I have created a wildcard certificate (from LetsEncrypt) for my domain and put it in my Azure Key Vault. The Azure Functions are already using the certificate without any issues, so the certificate should be fine. I have added an access policy (get/list secret+get/list certificate) for the Microsoft.Azure.Cdn user. When I try to enable the certificate I get the following error:
The private key is not RSA or it is unreadable. Only RSA private key is supported for BYOC to secure a custom domain.
According to https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/cdn-front-door-allowed-ca.md the Microsoft CDN doesn’t support LetsEncrypt. I have tried again with the Standard Verizon tier, but it gave me exactly the same error.
The key was fetched from LetsEncrypt and stored inside the database with this script https://github.com/DOMZE/Azure/blob/master/Automation%20Scripts/letsencryptrunbook.ps1. The actual registration is done using the Import-AzKeyVaultCertificate cmdlet.
Import-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $keyVaultCertificateName -FilePath $certificateExportPath -Password $certificatePassword
I followed this blog entry to refresh my certificates (which works fine with Azure Functions). I can download the certificate from the Key Vault (as PFX/PEM) and it works fine (without a password).
@ramondeklein
Thanks for your feedback! We will investigate and update as appropriate.
@ramondeklein , Do you still have issues with CDN with the same cert which you use for the Functions?
Yes, still doesn’t work. Same error with Standard Microsoft and Standard Verizon tiers. Are wildcard certificates supported?
@mdgattuso, Can you please take a look into this issue?
@mdgattuso Any progress on this item? I have created another wildcard certificate (not via PowerShell, but using sslforfree.com) and it seems to work fine. However, I need an automated solution because the certificates expire every 3 months...
Dominik Wilsberg referred to this link: https://docs.microsoft.com/en-us/azure/cdn/cdn-troubleshoot-allowed-ca. It seems LetsEncrypt is not supported by the CDN :-(
Hi, I can confirm normal Let's Encrypt certificates do work with Azure CDN. I created my own Acme client inspired by these two blog posts:
and was able to download a certificate from Let's Encrypt which was accepted by the Azure CDN. I would assume both URLs (marcstan.net and arnavion.dev) are served from the Azure CDN as well.
The Let's Encrypt Authority uses a certificate signed by "DST Root CA X3" which is supported by the Azure CDN.
@ramondeklein ,
I used ACME-PS PowerShell to generate my Let's Encrypt certificate and had the exact same error as you, and finally found how to handle this issue.
PKCS12 (PFX) certificates created with .Net don't seem to be compatible with Azure CDN. Or ACME-PS uses some parameters that make them not compatible.
# Use OpenSSL to export private key and certificate from ACME-PS certificate to PEM format
openssl pkcs12 -in acmePs.pfx -out openSsl.crt -clcerts -nokeys -passin "pass:P@sw0rd1" -passout "pass:P@sw0rd1"
openssl pkcs12 -in acmePs.pfx -out openSsl.key -nocerts -passin "pass:P@sw0rd1" -passout "pass:P@sw0rd1"
# Use OpenSSL to create a new PFX certificate using files created by previous commands
openssl pkcs12 -export -inkey openSsl.key -in openSsl.crt -out openSsl.pfx -passin "pass:P@sw0rd1" -passout "pass:P@sw0rd1"
Then, upload openSsl.pfx to Azure KeyVault and Azure CDN now recognizes the certificate.
I split the private key and certificate into two files because I already use these in a Kubernetes TLS Secret.
The PEM export may be done into a single file which contains both the private key and the certificate.
PS: I used passin/passout to simplify these scripts; they are not the recommended way to use passwords when signing certificates with OpenSSL.
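The re-export described in the answer above, as an added example that is not the thread's own script: it first checks that the PFX really carries an RSA private key (the condition the CDN error message names), then splits and rebuilds the file with OpenSSL, reading the password from an environment variable rather than a "pass:" argument so it stays out of shell history. The function names, file names and the PFX_PASSWORD variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a PFX holds an RSA
# private key and rebuild it with OpenSSL the way the answer above does.
# The PFX password comes from the PFX_PASSWORD environment variable (OpenSSL's
# env: password source) instead of a "pass:..." argument on the command line.
# Function and variable names here are this example's own, not Azure's.
set -eu

# pfx_key_is_rsa PFX -> exit 0 if the private key inside is RSA, 1 otherwise.
# "openssl rsa" refuses to load EC/Ed25519 keys, the same keys the CDN
# rejects, so its exit status is the check.
pfx_key_is_rsa() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl rsa -noout >/dev/null 2>&1
}

# rebuild_pfx IN.pfx OUT.pfx -> split IN into a PEM cert and a PEM key, then
# re-export both into a fresh PKCS#12 file (same steps as the answer).
rebuild_pfx() {
    in_pfx=$1; out_pfx=$2
    work=$(mktemp -d)                      # private temp dir (mode 0700)
    openssl pkcs12 -in "$in_pfx" -clcerts -nokeys -passin env:PFX_PASSWORD \
        -out "$work/cert.pem"
    openssl pkcs12 -in "$in_pfx" -nocerts -nodes -passin env:PFX_PASSWORD \
        -out "$work/key.pem"               # unencrypted, exists only in $work
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -passout env:PFX_PASSWORD -out "$out_pfx"
    rm -rf "$work"
}

# pfx_cert_fingerprint PFX -> SHA-256 fingerprint of the leaf certificate, so
# the rebuilt file can be compared with the original before uploading it.
pfx_cert_fingerprint() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Usage: PFX_PASSWORD='...' sh rebuild.sh acmePs.pfx openSsl.pfx
if [ $# -eq 2 ]; then
    pfx_key_is_rsa "$1" || { echo "$1: private key is not RSA" >&2; exit 1; }
    rebuild_pfx "$1" "$2"
    echo "original: $(pfx_cert_fingerprint "$1")"
    echo "rebuilt:  $(pfx_cert_fingerprint "$2")"
fi
```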
Used this trick as well for enabling HTTPS on Azure CDN. The pfx created by Windows certmgr.msc cannot be read by Azure.
Same issue with a Comodo-signed cert on Azure Front Door. A PFX exported from certmgr.msc is not working, but one reassembled through openssl works.