Add Managed HSM support to Application Gateway SSL certificate commands (2025-07-01) #33263

@srijanee

Description

Preconditions

  • No need to upgrade Python SDK or the Python SDK is ready.

Related command

az network application-gateway ssl-cert create
az network application-gateway ssl-cert update
az network application-gateway ssl-cert show

Resource Provider

Microsoft.Network

Description of Feature or Work Requested

Related command

az network application-gateway ssl-cert create
az network application-gateway ssl-cert update
az network application-gateway ssl-cert show

Resource Provider
Microsoft.Network/applicationGateways

Description of Feature or Work Requested
Swagger PR Azure/azure-rest-api-specs#42137 introduced a new ApplicationGatewayManagedHsm model in API version 2025-07-01 with the following properties:

  • keyId (string) - Key identifier of a key stored in Managed HSM
  • publicCertData (string, readOnly) - Base-64 encoded public certificate data corresponding to the key stored in Managed HSM

This model is added as the hsm property on ApplicationGatewaySslCertificatePropertiesFormat, allowing Application Gateway SSL certificates to reference keys stored in Azure Managed HSM.

The CLI commands for Application Gateway SSL certificates (az network application-gateway ssl-cert create/update) need to be updated to support the new --hsm-key-id parameter so users can configure SSL certificates backed by Managed HSM.

The show command should already display the hsm block if present in the response, but please verify.

PowerShell PR (for reference)
Azure/azure-powershell#29418

Minimum API Version Required
2025-07-01

Target Date
2026-05-04

PM Contact
Jack.Stromberg@microsoft.com

Engineer Contact
srijanisen@microsoft.com

Minimum API Version Required

2025-07-01

Swagger PR link / SDK link

Azure/azure-rest-api-specs#42137

Request Example

az network application-gateway ssl-cert create \
  --resource-group MyResourceGroup \
  --gateway-name MyAppGateway \
  --name MyHsmSslCert \
  --hsm-key-id https://myvault.managedhsm.azure.net/keys/mykey/version

Target Date

2026-05-04

PM Contact

Jack.Stromberg@microsoft.com

Engineer Contact

srijanisen@microsoft.com

Additional context

The corresponding PowerShell changes have been implemented in PR Azure/azure-powershell#29418, adding -HsmKeyId and -HsmPublicCertData parameters to New-AzApplicationGatewaySslCertificate, Set-AzApplicationGatewaySslCertificate, and Add-AzApplicationGatewaySslCertificate cmdlets.
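
An added example, not part of the issue and not azure-cli code: one way a client could check a `--hsm-key-id` value before placing it in the `hsm.keyId` property described above, so that a certificate cannot be pointed at a key reference on a lookalike host. The function names are hypothetical; the `.managedhsm.azure.net` suffix list and the acceptance of a versionless key id are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: public-cloud Managed HSM DNS suffix; other clouds use other suffixes.
DEFAULT_SUFFIXES = (".managedhsm.azure.net",)
_LABEL = re.compile(r"[0-9A-Za-z-]+")


def parse_hsm_key_id(key_id, allowed_suffixes=DEFAULT_SUFFIXES):
    """Return (host, key_name, version or None); raise ValueError if malformed."""
    parts = urlsplit(key_id)
    if parts.scheme != "https":
        raise ValueError("key id must use https")
    # parts.port itself raises ValueError for a non-numeric port.
    if parts.username or parts.password or parts.port or parts.query or parts.fragment:
        raise ValueError("userinfo, port, query and fragment are not allowed")
    host = (parts.hostname or "").lower()
    # The suffix must end the host, preceded by exactly one DNS label.
    if not any(host.endswith(s) and _LABEL.fullmatch(host[:-len(s)])
               for s in allowed_suffixes):
        raise ValueError("not a Managed HSM host: %r" % host)
    segs = parts.path.split("/")  # "/keys/name/version" -> ["", "keys", name, version]
    if len(segs) not in (3, 4) or segs[0] != "" or segs[1] != "keys":
        raise ValueError("path must be /keys/<name>[/<version>]")
    if not all(_LABEL.fullmatch(s) for s in segs[2:]):
        raise ValueError("key name or version has unexpected characters")
    return host, segs[2], (segs[3] if len(segs) == 4 else None)


def build_ssl_cert(name, key_id):
    """Request-body fragment for one SSL certificate that references an HSM key."""
    parse_hsm_key_id(key_id)
    # publicCertData is listed as readOnly on the page, so it is never sent.
    return {"name": name, "properties": {"hsm": {"keyId": key_id}}}


def is_valid(key_id):
    """True when key_id passes parse_hsm_key_id, False otherwise."""
    try:
        parse_hsm_key_id(key_id)
        return True
    except ValueError:
        return False
```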
