Azure downloads old certificate whilst the app service certificate has been renewed and issued

I'm always lurking here, but finally I have a question I really cannot answer or find online anywhere. I've found people having trouble downloading the .pfx file, but that's not the case here.

I'm trying to update the app service certificate in my application gateway in Azure so that my SSL keeps working. The problem is this:

• At first I had a permission issue, but now I can download the .pfx file without issues using the link provided by Microsoft
• The certificate has been set to auto-renewal in Azure (and Azure says it is valid until Oct '20; which is correct and it has just been renewed and issued)
• After downloading however... I noticed the date in the certificate is still set on Oct '19.
• So far I've no idea why since this method did work last year... I simply want to download the new .pfx and upload it to my application gateway.

I've tried downloading it via Powershell, Azure CLI, Old Azure CLI. but alas...

** Edit: ** I couldn't make it work and created a whole new certificate for the same wild card domain. And - surprise, surprise - now Azure did create new secrets in the key vault to use with this certificate. The question remains... Why doesn't it do this when an existing certificate gets automatically renewed???

It's probably something simple again, but I can't see it. Do any of you know how to tackle this problem?

Thanks!

Added some proof:

Screenshot: certificate data

Screenshot: key vault secret date

Script for the record:

# Script for exporting pfx certificate from the Azure Cloud
#
# Type the following commands in PowerShell console to execute the script:
#   > Powershell –ExecutionPolicy Bypass
#   > .\copyasc.ps1
#

param (
    [string]$appServiceCertificateName = "Cert_name",
    [string]$azureLoginEmailId = "username@contoso.com"
)

$resourceGroupName = "RG_name"
$subscriptionId = "sub_id"
$exportFileName = "$appServiceCertificateName.pfx"

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
New-Item $currentDirectory\$exportFileName -ItemType file
[io.file]::WriteAllBytes(".\$exportFileName", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\$exportFileName"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Alright... after some experimenting I finally found a solution. It appears Azure itself didn't have sufficient permissions and this is how I solved it:

1. Create a new App Service Certificate and configure it.
2. After configuring it, Azure appears to have made a few adjustments in the 'Access Policies' in the Azure Key Vault by adding two applications which weren't present before. These applications have a few 'Secret permissions' See this screenshot for application names
3. When I went to check on my other certificates they also got updated and I could download the .pfx again with the correct secret (using the script in my original question). (Please be aware that you also need to give you own account permissions to 'get' the .pfx file in the access policies.)

This led me to think that adding the two entities (applications) manually in the key vault access policy probably would've sufficed as well, but the workaround for this is creating a new App Service Certificate and delete (or use) it afterwards.