How To Create and Automatically Rotate SSL Certificates in AKV - Video Version
Overview - How to Create a Private Certificate in Azure Key Vault
Azure Key Vault is the best way to manage certificates in Azure: it lets you securely distribute your certificates to all your Azure resources. While Azure Key Vault (AKV) has automatic rotation for public certificates, it does not work for certificates issued by your private certificate authority. To help you automatically rotate your private certificates in Key Vault (even those from your Windows ADCS CA, through our ADCS connection), we have created a seamless integration with Azure Key Vault that lets users create, request, and manage certificates in a few clicks from a single place.
Click the “Request Certificate” button on the domain you want to request a certificate for.
This will pre-populate the Subject Name and Subject Alternate Names with the selected domain.
If this certificate requires more subject alternate names (usually for other domains that will use this certificate), add them in the DNS Names section.
By default, EZCA requests the certificate with the maximum validity allowed by your administrators. If you want a shorter certificate lifetime, adjust the validity slider.
Change the Certificate Location to Azure Key Vault
Select the Azure subscription containing the Key Vault
Select the Azure Key Vault where you want to store the certificate.
For an automated lifecycle, select the “Auto renew certificate” option. This enables EZCA to automatically renew your certificate once it passes the defined rotation point in its lifetime.
Enabling automatic renewal automates the lifecycle of your certificates and reduces the chance of an outage caused by an expired certificate.
Adjust the slider to select at what percentage of the certificate lifetime you want EZCA to automatically renew the certificate.
Click the “Request Certificate” button at the top right of the form.
Your Certificate has been created successfully
How To Use an Azure Key Vault Certificate
Now that you have created your Azure Key Vault certificate, this section covers where the certificate was created and points you to Microsoft resources on how that certificate can be used.
Navigate to the Azure Key Vault you selected to keep this certificate.
Click on Certificates
You should see a certificate with the following naming convention: “CERTIFICATENAME"EZCA"RANDOMNUMBER”, where CERTIFICATENAME is the subject name of your certificate and RANDOMNUMBER is a random number generated by EZCA to avoid name collisions in the Azure Key Vault.
Click on the certificate
Click on the current version
This will open the certificate details page.
From the certificate details page you can download the certificate in CER format (public certificate only, no private key) or in PFX/PEM format, which contains the private key.
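Once the certificate is in Key Vault, an operator will want to confirm that auto-renewal is actually keeping up with the rotation percentage chosen above. The following is an added example (not EZCA's or Microsoft's code) that takes the JSON an `az keyvault certificate list --vault-name <vault>` call prints and reports every enabled certificate whose current version has already passed the rotation point; the `attributes.notBefore` / `attributes.expires` field names are an assumption about the CLI's output, and the listing and certificate names are constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape assumed for `az keyvault certificate list` output.
# Names only loosely follow the CERTIFICATENAME / EZCA / RANDOMNUMBER convention;
# the exact separator is not reproduced here.
SAMPLE_LISTING = json.dumps([
    {"name": "webapp-contoso-com-EZCA-48213",      # 87% through its lifetime on 2024-11-15
     "attributes": {"enabled": True,
                    "notBefore": "2024-01-01T00:00:00+00:00",
                    "expires": "2025-01-01T00:00:00+00:00"}},
    {"name": "api-contoso-com-EZCA-90117",         # ~21% through its lifetime
     "attributes": {"enabled": True,
                    "notBefore": "2024-09-01T00:00:00+00:00",
                    "expires": "2025-09-01T00:00:00+00:00"}},
    {"name": "legacy-contoso-com-EZCA-11902",      # disabled: ignored even though expired
     "attributes": {"enabled": False,
                    "notBefore": "2023-01-01T00:00:00+00:00",
                    "expires": "2024-01-01T00:00:00+00:00"}},
])


def lifetime_fraction(not_before, expires, now):
    """Fraction of the validity window (notBefore..expires) elapsed at `now`."""
    total = (expires - not_before).total_seconds()
    if total <= 0:
        raise ValueError("expires must be after notBefore")
    return (now - not_before).total_seconds() / total


def overdue_for_rotation(listing_json, rotation_percent, now_iso=None):
    """Names of enabled certificates whose current version is at or past the
    rotation point, i.e. auto-renew should already have produced a new version.
    `now_iso` is an ISO 8601 timestamp; defaults to the current UTC time."""
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))
    threshold = rotation_percent / 100.0
    overdue = []
    for cert in json.loads(listing_json):
        attrs = cert["attributes"]
        if not attrs.get("enabled", True):
            continue  # disabled versions are not serving traffic; skip them
        not_before = datetime.fromisoformat(attrs["notBefore"])
        expires = datetime.fromisoformat(attrs["expires"])
        if lifetime_fraction(not_before, expires, now) >= threshold:
            overdue.append(cert["name"])
    return overdue


if __name__ == "__main__":
    print(overdue_for_rotation(SAMPLE_LISTING, 80, "2024-11-15T00:00:00+00:00"))
```

Any name this reports is a certificate whose renewal has not happened as configured and is worth investigating before it expires.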
Azure Resources for using a Key Vault Stored Certificate
As mentioned above, there are many ways to use Key Vault certificates with Azure resources; the following guides will help you use your certificate in Azure.