🤚 Background
INFO
Azure Application Gateway does not clean up SSL certificates once they are no longer used in the cluster (and therefore no longer referenced by any listener), so they have to be deleted via the CLI.
Azure Application Gateway has a limit of 100 certificates.
Clean up unused certificates
CMDs
# retrieve IDs of SSL certificates attached to listeners in an Application Gateway.
az network application-gateway show -g SDK -n appgw-sdk-dev --query "httpListeners[?sslCertificate!=null].sslCertificate.id" -o tsv
# verbose
az network application-gateway ssl-cert list -g SDK --gateway-name appgw-sdk-dev -o table
# less verbose
az network application-gateway ssl-cert list -g SDK --gateway-name appgw-sdk-dev --query "[].{name:name, prov:provisioningState}" -o table
# count (querying length() avoids the two header rows that `-o table | wc -l` would add to the number)
az network application-gateway ssl-cert list -g SDK --gateway-name appgw-sdk-dev --query "length([])" -o tsv
# delete single certificate
az network application-gateway ssl-cert delete -g SDK --gateway-name appgw-sdk-dev --name cert-superset-superset-tenant-workflowtestdev-letsencrypt-secretCleanup
IMPORTANT
The script lists all SSL certificates in the Application Gateway, checks which ones are actually referenced by HTTPS listeners, and then deletes only those that are unreferenced (unused).
By default it runs a dry-run preview, so you can confirm which certificates would be removed, and you can optionally exclude any of them with a custom regex pattern.
ALWAYS do a dry run first!
./scripts/clean-appgw-unused-certs.sh
# Usage: ./scripts/clean-appgw-unused-certs.sh -g <resource-group> -n <app-gateway-name> [--execute] [--exclude-regex '<pattern>']
# Without --execute this runs in DRY-RUN mode and only prints what it would delete.
# -> script defaults to dry-run without '--execute'
./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk-dev
./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk-dev --exclude-regex '.*applications.*|.*operations.*'
# cleanup
./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk-dev --exclude-regex '.*applications.*|.*operations.*' --execute
# whitelist via negative lookahead: excludes every cert whose name does NOT contain 'superset-tenant', so only those remain candidates
./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk --exclude-regex '^(?!.*superset-tenant.*)' --execute
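The selection logic the script is described as performing (list all certs, resolve the ones referenced by HTTPS listeners, drop anything matching the exclude regex, dry-run unless --execute is given), written out as an added Python example rather than the project's own clean-appgw-unused-certs.sh. It assumes `az` is installed and logged in; the SAMPLE_* values are constructed, not real gateway output.

```python
"""Dry-run-by-default cleanup of Application Gateway SSL certs no HTTPS listener references.
Assumes `az` is installed and logged in; resource group and gateway come from the CLI args."""
import argparse, json, re, subprocess, sys

AG = ["network", "application-gateway"]

def az_json(*args):
    """Run an az CLI command and return its parsed JSON output."""
    return json.loads(subprocess.run(["az", *args, "-o", "json"], check=True,
                                     capture_output=True, text=True).stdout)

def cert_name_from_id(resource_id):
    """'.../applicationGateways/<gw>/sslCertificates/<name>' -> '<name>'."""
    return resource_id.rsplit("/", 1)[-1]

def select_unreferenced(all_names, used_ids, exclude_regex=None):
    """Certs with no referencing listener, minus any name matching exclude_regex.
    Python `re` supports lookaheads, so '^(?!.*superset-tenant.*)' works as a whitelist."""
    used = {cert_name_from_id(i) for i in used_ids}
    pat = re.compile(exclude_regex) if exclude_regex else None
    return [n for n in all_names if n not in used and not (pat and pat.search(n))]

# Constructed sample (not real gateway output) so the selection logic can be checked offline.
SAMPLE_NAMES = ["cert-applications-portal-letsencrypt-secret",
                "cert-superset-superset-tenant-alpha-letsencrypt-secret",
                "cert-superset-superset-tenant-beta-letsencrypt-secret"]
SAMPLE_USED_IDS = ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/SDK/providers"
                   "/Microsoft.Network/applicationGateways/appgw-sdk/sslCertificates"
                   "/cert-superset-superset-tenant-alpha-letsencrypt-secret"]

def main(argv):
    p = argparse.ArgumentParser()
    for flag in ("-g", "-n"):
        p.add_argument(flag, required=True)
    p.add_argument("--execute", action="store_true")
    p.add_argument("--exclude-regex")
    a = p.parse_args(argv)
    names = [c["name"] for c in az_json(*AG, "ssl-cert", "list", "-g", a.g, "--gateway-name", a.n)]
    used = az_json(*AG, "show", "-g", a.g, "-n", a.n,
                   "--query", "httpListeners[?sslCertificate!=null].sslCertificate.id")
    doomed = select_unreferenced(names, used, a.exclude_regex)
    print(f"Total certs: {len(names)}  Used certs: {len(set(used))}  Unreferenced: {len(doomed)}")
    for name in doomed:
        if not a.execute:  # default: only report what would be deleted
            print("DRY-RUN would delete", name)
            continue
        subprocess.run(["az", *AG, "ssl-cert", "delete", "-g", a.g, "--gateway-name", a.n,
                        "--name", name], check=True)
        print("deleted", name)

if __name__ == "__main__":
    main(sys.argv[1:])
```

Only `httpListeners` are consulted, so a certificate referenced anywhere else (for example by a listener type the query does not cover) would still show up as a deletion candidate; keep that in mind when reading the dry-run output.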
WARNING
./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk-dev --execute
WARNING
./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk --execute
Example
❯ ./scripts/clean-appgw-unused-certs.sh -g SDK -n appgw-sdk --exclude-regex '^(?!.*superset-tenant.*)' --execute
Fetching SSL certificates for appgw-sdk in RG SDK ...
Discovering certificates referenced by HTTPS listeners ...
Total certs: 94
Used certs : 11
Applying exclude-regex: ^(?!.*superset-tenant.*)
Unreferenced certificates:
1 cert-superset-superset-tenant-04232025-letsencrypt-secret
2 cert-superset-superset-tenant-20250424organisationtes-letsencrypt-secret
3 cert-superset-superset-tenant-asdfasdf-letsencrypt-secret
4 cert-superset-superset-tenant-bentley-letsencrypt-secret
5 cert-superset-superset-tenant-doomed2fail-letsencrypt-secret
6 cert-superset-superset-tenant-e2ee2e2e2e2e2e2e-letsencrypt-secret
7 cert-superset-superset-tenant-enhancedsdkdemo-letsencrypt-secret
8 cert-superset-superset-tenant-release-testing2-letsencrypt-cert
9 cert-superset-superset-tenant-release-testing-letsencrypt-cert
10 cert-superset-superset-tenant-testallinone2-letsencrypt-secret
11 cert-superset-superset-tenant-testallinone-letsencrypt-secret
12 cert-superset-superset-tenant-test-letsencrypt-secret
13 cert-superset-superset-tenant-testtesttest12333954092-letsencrypt-secret
14 cert-superset-superset-tenant-testtesttest12395409234-letsencrypt-secret
15 cert-superset-superset-tenant-thiswillsurelywork-letsencrypt-secret
16 cert-superset-superset-tenant-twinspace-letsencrypt-secret
Script
clean-appgw-unused-certs.sh