June 10, 2026
Azure Key Vault vs ACME automation: when each wins
Azure Key Vault is the default home for TLS material in Microsoft-centric estates. App Service, Application Gateway, and AKS integrations all point at vault certificates. The question is not whether to use Key Vault — it is whether renewal happens through Azure-managed issuance, manual import, or ACME automation that writes new versions on a schedule.
Azure-managed certificates
App Service managed certificates work for simple public hostnames on the same subscription. They renew automatically within Microsoft's boundary. The tradeoff: no export for multi-target deployment, limited wildcard support depending on tier, and opaque failure notifications. Fine for a marketing site; insufficient when the same SAN must also terminate on App Gateway and an internal API management instance.
Import-and-pray workflows
Many teams buy a cert from a public CA, import the PFX into Key Vault, bind it to App Gateway, and set a calendar reminder for 11 months later. Imported certificates do not auto-renew. Key Vault records the expiry (NotAfter) of the X.509 object but does not page your on-call. Discovery scans surface these as high-risk: imported, no automation tag, single owner who left the company.
ACME into Key Vault
ACME automation requests a Let's Encrypt cert, writes a new Key Vault certificate version, and triggers downstream deployment to App Service, App Gateway, Function Apps, and AKS ingress. You keep the vault as the system of record while renewal follows the 90-day ACME cadence. RBAC matters: the automation identity needs the Key Vault Certificates Officer role on the vault, not Owner on the subscription.
Map renewal windows per vault cert with the ACME renewal timeline — especially when mixing imported and ACME-issued objects in the same vault.
What DORA reviewers ask
ICT risk assessments want evidence of renewal testing, not screenshots of the portal. Export a CSV of certificate name, issuer, not_after, automation source, and last deployment target. Show failed renewal attempts with remediation timestamps. Key Vault diagnostic logs alone are not enough — tie each version increment to a deployment record.
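The inventory scoring from the import-and-pray section and the evidence CSV reviewers ask for above can be produced from the same pass over vault data. The following Python is an added example written for this article, not the article's own tooling or any Microsoft SDK code: the certificate records and deployment records are constructed inline to mimic what a vault listing and a deployment pipeline would report, the tag names "automation", "owner" and "deploy-target" are an assumed convention, and the 30-day ACME renewal lead and 60-day warning window for imports are assumed policy values. The "as of" instant is the article's date.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Page date used as the "as of" instant for the worked example.
AS_OF = datetime(2026, 6, 10, tzinfo=timezone.utc)

# Assumed policy values (not from the article): ACME jobs renew 30 days before
# expiry, so an ACME cert already inside that window means renewal failed; an
# imported cert with under 60 days left is treated as at risk.
ACME_RENEW_BEFORE_DAYS = 30
IMPORTED_WARN_DAYS = 60

# Constructed vault listing: name, issuer, NotAfter, current version id and tags.
# Tag names "automation", "owner" and "deploy-target" are an assumed convention.
INVENTORY = [
    {"vault": "kv-prod-web", "name": "www-example", "issuer": "Let's Encrypt",
     "not_after": "2026-08-15T00:00:00Z", "version": "a1b2",
     "tags": {"automation": "acme", "deploy-target": "appgw-prod", "owner": "platform"}},
    {"vault": "kv-prod-web", "name": "api-example", "issuer": "DigiCert",
     "not_after": "2026-07-01T00:00:00Z", "version": "c3d4", "tags": {"owner": "jdoe"}},
    {"vault": "kv-legacy", "name": "intranet-old", "issuer": "DigiCert",
     "not_after": "2026-06-20T00:00:00Z", "version": "e5f6", "tags": {}},
    {"vault": "kv-prod-web", "name": "ingress-example", "issuer": "Let's Encrypt",
     "not_after": "2026-09-01T00:00:00Z", "version": "7788",
     "tags": {"automation": "acme", "deploy-target": "aks-ingress", "owner": "platform"}},
]

# Constructed deployment records: which certificate version each target pulled and when.
DEPLOYMENTS = [
    {"vault": "kv-prod-web", "name": "www-example", "version": "zz00",
     "target": "appsvc-prod", "at": "2026-03-01T08:00:00Z"},
    {"vault": "kv-prod-web", "name": "www-example", "version": "a1b2",
     "target": "appgw-prod", "at": "2026-05-20T10:00:00Z"},
    {"vault": "kv-prod-web", "name": "api-example", "version": "c3d4",
     "target": "appgw-prod", "at": "2025-07-03T09:00:00Z"},
    {"vault": "kv-prod-web", "name": "ingress-example", "version": "0911",
     "target": "aks-ingress", "at": "2026-03-30T07:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Row:
    vault: str
    name: str
    issuer: str
    not_after: str
    automation_source: str
    last_deployment_target: str
    days_left: int
    flags: list
    risk: str


def score_inventory(inventory, deployments, as_of=AS_OF):
    """Score each vault certificate and tie its current version to a deployment record."""
    rows = []
    for cert in inventory:
        tags = cert.get("tags", {})
        # Anything without an "automation" tag is treated as a manual import.
        source = tags.get("automation", "imported")
        days_left = (parse_ts(cert["not_after"]) - as_of).days
        # Deployment history for this certificate, newest first.
        history = sorted(
            (d for d in deployments
             if d["vault"] == cert["vault"] and d["name"] == cert["name"]),
            key=lambda d: d["at"], reverse=True)
        last_target = history[0]["target"] if history else ""
        flags = []
        if days_left < 0:
            flags.append("expired")
        elif source == "acme" and days_left < ACME_RENEW_BEFORE_DAYS:
            flags.append("renewal-overdue")
        if source == "imported":
            flags.append("no-automation")
        if "owner" not in tags:
            flags.append("no-owner")
        # A current version that no target ever pulled means renewal succeeded
        # but the rollout did not: the failure the diagnostic logs alone hide.
        if not any(d["version"] == cert["version"] for d in history):
            flags.append("current-version-not-deployed")
        if any(f in flags for f in ("expired", "renewal-overdue", "current-version-not-deployed")):
            risk = "high"
        elif source == "imported" and days_left < IMPORTED_WARN_DAYS:
            risk = "high"
        elif source == "imported":
            risk = "medium"
        else:
            risk = "low"
        rows.append(Row(cert["vault"], cert["name"], cert["issuer"], cert["not_after"],
                        source, last_target, days_left, flags, risk))
    return rows


def to_csv(rows) -> str:
    """Render the rows as the evidence CSV described in the article."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["vault", "name", "issuer", "not_after", "automation_source",
                     "last_deployment_target", "days_left", "flags", "risk"])
    for r in rows:
        writer.writerow([r.vault, r.name, r.issuer, r.not_after, r.automation_source,
                         r.last_deployment_target, r.days_left, ";".join(r.flags), r.risk])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(score_inventory(INVENTORY, DEPLOYMENTS)))
```

On the constructed data, the two imports are flagged for lacking automation (one also has no owner and no deployment record at all), and the AKS ingress certificate shows the case the article warns about: the ACME job wrote version 7788, but the only deployment record still points at 0911, so the vault looks healthy while the target is still serving the old certificate. In a real run the inventory would come from listing certificate properties and tags per vault, and the deployment records from whatever pipeline or operator pulls the version onto each target.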
Decision matrix
Use Azure-managed when one App Service hostname is the only consumer. Use ACME automation when the cert fans out to multiple Azure targets or hybrid cloud. Use purchased certs only when policy mandates a specific CA hierarchy — and still automate import and version rotation through an API, not a desktop upload.
Before your next subscription audit, run tenant discovery and score inventory risk with the certificate expiry risk calculator. Vault sprawl across 40 subscriptions is normal; undocumented imports across 40 vaults is an incident waiting for a long weekend.