This post was originally published here

I was working on an API that needed certificate-based (SSL/TLS) connectivity to an external API exposed by a third party. We stored this certificate in Key Vault and referenced it from the Azure App Service (Web API). I used an ARM template to add the certificate (.pfx) from Azure Key Vault to the TLS/SSL settings of the Web App Service.

Below is the ARM template that gets the certificate from Key Vault and deploys the Web App into the App Service Environment (ASE).

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appServiceName": {
      "type": "string"
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Storage Account name"
      }
    },
    "appServicePlanResourceGroup": {
      "type": "string",
      "metadata": {
        "description": "Azure service plan resource group"
      }
    },
    "appServicePlanName": {
      "type": "string",
      "metadata": {
        "description": "Azure Service Plan name"
      }
    },
    "applicationInsightsName": {
      "type": "string",
      "metadata": {
        "description": "The name of the app insights instance for the workload"
      }
    },
    "keyVaultName": {
      "type": "string"
    },
    "keyVaultResourceGroup": {
      "type": "string"
    },
    "BaseUrl": {
      "type": "string"
    },
    "CertkeyVaultSecretName": {
      "type": "string"
    }
  },
  "variables": {
    "applicationInsights": {
      "apiVersion": "2015-05-01",
      "name": "[parameters('applicationInsightsName')]"
    },
    "keyVault": {
      "apiVersion": "2015-06-01",
      "name": "[parameters('keyVaultName')]",
      "resourceId": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    }
  },
  "resources": [
    {
      "apiVersion": "2015-08-01",
      "name": "[parameters('appServiceName')]",
      "type": "Microsoft.Web/sites",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "Website"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "dependsOn": [
        "Microsoft.Web/certificates/CertificateName"
      ],
      "properties": {
        "name": "[parameters('appServiceName')]",
        "serverFarmId": "[resourceId(parameters('appServicePlanResourceGroup'), 'Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
        "siteConfig": {
          "use32BitWorkerProcess": false,
          "alwaysOn": true,
          "ftpsState": "FtpsOnly"
        },
        "httpsOnly": true
      },
      "resources": [
        {
          "name": "appsettings",
          "type": "config",
          "apiVersion": "2015-08-01",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites', parameters('appServiceName'))]"
          ],
          "properties": {
            "ApplicationInsights:InstrumentationKey": "[reference(resourceId(resourceGroup().Name, 'Microsoft.Insights/components', variables('applicationInsights').name), variables('applicationInsights').apiVersion).InstrumentationKey]",
            "Web:BaseAddress": "[parameters('BaseUrl')]",
            "Web:ClientCertificateThumbprint": "[reference(resourceId(resourceGroup().Name, 'Microsoft.Web/certificates','CertificateName'), '2016-03-01').thumbprint]",
            "WEBSITE_LOAD_CERTIFICATES": "*"
          }
        }
      ]
    },
    {
      "type": "Microsoft.Web/certificates",
      "name": "CertificateName",
      "apiVersion": "2016-03-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "keyVaultId": "[variables('keyVault').resourceId]",
        "keyVaultSecretName": "[parameters('CertkeyVaultSecretName')]",
        "serverFarmId": "[resourceId(parameters('appServicePlanResourceGroup'), 'Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
      }
    },
    {
      "apiVersion": "2014-04-01",
      "name": "[parameters('applicationInsightsName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites/', parameters('appServiceName'))]"
      ],
      "tags": {
        "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', parameters('appServiceName'))]": "Resource",
        "displayName": "AppInsightsComponent"
      },
      "properties": {
        "applicationId": "[parameters('appServiceName')]"
      }
    }
  ]
}

When this deployment ran from the Azure Portal, it failed with the following error message.

Status Message: {"Code":"Conflict","Message":"Another certificate exists with same thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx at location Australia East in the Resource Group RG-AE-Dev.","Target":null,"Details":[{"Message":"Another certificate exists with same thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx at location Australia East in the Resource Group RG-AE-Dev."},{"Code":"Conflict"},{"ErrorEntity":{"ExtendedCode":"53008","MessageTemplate":"Another certificate exists with same thumbprint {0} at location {1} in the Resource Group {2}.","Parameters":["xxxxxxxxxxxxxxxxxxxxxxxxxxxx","Australia East","RG-AE-Dev"],"Code":"Conflict","Message":"Another certificate exists with same thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx at location Australia East in the Resource Group RG-AE-Dev."}}],"Innererror":null}

I couldn't find any other certificate in the Key Vault with the same thumbprint, so I ran the PowerShell commands below to find all the certificates registered in the resource group.

# Change these to your appropriate values
$SubscriptionId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ResourceLocation = "Australia East"
$ResourceGroupName = "RG-AE-Dev"
$ResourceName = "CertificateName"
$KeyVaultName = "AZ-KeyVault"
$KeyVaultId = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG-AE-ICC-Dev/providers/Microsoft.KeyVault/vaults/AZ-KeyVault"
$KeyVaultSecretName = "certificatesecret"
$ServerFarmId = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG-AE-Dev/providers/Microsoft.Web/serverfarms/AustraliaEastPlan"

# Log in and select the correct subscription
# (AzureRm module; with the newer Az module the equivalents are Connect-AzAccount, Set-AzContext and Get-AzResource)
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $SubscriptionId

# Optional: register the Key Vault certificate as an App Service certificate resource
# from PowerShell instead of from the ARM template. The template's Microsoft.Web/certificates
# resource already does this, so the step is left commented out; only the listing below is run.
# $PropertiesObject = @{
#     KeyVaultId         = $KeyVaultId
#     KeyVaultSecretName = $KeyVaultSecretName
#     serverFarmId       = $ServerFarmId
# }
# New-AzureRmResource -Name $ResourceName -Location $ResourceLocation -PropertyObject $PropertiesObject -ResourceGroupName $ResourceGroupName -ResourceType Microsoft.Web/certificates -ApiVersion 2018-02-01 -Force

# List every Microsoft.Web/certificates resource in the resource group; the thumbprint
# in each entry shows which ones are the same certificate registered under different names
Get-AzureRmResource -ResourceGroupName $ResourceGroupName -ResourceType Microsoft.Web/certificates -IsCollection -ApiVersion 2018-02-01

This PowerShell command lists all the certificates, and I found that the same certificate was already installed under a different name, hence the same thumbprint.

Then I navigated in Azure Resource Explorer (resources.azure.com) to Subscriptions -> resourceGroups -> providers -> Microsoft.Web -> certificates.

I found the certificate under the different name and removed it using Actions (DELETE). I re-ran the deployment, and this time it succeeded.
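As an added example (not part of the original post), the listing step above turned into a pre-flight check in PowerShell: it groups the App Service certificate resources in a resource group by thumbprint and reports any that are the same certificate under different names, and it looks up the Key Vault certificate's thumbprint so you can tell before the deployment runs whether that certificate has already been imported. The functions use the Az module (Connect-AzAccount, Get-AzResource, Get-AzKeyVaultCertificate); the function names and the resource group, vault and certificate names passed to them are my own placeholders, and the sample data at the end is constructed for an offline run.

```powershell
# Added example, not from the original post: a pre-flight check that finds
# Microsoft.Web/certificates resources sharing one thumbprint, so the
# "Another certificate exists with same thumbprint" conflict is caught before
# the ARM deployment runs. Assumes the Az module; names passed in are placeholders.

function Find-DuplicateThumbprint {
    # Pure function over objects with Name and Thumbprint properties; returns one
    # record per thumbprint that appears more than once. Group-Object compares
    # case-insensitively by default, so mixed-case thumbprints still match.
    param([Parameter(Mandatory)][object[]]$Certificates)

    $Certificates |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.Thumbprint) } |
        Group-Object -Property Thumbprint |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Name.ToUpperInvariant()
                Count      = $_.Count
                Names      = (($_.Group | ForEach-Object { $_.Name }) -join ', ')
            }
        }
}

function Get-AppServiceCertificateList {
    # Live collection: every Microsoft.Web/certificates resource in the group,
    # reduced to the two fields the check needs. Run Connect-AzAccount first.
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    Get-AzResource -ResourceGroupName $ResourceGroupName `
                   -ResourceType 'Microsoft.Web/certificates' `
                   -ExpandProperties |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                Thumbprint = $_.Properties.thumbprint
            }
        }
}

function Find-ExistingImportOfKeyVaultCertificate {
    # Before deploying: is the certificate the template will import from Key Vault
    # already registered in the resource group under some other name?
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$CertificateName
    )

    $kvCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName
    Get-AppServiceCertificateList -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.Thumbprint -and ($_.Thumbprint -ieq $kvCert.Thumbprint) }
}

# Constructed sample data for an offline run: the situation in the post, where the
# same certificate had been imported earlier under another name.
$sample = @(
    [pscustomobject]@{ Name = 'CertificateName';    Thumbprint = 'AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555' }
    [pscustomobject]@{ Name = 'old-import-of-cert'; Thumbprint = 'aaaa1111bbbb2222cccc3333dddd4444eeee5555' }
    [pscustomobject]@{ Name = 'unrelated-tls-cert'; Thumbprint = '0000111122223333444455556666777788889999' }
)
Find-DuplicateThumbprint -Certificates $sample | Format-Table -AutoSize

# Against a real subscription (placeholder names), after Connect-AzAccount:
# Find-ExistingImportOfKeyVaultCertificate -ResourceGroupName 'RG-AE-Dev' `
#     -VaultName 'AZ-KeyVault' -CertificateName 'certificatesecret'
```

On the constructed sample the check reports the first two entries as one duplicated thumbprint and leaves the unrelated certificate alone. The thumbprint it returns is also the value worth putting in WEBSITE_LOAD_CERTIFICATES in place of "*" in the template above, so the Web App loads only the certificate it actually needs rather than every certificate registered for the plan.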

Thanks