Automatic SAP BTP trust store certificate renewal with Azure Key Vault – or how to stop thinking about expiry dates once and for all
Expiring TLS certificates create maintenance effort all over the place and pose a security risk if they are not taken care of in time, especially if the underlying private key was at risk. Furthermore, security guidelines advocate shorter lifecycles: GlobalSign, DigiCert and other public Certificate Authorities (CA) enforced a maximum of 13 months in 2020. However, most people want a lifetime of multiple years so that they are bugged about it as seldom as possible.
Self-signed certificate with 30 years lifetime – no problem 🤔⛔
With today’s guidance for integrations using the SAP Destination service on SAP Business Technology Platform (BTP) you won’t break a sweat anymore when security suggests rotating self-signed certificates every month instead of every year.
However, the best option is using trusted certificates issued by a well-known certificate authority (CA). Read more about that further down.
Building on my latest blog post about Azure Application Gateway with Web Application Firewall and SAP Private Link, I would like to make good on my promise and introduce you to the wonderland of automation with regard to syncing self-signed certificates.
Certificate events enable the automation show
In my example today I am going to be using Azure Key Vault with a self-signed certificate for simplicity. For productive purposes you may prefer a certificate issued by a well-known provider like DigiCert or GlobalSign. See here how to obtain them automatically via Azure Key Vault.
Azure Key Vault exposes lifecycle events for its secured objects (keys, secrets, and certificates). Have a look at this list for reference. The most interesting ones for us are “NearExpiry” and “CertificateNewVersionCreated”.
With certificates flagged as self-renewing, we may set ourselves up to act on the CertificateNewVersionCreated event 😊
There are multiple options to act on the event. To call an SAP BTP based service like Integration Suite or the Automation Pilot, you need to look at the Web Hook option. For an Azure-native approach, the low-code experience in Logic Apps or the full-code experience in Azure Functions is straightforward for our scenario. I will describe the process using Logic Apps.
Configure the connection to your Key Vault and save the flow. It will be stored in the same resource group as the key vault by default.
It is a good practice to filter by event type at this point to avoid unnecessary executions and logic to drop requests. See event type item dropdown on the screenshot below.
Hit “Save As” and start designing your flow. For your convenience, I left my complete template including the parameters in this repo. You may import it like this:
When you do it manually, make sure to upload the parameters file too. Hit create and start configuring the connections for the flow based on your environment.
For an initial integration test with the Destination API I also left a Postman collection for you. Maintain the parameters as per your Azure subscription and resources.
Let’s walk through some of the Logic App steps in detail
It is good practice to check the name of the certificate that was renewed before proceeding. That happens in the condition check right after the trigger at the top. Since the event contains only the state change and the resource ID, we still need to request the certificate itself. I used the Key Vault REST API together with my Logic App’s Azure AD system-assigned managed identity to get the certificate payload in a secure manner.
The purple parsing steps prepare the payload for the SAP BTP Destination API call that updates the certificate. For a proper security and credential lifecycle of the BTP service key used for Destination API access, I keep the client credentials in Key Vault too. See the last blue step to retrieve the username. You may identify the credentials via the properties of your Cloud Foundry destination service like below:
The last two URLs play a role in getting the relevant JWT token for authentication and interacting with the destination’s trust store.
As before, I parse the JSON response to prepare the payload for the PUT operation that modifies the existing certificate in my BTP destination trust store. Once the new certificate is acknowledged, I post a success message to my Teams channel for transparency. If it fails, manual reprocessing is required; of course, you could add retry logic a day later or so to compensate for short-term glitches.
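To make the trigger filter, the name check and the parsing steps concrete, here is the same logic as it would look in the Azure Functions full-code alternative. This is an added example, not the Logic App template from the repo: the event shape follows the published Key Vault Event Grid schema, the Key Vault response uses its documented `cer` (base64 DER) and `x5t` (SHA-1 thumbprint) fields, and the vault name, certificate name and DER bytes are constructed placeholders; the body of the Destination API PUT itself is not shown.

```python
import base64
import hashlib
import textwrap

NEW_VERSION_EVENT = "Microsoft.KeyVault.CertificateNewVersionCreated"

def should_process(event: dict, expected_name: str) -> bool:
    """Mirror the two Logic App checks: the event-type filter on the
    trigger and the certificate-name condition right after it."""
    data = event.get("data", {})
    return (event.get("eventType") == NEW_VERSION_EVENT
            and data.get("ObjectType") == "Certificate"
            and data.get("ObjectName") == expected_name)

def certificate_url(event: dict, api_version: str = "7.4") -> str:
    """The event only carries the object ID; the certificate itself is
    fetched from the Key Vault REST API with a managed-identity token."""
    return f"{event['data']['Id']}?api-version={api_version}"

def thumbprint_b64url(der: bytes) -> str:
    """Key Vault's x5t: SHA-1 over the DER bytes, base64url, no padding."""
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).decode().rstrip("=")

def thumbprint_matches(kv_cert: dict) -> bool:
    """Sanity check before pushing anything to BTP: the payload we fetched
    must match the thumbprint Key Vault reports for it."""
    return thumbprint_b64url(base64.b64decode(kv_cert["cer"])) == kv_cert["x5t"]

def to_pem(kv_cert: dict) -> str:
    """Re-wrap the base64 DER from 'cer' as PEM for the trust store."""
    if not thumbprint_matches(kv_cert):
        raise ValueError("cer does not match x5t; refusing to update the trust store")
    body = "\n".join(textwrap.wrap(kv_cert["cer"], 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data (placeholder bytes, not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_EVENT = {
    "eventType": NEW_VERSION_EVENT,
    "subject": "sap-btp-appgw-leaf",
    "data": {
        "Id": "https://kv-example.vault.azure.net/certificates/sap-btp-appgw-leaf/0123abcd",
        "VaultName": "kv-example",
        "ObjectType": "Certificate",
        "ObjectName": "sap-btp-appgw-leaf",
        "Version": "0123abcd",
    },
}
SAMPLE_KV_RESPONSE = {
    "id": SAMPLE_EVENT["data"]["Id"],
    "x5t": thumbprint_b64url(SAMPLE_DER),
    "cer": base64.b64encode(SAMPLE_DER).decode(),
}
```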
Ready to test? 🧪
Waiting for expiry for three months … catchy elevator music playing … some more waiting ⏳ … actually forgetting what you were looking to do in the first place 💤 … more waiting😴
Oh wait, we could just trigger a new version ourselves! 💡
Keep the configuration as is and wait for the Event Grid trigger firing your Logic App in a bit 😊
Et voilà, updated certificate in the trust store!
Consider disabling the other versions of your certificate in Key Vault after allowing a transition period. Remember that we configured renewal at 80% of the lifetime. Also allow some time for the new certificate version to take effect on the App Gateway.
Thoughts on production readiness
Azure Key Vault, Event Grid and Logic Apps are cloud-native PaaS services used globally by all sorts of customers. Implementing the same flow with SAP BTP services like SAP Automation Pilot, Integration Suite and Credential Store would achieve the same goal. However, SAP Credential Store doesn’t offer certificate management or self-renewal, so you would at least need to keep a vault like Azure Key Vault.
Self-signed certificates are not optimal. You may consider bringing your own domain and certificate as described by SAP here. See here for more information on how to create a certificate with a well-known certificate authority like DigiCert or GlobalSign automatically from Azure Key Vault.
⚠️ Be aware that the self-signed leaf certificate approach requires some BTP apps to restart to reflect changed leaf certificates in the trust store ⚠️ Avoid that downtime with well-known certificates.
Furthermore, you might prefer trusting the root or intermediate certificate of your Certificate Authority in BTP. That way there is no need to populate the trust store with the leaf certificate at all.
As you can see, the dark days of calendar reminders to renew a certificate are over. Not to mention the nasty side effects like untrusted apps, insecure connections, and lifelong certificates that your successor must deal with once you are long gone into retirement 🧓🏽. Setting up trust with well-known certificate authorities is best. SAP describes here how to handle DNS mapping. Learn how to obtain the well-known certificate automatically via Azure Key Vault here.
How often do you rotate your certificates? Are you swapping the private key too? Otherwise, you could just keep the certificate for 30 years anyway 😉 Or are you already all-in with well-known certificates and don’t need to rotate 🎡 anymore?
Find your way to the blog post sparking this detour here. It discusses SAP Private Link with Azure App Gateway including web application firewall.
As always feel free to ask lots of follow-up questions.