Azure Key Vault Automatic Certificate Rotation

Azure Key Vault Automatic Certificate Rotation for private SSL certificates
27 Feb 2024

How to Automatically Rotate Private Certificates in Azure Key Vault

Let’s talk about something we all hate doing: rotating SSL certificates. From rotating them for our web servers to rotating AAD application certificates, it takes time, it is not fun, and if you forget to do it, it can cost your organization hundreds of thousands of dollars. You have probably read about AKV’s automatic certificate rotation with DigiCert and are wondering if you can do the same for your private certificates. The TL;DR is yes, but you will need EZCA, a certificate management tool built by ex-Microsoft PKI engineers with native certificate integrations for Azure, one of them being our automatic Key Vault rotation.


How To Setup Automatic Certificate Rotation in Azure Key Vault With EZCA

EZCA can automatically create and rotate the certificates in your Key Vault, but there are a few things you need to do first. Create your EZCA CA (if you want to keep using your existing ADCS CA, you can connect it to EZCA and modernize it with all the cloud-native connections EZCA offers). Once your CA is created in EZCA, give EZCA access to your Key Vault. Note: if you are going to use AAD certificate rotation, EZCA also requires the sign permission; this lets us sign the request without ever touching your private key. Once EZCA has access, register your domain and request your Key Vault certificate in EZCA. Just remember to set it to rotate automatically, and let EZCA do the magic for you.

How to Enable Automatic AAD Application Rotation with EZCA

If you want to enable automatic AAD certificate rotation, you must give your application permission to rotate its own credential, then repeat the same certificate request steps from above, adding the Application ID in the Application ID field. Note: you will have to register the first certificate yourself, since we can’t do that for you, but after that you can rotate the certificate and see the new one added to your application.
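Because the rotation identity ends up holding both certificate rights and the key sign permission described above, it is worth auditing who in the vault can actually rotate and whether that identity holds anything more than it needs. The following is an added example (not EZCA’s or Microsoft’s code) that checks an exported access-policy list; the JSON shape is assumed to follow `az keyvault show` output, the sample vault and object IDs are constructed, and the certificate verbs in `ROTATION_CERT_PERMS` are a placeholder you should set from your own rollout notes.

```python
import json

# Constructed sample shaped like `az keyvault show` output (assumption: the
# properties.accessPolicies[].permissions layout matches the CLI; adjust if not).
SAMPLE_VAULT_JSON = json.dumps({
    "name": "contoso-kv",
    "properties": {"accessPolicies": [
        {"objectId": "11111111-0000-0000-0000-000000000001",   # rotation service
         "permissions": {"certificates": ["get", "list", "create", "update"],
                         "keys": ["sign"], "secrets": []}},
        {"objectId": "22222222-0000-0000-0000-000000000002",   # over-privileged
         "permissions": {"certificates": ["all"], "keys": ["all"], "secrets": ["all"]}},
        {"objectId": "33333333-0000-0000-0000-000000000003",   # read-only consumer
         "permissions": {"certificates": ["get", "list"], "keys": [], "secrets": ["get"]}},
    ]},
})

# Placeholder for what a rotation identity needs: the page states it needs vault
# access plus `sign` on keys for AAD rotation; the certificate verbs are assumed.
ROTATION_CERT_PERMS = {"get", "list", "create", "update"}
ROTATION_KEY_PERMS = {"sign"}

# Rights a certificate-rotation identity should not hold (lowercase for comparison).
EXCESS = {"certificates": {"all", "delete", "purge", "recover"},
          "keys": {"all", "delete", "purge", "decrypt", "unwrapkey"},
          "secrets": {"all", "get", "list", "set", "delete", "purge"}}


def audit_rotation_policies(vault_json: str, rotation_object_id: str) -> dict:
    """List principals able to rotate and check the rotation identity for excess rights."""
    policies = json.loads(vault_json)["properties"]["accessPolicies"]
    report = {"can_rotate": [], "rotation_identity_ok": False, "rotation_identity_excess": []}
    for policy in policies:
        # Normalise case: the API returns verbs in mixed case across API versions.
        perms = {scope: {v.lower() for v in verbs} for scope, verbs in policy["permissions"].items()}
        certs, keys = perms.get("certificates", set()), perms.get("keys", set())
        can_rotate = (("all" in certs or ROTATION_CERT_PERMS <= certs)
                      and ("all" in keys or ROTATION_KEY_PERMS <= keys))
        if can_rotate:
            report["can_rotate"].append(policy["objectId"])
        if policy["objectId"] == rotation_object_id:
            excess = sorted(f"{scope}:{v}" for scope, bad in EXCESS.items()
                            for v in perms.get(scope, set()) & bad)
            report["rotation_identity_excess"] = excess
            report["rotation_identity_ok"] = can_rotate and not excess
    return report


if __name__ == "__main__":
    print(json.dumps(audit_rotation_policies(SAMPLE_VAULT_JSON, "11111111-0000-0000-0000-000000000001"), indent=2))
```

Any principal listed under `can_rotate` besides the rotation service is a finding to review, since it can replace the certificate your services trust.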


Certificate Rotation for AAD application



How to Automatically Rotate Publicly Trusted SSL Certificates in AKV

Up until now we have only talked about EZCA managing private certificates, but with integrations such as our GlobalSign integration you can now also automate certificate issuance for your public certificates using the same tools you use for your private certificates. If you still have questions, feel free to book a call with our PKI experts and they can help you work out the best setup for you (sometimes you can automate all your certificates for free).