How-To: Create a Certificate in Azure Key Vault

EZCA enables you to create certificates in Azure Key Vault by automatically connecting to your key vault and issuing and renewing your certificates.

Prerequisites

  1. You have a domain registered
  2. You have onboarded your Azure Key Vaults to EZCA

How To Create and Automatically Rotate SSL Certificates in AKV - Video Version

Overview - How to Create a Private Certificate in Azure Key Vault

Azure Key Vault is the best way to manage certificates in Azure: it allows you to securely distribute your certificates to all your Azure resources. While Azure Key Vault (AKV) has automatic rotation for public certificates, it does not work for your private certificate authority. To help you automatically rotate your private certificates (even for your Windows ADCS CA with our ADCS connection) in Key Vault, we have created a seamless integration with Azure Key Vault that enables users to create, request, and manage certificates in a few clicks from a single place.

How to Create a Certificate in AKV with EZCA

  1. Navigate to https://portal.ezca.io/

  2. Navigate to Domains.

    EZCA Cloud PKI portal My Domains page listing registered domains with Request Certificate buttons

  3. Click the “Request Certificate” button on the domain you want to request a certificate for.

    EZCA Cloud PKI My Domains page with Request Certificate button highlighted for a domain

  4. This will pre-populate the Subject Name and Subject Alternate Names with the selected domain.

    EZCA Cloud PKI Request New Certificate form with pre-filled subject name and DNS names fields

  5. If this certificate requires more subject alternate names (usually for other domains that might use this certificate), add them in the DNS Names section.

  6. By default, EZCA will request the certificate with the maximum validity allowed by your administrators. If you want to decrease the lifetime of the certificate, adjust the validity slider.

    EZCA Cloud PKI Request New Certificate form with validity period slider highlighted at 30 days

  7. Change the Certificate Location to Azure Key Vault.

    EZCA Cloud PKI Request New Certificate form with Certificate Location dropdown set to Azure Key Vault

  8. Select the Azure subscription containing the Key Vault.

    EZCA Cloud PKI certificate form with Azure Subscription dropdown highlighted for Key Vault selection

  9. Select the Azure Key Vault where you want to store the certificate.

    EZCA Cloud PKI certificate form with Azure Key Vault dropdown highlighted to choose the target vault

  10. For an automated lifecycle, select the “Auto renew certificate” option. This enables EZCA to automatically renew your certificate once it passes the defined rotation point in its lifetime.

    EZCA Cloud PKI certificate form with Auto renew certificate checkbox highlighted for automatic rotation

  11. Adjust the slider to select the percentage of the certificate lifetime at which you want EZCA to automatically renew the certificate.

    EZCA Cloud PKI certificate form with Percentage Lifetime slider to set auto-renewal threshold

  12. Click the “Request Certificate” button at the top right of the form.

    EZCA Cloud PKI Request New Certificate button highlighted to submit the certificate request

  13. Your certificate has been created successfully.

    EZCA Cloud PKI Certificate Created Successfully page displaying the new certificate PEM content

How To Use an Azure Key Vault Certificate

Now that you have created your Azure Key Vault certificate, this section covers where the certificate was created and points you to Microsoft resources on how that certificate can be used.

Getting The Certificate From The Azure Portal

  1. Navigate to https://portal.azure.com
  2. Navigate to the Azure Key Vault you selected to keep this certificate.
  3. Click on Certificates.

    Azure Key Vault overview page with Certificates section highlighted in the left navigation

  4. You should see a certificate with the following naming convention: “CERTIFICATENAME"EZCA"RANDOMNUMBER”, where CERTIFICATENAME is the subject name of your certificate and RANDOMNUMBER is a random number created by EZCA to avoid name collisions in the Azure Key Vault.

    Azure Key Vault Certificates list showing EZCA-created certificate with enabled status

  5. Click on the certificate.
  6. Click on the current version.

    Azure Key Vault certificate versions page showing current enabled version with thumbprint and dates

  7. This will open the certificate details page.
  8. From the certificate details page you can download the CER formatted certificate (no private key) or the PFX/PEM format that contains the private key.

    Azure Key Vault certificate details page with Download in CER format and PFX/PEM format buttons
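A check a practitioner can run after enabling the “Auto renew certificate” option (steps 10 and 11 above), as an added example that is not EZCA's or Microsoft's code: it models the Percentage Lifetime threshold and flags EZCA-managed certificates whose current Key Vault version is already past it, which is how a stalled renewal shows up. The vault contents below are constructed, the hyphen delimiter in the names is an assumption (the page does not specify the exact separator), and the field names mirror the CertificateProperties objects returned by the azure-keyvault-certificates SDK so live output from list_properties_of_certificates() can be substituted.

```python
"""Added example: detect EZCA-managed Key Vault certificates that missed their auto-renewal."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class CertProps:
    """Subset of Key Vault certificate metadata used here (mirrors CertificateProperties)."""
    name: str
    not_before: datetime
    expires_on: datetime
    enabled: bool = True


def is_ezca_certificate(name: str) -> bool:
    """EZCA names certificates CERTIFICATENAME + EZCA + RANDOMNUMBER; the delimiter is not
    specified on the page, so only the EZCA marker is matched."""
    return "EZCA" in name.upper()


def lifetime_elapsed_pct(cert: CertProps, now: datetime) -> float:
    """Percentage of the validity period already consumed at `now`, clamped to 0..100."""
    total = (cert.expires_on - cert.not_before).total_seconds()
    if total <= 0:
        raise ValueError(f"{cert.name}: expires_on must be after not_before")
    elapsed = (now - cert.not_before).total_seconds()
    return max(0.0, min(100.0, 100.0 * elapsed / total))


def overdue_for_renewal(certs, renew_at_pct: float, now: datetime) -> list[str]:
    """Names of enabled EZCA-managed certificates whose current version has passed the
    Percentage Lifetime threshold. Assumes a successful renewal installs a new current
    version with a fresh not_before, so a stale current version means renewal did not run."""
    return [c.name for c in certs
            if c.enabled and is_ezca_certificate(c.name)
            and lifetime_elapsed_pct(c, now) >= renew_at_pct]


# Constructed sample vault contents; the "-EZCA-" delimiter is an assumption.
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE_CERTS = [
    CertProps("www-contoso-com-EZCA-48213", datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)),
    CertProps("api-contoso-com-EZCA-90117", datetime(2023, 7, 1, tzinfo=UTC), datetime(2024, 6, 15, tzinfo=UTC)),
    CertProps("legacy-manual-cert", datetime(2023, 7, 1, tzinfo=UTC), datetime(2024, 6, 15, tzinfo=UTC)),
    CertProps("old-contoso-com-EZCA-11111", datetime(2023, 7, 1, tzinfo=UTC), datetime(2024, 6, 15, tzinfo=UTC), enabled=False),
]

if __name__ == "__main__":
    for name in overdue_for_renewal(SAMPLE_CERTS, renew_at_pct=80, now=NOW):
        print(f"{name}: past the 80% renewal threshold but still the current version")
```

Run it against a real vault by replacing SAMPLE_CERTS with the properties the SDK returns and setting renew_at_pct to the value chosen on the Percentage Lifetime slider.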

Azure Resources for using a Key Vault Stored Certificate

As mentioned before, Azure Key Vault offers many ways to use certificates in Azure. Here are some of the guides that will help you use your certificate in Azure.

  1. Azure Key Vault Extension For Automatically Downloading Certificates to Windows VM
  2. Azure Key Vault Extension For Automatically Downloading Certificates to Linux VM
  3. Retrieve a Certificate From Azure Key Vault Using C#