Update use-azure-app-service-certificate-with-application-gateway.md

Author: ryanberg-aquent

support/azure/app-service/connection-issues-with-ssl-or-tls/use-azure-app-service-certificate-with-application-gateway.md

@@ -58,12 +58,41 @@ You can use App Service Certificate in Azure Application Gateway, but not direct
 
 1. **Store App Service Certificate in Key Vault**: Navigate to the App Service Certificate resource. Then, use the **Key Vault** blade to store the certificate in a key vault of your choice.
 
-2. **Enable Managed Identity for Application Gateway**: Enable user-assigned or system-assigned managed identity.
+2. **Enable Managed Identity for Application Gateway**: Enable user-assigned.
 
 3. **Grant Access to key vault**: In the key vault, go to **Access Policies**, and add a policy for Application Gateway identity that has `get`, `list`,
       and `secret management` permissions.
 
-4. **Reference Certificate from Key Vault**: Go to **Application Gateway** \> **Listeners** \> **+ Add Listener**, select **HTTPS**, and then select **Key Vault certificate**.
+4. Due to current limitations, it's necessary to assign user-assigned managed identity and SSL certificate to Application Gateway. This can be done using Azure PowerShell.
+
+```PowerShell
+
+# Connect to Azure and Authenticate
+Connect-AzAccount
+Select-AzSubscription -Subscription <customer subscription>
+Install-Module -Name Az.ManagedServiceIdentity
+# Define Variables
+$AppGwName = "<YourApplicationGatewayName>"
+$RGName = "<YourResourceGroupName>"
+$UserIdentityName = "<YourUserAssignedManagedIdentityName>"
+$vaultName = "<YourKeyVaultName>"
+$secretName = "<YourCertificateSecretName>"
+# Construct Key Vault Secret ID
+$secretId = "https://${vaultName}.vault.azure.net:443/secrets/${secretName}/"
+# Retrieve Application Gateway Object
+$AppGw = Get-AzApplicationGateway -Name $AppGwName -ResourceGroupName $RGName
+# Add SSL Certificate (Key Vault Reference)
+Add-AzApplicationGatewaySslCertificate -ApplicationGateway $AppGw -Name $secretName -KeyVaultSecretId $secretId
+# Retrieve User-Assigned Managed Identity
+$identity = Get-AzUserAssignedIdentity -Name $UserIdentityName -ResourceGroupName $rgname
+# Assign Managed Identity to Application Gateway
+Set-AzApplicationGatewayIdentity -ApplicationGateway $AppGw -UserAssignedIdentityId $identity.Id
+# Apply Changes to Azure
+Set-AzApplicationGateway -ApplicationGateway $AppGw
+
+```
+
+5. **Reference Certificate from Key Vault**: Go to **Application Gateway** \> **Listeners** \> **+ Add Listener**, select **HTTPS**, and then select **Certificate** which you added in the previous step.
 
 > [!NOTE]
 > Currently, Key Vault integration supports only certificates that have the private key in `.pfx` format.