How To Create a Certificate in Azure Key Vault

Prerequisites

  1. Register Domain
  2. Connecting your Azure Key Vault

How To Create and Automatically Rotate SSL Certificates in AKV - Video Version

Overview - How to Create a Private Certificate in Azure Key Vault

Azure Key Vault is the best way to manage certificates in Azure: it lets you securely distribute your certificates to all of your Azure resources. While Azure Key Vault (AKV) can automatically rotate certificates issued by public certificate authorities, that automation does not cover certificates issued by your private certificate authority. To help you automatically rotate your private certificates in Key Vault (including certificates from your Windows ADCS CA, through our ADCS connection), we have created a seamless integration with Azure Key Vault that lets users create, request, and manage certificates in a few clicks from a single place.

How to Create a Certificate in AKV with EZCA

  1. Navigate to https://portal.ezca.io/
  2. Navigate to Domains.
  3. Click the “Request Certificate” button on the domain you want to request a certificate for.
  4. This pre-populates the Subject Name and Subject Alternate Names with the selected domain.
  5. If this certificate requires more subject alternate names (usually other domains that might use this certificate), add them in the DNS Names section.
  6. By default, EZCA requests the maximum validity allowed by your administrators. If you want a shorter certificate lifetime, adjust the validity slider.
  7. Change the Certificate Location to Azure Key Vault.
  8. Select the Azure subscription containing the Key Vault.
  9. Select the Azure Key Vault where you want to store the certificate.
  10. For an automated lifecycle, select the “Auto renew certificate” option. This enables EZCA to renew your certificate automatically once it passes the defined rotation threshold.

    Enabling automatic renewal automates the lifecycle of your certificates, reducing the chance of an outage caused by an expired certificate.

  11. Adjust the slider to select the percentage of the certificate lifetime at which you want EZCA to renew the certificate automatically.
  12. Click the “Request Certificate” button at the top right of the form.
  13. Your certificate has been created successfully.

How To Use an Azure Key Vault Certificate

Now that you have created your Azure Key Vault certificate, this section covers where the certificate was created and points you to Microsoft resources on how it can be used.

Getting The Certificate From The Azure Portal

  1. Navigate to https://portal.azure.com
  2. Navigate to the Azure Key Vault you selected to keep this certificate.
  3. Click on Certificates.
  4. You should see a certificate with the naming convention “CERTIFICATENAME"EZCA"RANDOMNUMBER”, where CERTIFICATENAME is the subject name of your certificate and RANDOMNUMBER is a random number generated by EZCA to avoid name collisions in the Azure Key Vault.
  5. Click on the certificate.
  6. Click on the current version.
  7. This opens the certificate details page.
  8. From the certificate details page you can download the certificate in CER format (public certificate only, no private key) or in PFX/PEM format, which includes the private key.
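Because a successful auto-renewal shows up in Key Vault as a new certificate version with a fresh notBefore, a listed version that is already past the renewal percentage from step 11 of the previous section is a sign that rotation did not run. The following is an added example, not EZCA's or Microsoft's code: it assumes an 80% renewal setting, uses a constructed listing shaped like `az keyvault certificate list` output (reduced to the fields it needs), and assumes hyphens as the separators in the CERTIFICATENAME / EZCA / RANDOMNUMBER names.

```python
"""Flag EZCA-issued Key Vault certificates that missed their renewal point."""
from datetime import datetime, timezone

RENEW_AT_PERCENT = 80  # assumed value of the renewal slider (step 11)

# Constructed sample listing, not real certificates; the hyphen separator
# in the names is an assumption.
SAMPLE_LISTING = [
    {"name": "web01-EZCA-48213", "attributes": {"enabled": True,
        "notBefore": "2024-01-01T00:00:00+00:00", "expires": "2025-01-01T00:00:00+00:00"}},
    {"name": "api01-EZCA-90417", "attributes": {"enabled": True,
        "notBefore": "2024-09-01T00:00:00+00:00", "expires": "2025-09-01T00:00:00+00:00"}},
    {"name": "legacy-EZCA-11008", "attributes": {"enabled": True,
        "notBefore": "2023-06-01T00:00:00+00:00", "expires": "2024-06-01T00:00:00+00:00"}},
    {"name": "retired-EZCA-77320", "attributes": {"enabled": False,
        "notBefore": "2024-01-01T00:00:00+00:00", "expires": "2025-01-01T00:00:00+00:00"}},
]


def renewal_time(not_before, expires, renew_at_percent):
    """Point in the lifetime at which renewal is configured to happen."""
    return not_before + (expires - not_before) * (renew_at_percent / 100)


def classify(entry, renew_at_percent, now):
    """Return 'disabled', 'expired', 'renewal-overdue' or 'ok' for one entry.

    The listed version is the current one, so being past its renewal point
    means no newer version replaced it: the automatic rotation did not run.
    """
    attrs = entry["attributes"]
    if not attrs.get("enabled", True):
        return "disabled"
    not_before = datetime.fromisoformat(attrs["notBefore"])
    expires = datetime.fromisoformat(attrs["expires"])
    if now >= expires:
        return "expired"
    if now >= renewal_time(not_before, expires, renew_at_percent):
        return "renewal-overdue"
    return "ok"


def audit(listing, renew_at_percent=RENEW_AT_PERCENT, now=None):
    """Map each certificate name in the listing to its status."""
    now = now or datetime.now(timezone.utc)
    return {e["name"]: classify(e, renew_at_percent, now) for e in listing}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_LISTING).items():
        print(f"{status:16} {name}")
```

Anything reported as renewal-overdue or expired should be investigated before the certificate stops working.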

Azure Resources for using a Key Vault Stored Certificate

As mentioned above, there are many ways to use Key Vault certificates in Azure; the following guides will help you use your certificate in Azure.

  1. Azure Key Vault Extension For Automatically Downloading Certificates to Windows VM
  2. Azure Key Vault Extension For Automatically Downloading Certificates to Linux VM
  3. Retrieve a Certificate From Azure Key Vault Using C#