Did you know 80% of organizations have reported certificate related outage in the last two years? The reason is that computers are outnumbering humans at a ratio where manually managing certificates is impossible. One of the certificates that are easy to miss are certificate used for service to service authentication in Azure. While EZCA enables automatic Azure Key Vault certificate rotation, Azure does not currently support subject based certificate authentication, meaning that each new certificate must be registered in Azure AD before being used by an application. To solve this issue, we created a feature that automatically rotates your certificates when they are renewed. Giving you a fully automated credential rotation experience.
To enable AAD automatic certificate rotation, we must give your application the permission of updating the credentials of the applications it owns.
Microsoft blocked it so now applications can only manage their own credentials so don’t attempt to use one application to rotate many other applications credentials.
$YourApplicationsObjectId = "<Your Application's object ID>"
$YourEnterpriseApplicationsObjectId = "<Your Application's object ID (from enterprise app)>"
#set graph permissions
$adgraph = Get-AzureADServicePrincipal -Filter "AppId eq '00000002-0000-0000-c000-000000000000'"
Write-Host "-ResourceId $($adgraph.ObjectId)"
# Manage apps that this app creates or owns (Role: Application.ReadWrite.OwnedBy)
$rdscope = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -Id $rdscope -PrincipalId $YourEnterpriseApplicationsObjectId -ObjectId $YourEnterpriseApplicationsObjectId -ResourceId $adgraph.ObjectId
#Add Application as owner of itself
Add-AzureADApplicationOwner -ObjectId $YourApplicationsObjectId -RefObjectId $YourEnterpriseApplicationsObjectId
As you might notice we must get Your App’s Object ID
$YourApplicationsObjectId
To enable this feature work, an extra permission must be given to EZCA (How to give Azure Key Vault access to EZCA) This permission is under Keys -> sign. This enables EZCA to sign the request for adding the new certificate meeting Microsoft’s key ownership attestation, while keeping your key safe in your Key Vault.
Once both pre-requisites are done, EZCA will have permissions to rotate your application’s certificates. Due to the key attestation requirements, and our zero-trust design, we currently only support this feature using EZCA’s automatic Azure Key Vault certificate rotation. Follow these steps to enable automated AAD Certificate rotation: