certificates in our Azure environments. One of the resources we had on our radar is Azure Application Gateway. Here's what I did to solve this problem and to enable us to be more proactive.

Updated: 2021-06-14 - Refreshed modules & script references

Requirements

  • PowerShell Az module
  • Az.ResourceGraph module v0.10.0+

The problem

It is always stressful to have people landing at your desk, panic in their eyes, because some HTTPS certificate just expired in a critical environment. Some resources in Azure are easier to check than others. Expiring certificates in App Services can be detected using only Azure Resource Graph; here's the recipe if you want it. Others, like Application Gateway, cannot be checked using Resource Graph alone (at the time of writing).

The Assumption

My first reflex was to use PowerShell to call Azure Resource Graph and automate this. Basically, I wanted to extract all certificate data from Azure, decode it from Base64, build the certificate (X509Certificate2) in memory and compare its NotAfter property against the date I cared about. Well, in the case of Application Gateway, it turned out to be a bit more complicated than I thought.

The Twist

I tried, and tried for an hour, to decode the certificate's publicCertData property without success. I turned to the internet and found the following PowerShell module: AzureRMAppGWCert. A big thank you, by the way, to Victor Santana for this gem. When I examined the code, I understood why it didn't work the way it always had elsewhere: in the case of Application Gateway, some leading data has to be removed after the Base64 decoding before the bytes can be loaded as an X509Certificate2.
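The decode / strip / check sequence described above, as an added example that is not the post's script nor the AzureRMAppGWCert module. The number of header bytes is not stated in the post, so the `-HeaderBytes` default below is an assumption to verify against that module; the function name and the self-signed test certificate (built with .NET's CertificateRequest, so PowerShell 7 is assumed) are constructed for the demo.

```powershell
# Decode an Application Gateway style publicCertData blob, drop the leading
# header bytes, load the remainder as a certificate and flag it if it expires
# within -ExpiresInDay days (or has already expired).
function Test-AppGatewayCertExpiry {
    param(
        [Parameter(Mandatory)][string]$PublicCertData,  # Base64 blob from the gateway
        [int]$ExpiresInDay = 90,                         # same default as the post's script
        [int]$HeaderBytes  = 60,                         # ASSUMPTION: verify for your data
        [string]$GatewayName = 'unknown'
    )
    $raw = [Convert]::FromBase64String($PublicCertData)
    if ($raw.Length -le $HeaderBytes) { throw "Blob too short ($($raw.Length) bytes)" }
    # Everything after the header must be a DER-encoded X.509 certificate.
    $der  = [byte[]]$raw[$HeaderBytes..($raw.Length - 1)]
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $deadline = (Get-Date).AddDays($ExpiresInDay)
    if ($cert.NotAfter -le $deadline) {
        [pscustomobject]@{
            Name       = $GatewayName
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# --- constructed input so the example runs without Azure access ---
# A self-signed certificate valid for 30 more days, wrapped in a dummy header
# of the assumed size to mimic the shape of the gateway blob.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=demo.example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demo    = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$certDer = $demo.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$header  = New-Object byte[] 60
$blob    = [Convert]::ToBase64String([byte[]]($header + $certDer))

# Flagged with the 90-day default; silent when only looking 7 days ahead.
Test-AppGatewayCertExpiry -PublicCertData $blob -GatewayName 'demo-ag'
Test-AppGatewayCertExpiry -PublicCertData $blob -GatewayName 'demo-ag' -ExpiresInDay 7
```

If the constructor throws on real gateway data, the header size assumption is wrong for that blob; adjust `-HeaderBytes` rather than the certificate handling.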

The solution

After working out the tricky truncation part, I created a PowerShell script that uses Azure Resource Graph to scan all the subscriptions you have access to. Here is how to use it:

# Default is in the next 90 days
.\Get-AzureAppGatewayExpiringCertificates.ps1

# To look further, i.e. 180 days
.\Get-AzureAppGatewayExpiringCertificates.ps1 -ExpiresInDay 180

If you have any expired or soon-to-expire certificates, you'll get one or more output objects like the following:

Name                           Value
----                           -----
SubscriptionId                 00000000-0000-0000-0000-000000000000
Thumbprint                     4956BCC058BCA4BCB1349357AB474CCDBB37C28AB
ResourceGroup                  poc-prod-common
SubscriptionName               my-company-subscription
NotAfter                       3/4/2019 4:51:03 PM
Cert                           [Subject]...
Name                           poc-prod-common-ag

Conclusion

Again, the truncation was a nice pitfall, but I'm very glad I finally worked it out with the help of Azure Resource Graph. In my case I scan 30+ subscriptions and check all of them in under 3 seconds, which is blazing fast!

You can download the script from my azure-scripts repo on GitHub here. Enjoy!

Hope it helps!