Skip to content
Automated Let's Encrypt issuer for Azure Key Vault
Branch: master
Clone or download
Latest commit ff1cd34 Sep 8, 2019

Key Vault Acmebot

Build Status Release License

This function provide easy automation of Let's Encrypt for Azure Key Vault. This project started to solve some problems.

  • Store certificates securely with Key Vault
  • Centrally manage many certificates with one Key Vault
  • Simple deployment and configuration
  • Robustness of implementation
  • Easy monitoring (Application Insights, Webhook)

Use Key Vault for secure and centralized management of Let's Encrypt certificates.

Table Of Contents

Feature Support

  • All Azure App Service (Web Apps / Functions / Containers, any OS)
  • Azure CDN / Front Door
  • Azure Application Gateway v2
  • Subject Alternative Names (SANs) certificates (multi-domains support)
  • Wildcard certificates


  • Azure Subscription
  • Azure DNS and Key Vault resource
  • Email address (for Let's Encrypt account)

Getting Started

1. Deploy to Azure Functions

2. Add application settings key

  • LetsEncrypt:SubscriptionId
    • Azure Subscription Id
  • LetsEncrypt:Contacts
    • Email address for Let's Encrypt account
  • LetsEncrypt:VaultBaseUrl
    • Azure Key Vault DNS name (Only when using an existing Key Vault)
  • LetsEncrypt:Webhook
    • Webhook destination URL (optional, Slack recommend)

3. Enable App Service Authentication (EasyAuth) with AAD

Open Authentication / Authorization from Azure Portal and turn on App Service Authentication. Then select Log in with Azure Active Directory as an action when not logging in.

Enable App Service Authentication with AAD

Set up Azure Active Directory provider by selecting Express.

Create New Azure AD App

4. Assign role to Azure DNS

Assign DNS Zone Contributor role to Azure DNS zone or Resource Group.


5. Add a access policy (Only when using an existing Key Vault)

Add the created Azure Function to the Key Vault Certificate management access policy.



Adding new certificate

Go to Since the Web UI is displayed, if you select the target DNS zone and input domain and execute it, a certificate will be issued.

Add certificate

If nothing is displayed in the dropdown, the IAM setting is incorrect.

App Service (Web Apps / Functions / Containers)

Select "Import Key Vault Certificate" button to import the certificate from Key Vault into App Service.


After that, the certificate will automatically be renewed from Key Vault.

Application Gateway v2

Azure CDN / Front Door



This project is licensed under the Apache License 2.0

You can’t perform that action at this time.