Enabling Azure Key Vault Certificate Rotation Automation requires EZCA to have access to your Key Vaults. EZCA needs the RBAC Reader role on the Key Vault so it can verify that the user requesting the certificate has access to that Key Vault. The EZCA CA also requires an access policy with the following certificate permissions: Get, Update, and Create.
This is only required if you want to automate certificate rotation in Azure Key Vault. If you are using EZCA for SCEP, ACME, or other certificate management tasks, you can skip this step.
To get the most granular control over the permissions that EZCA has to your Key Vault, you can add an access policy to the Key Vault. This will allow you to specify the exact permissions that EZCA has to the Key Vault.
If your Key Vault has RBAC enabled, you will need to add the “Key Vault Certificates Officer” Key Vault RBAC permission to allow EZCA to manage the certificates in the Key Vault.
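The following PowerShell script is an added example (not part of the EZCA documentation) that grants the permissions described above on one Key Vault. It reads the vault's configuration and applies either the access policy (Get, Update, Create on certificates) or, for an RBAC-enabled vault where access policies are ignored, the "Key Vault Certificates Officer" role, and grants Reader at vault scope in both cases. It assumes the Az.KeyVault and Az.Resources modules are installed and that $ezcaObjectId is filled in with the object ID of the EZCA service principal in your tenant (a placeholder; obtain it from EZCA).

```powershell
# Added example: grant EZCA the minimum Key Vault access described above.
# Assumes Az.KeyVault and Az.Resources are installed; $ezcaObjectId is a placeholder
# for the EZCA service principal object ID in your tenant.
Connect-AzAccount

$resourceGroupName = ""   # Replace with your resource group name
$keyVaultName      = ""   # Replace with your Key Vault name
$ezcaObjectId      = ""   # Replace with the EZCA service principal object ID

$vault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
if (-not $vault) { throw "Key Vault '$keyVaultName' not found in resource group '$resourceGroupName'" }

# Reader at vault scope lets EZCA confirm the requesting user has access to the vault.
$reader = Get-AzRoleAssignment -ObjectId $ezcaObjectId -Scope $vault.ResourceId -RoleDefinitionName "Reader"
if (-not $reader) {
    New-AzRoleAssignment -ObjectId $ezcaObjectId -RoleDefinitionName "Reader" -Scope $vault.ResourceId | Out-Null
}

if ($vault.EnableRbacAuthorization) {
    # RBAC-mode vault: access policies are not evaluated, so assign the certificates role instead.
    $officer = Get-AzRoleAssignment -ObjectId $ezcaObjectId -Scope $vault.ResourceId `
        -RoleDefinitionName "Key Vault Certificates Officer"
    if (-not $officer) {
        New-AzRoleAssignment -ObjectId $ezcaObjectId -RoleDefinitionName "Key Vault Certificates Officer" `
            -Scope $vault.ResourceId | Out-Null
    }
} else {
    # Access-policy vault: grant only the three certificate permissions EZCA needs.
    # Note: this replaces any existing certificate permissions for this object ID.
    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName `
        -ObjectId $ezcaObjectId -PermissionsToCertificates get,update,create
}

# Verify what EZCA now holds on this vault.
Get-AzRoleAssignment -ObjectId $ezcaObjectId -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
if (-not $vault.EnableRbacAuthorization) {
    (Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName).AccessPolicies |
        Where-Object { $_.ObjectId -eq $ezcaObjectId } |
        Select-Object ObjectId, PermissionsToCertificates
}
```

The Key Vault Certificates Officer role grants more than Get, Update and Create, so on RBAC-enabled vaults the access-policy path is not available and the role is the narrowest built-in option; the final verification output shows exactly what was assigned.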
If your Key Vault has a firewall enabled, you will need to add the EZCA IP addresses to the Key Vault firewall to allow EZCA to manage the certificates in the Key Vault. To find the EZCA IP addresses, go to the status page of your EZCA portal instance (for example https://portal.ezca.io/status) and copy the addresses from the “Outbound IP Addresses” section.
You can now add the IP addresses to the Key Vault firewall. Since the EZCA IP addresses are subject to change, we recommend adding the entire IP range to the Key Vault firewall. You can use the following PowerShell script to do this; replace the $ipRange variable with the IP range from the EZCA portal status page:
```powershell
Connect-AzAccount
$ipRange = ""             # Replace with the comma-separated IP range from the EZCA status page
$resourceGroupName = ""   # Replace with your resource group name
$keyVaultName = ""        # Replace with your Key Vault name
# Split the comma-separated list and trim stray whitespace around each entry
$ipArr = $ipRange.Split(",") | ForEach-Object { $_.Trim() }
Add-AzKeyVaultNetworkRule -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -IpAddressRange $ipArr
```