Key Vault virtual machine extension for Linux - how to delete previous PEM file

I have successfully installed the Key Vault virtual machine extension for Linux on Ubuntu 18.04 (Azure VM). The certificate from KeyVault is imported in the default store /var/lib/waagent/Microsoft.Azure.KeyVault in PEM format.

How do I ensure that after importing a new version of the certificate, only the current one remains in the store and the old (invalid) is deleted?

This is the current state:

    adminmox2@VM2:/var/lib/waagent/Microsoft.Azure.KeyVault$ ls
    michalcpqtestwekv1.TestAcme
    michalcpqtestwekv1.TestAcme.9c312a9e003b4df8a3a7881b5b149a6c.1651038865.1658814864.PEM
    michalcpqtestwekv1.TestAcme.e1d6acf454d6474dab68dfb455e1b048.1650965285.1658741284.PEM

Thank you



Solution 1:[1]

If the VM has certificates downloaded by the previous version, i.e. v1, deleting that v1 extension will NOT delete the downloaded certificates. After installing v2.0, one may need to delete the certificate files or roll over the certificate to get the PEM file with the full chain on the VM.

According to the GitHub issue on certificates, Azure Key Vault will not be able to replace the old certificate as of now. So as a workaround, you can use a custom script and periodically delete old certs.

References:

  1. Run Custom Script Extension on Linux VMs in Azure - Azure Virtual Machines | Microsoft Docs
  2. Azure Key Vault VM Extension for Linux - Azure Virtual Machines | Microsoft Docs

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 kavyasaraboju-MT