Giving EZCA Access To Azure Key Vault

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan

Introduction First Step to Automate Certificate Rotation in Azure Key Vault

Enabling Azure Key Vault Certificate Rotation Automation requires EZCA to have access to your Key Vaults. EZCA needs RBAC Reader Role to verify the user requesting the certificate has access to the Key Vault. EZCA CA also requires an access policy with the following certificate permissions: Get, Update, and Create.

This is only required if you are looking to automate certificate rotation in Azure Key Vault. If you using EZCA for SCEP, ACME, or other certificate management tasks, you can skip this step.

Adding Application to Key Vault RBAC in Azure Portal

  1. Login to https://portal.azure.com
  2. Navigate to the Key Vault you want EZCA to manage.
  3. Click on the Access control (IAM) menu option Manage Azure Key Vault RBAC to enable automatic Certificate rotation
  4. Click on Add Add ezca to Key vault RBAC for automatic certificate rotation
  5. Select the “Add Role Assignment” Option
  6. Select Reader role Give reader permission
  7. Click on Members add the ezca application to your key vault
  8. Click on “Select Members” Azure IAM Screen
  9. Select the Keytos Application Azure IAM Screen
  10. Click the Select button Azure IAM Screen
  11. Click the Review + assign button Azure IAM Screen
  12. Click the Review + assign button Azure IAM Screen

Adding Application to Access Policies in Azure Portal for Automated Certificate Rotation

To get the most granular control over the permissions that EZCA has to your Key Vault, you can add an access policy to the Key Vault. This will allow you to specify the exact permissions that EZCA has to the Key Vault.

  1. Login to https://portal.azure.com
  2. Navigate to the Key Vault you want EZCA to manage.
  3. Click on the Access policies menu option AKV Access policies
  4. Click on Add Access Policy AKV Access policies
  5. Under Certificate permissions select: Get, Update, Create. AKV Access policies
  6. Click on the “None selected” link to the right of Select Principal AKV Access policies
  7. Click on the “None selected” link to the right of Select Principal AKV Access policies
  8. Select the Keytos Application AKV Access policies
  9. Click the Select button AKV Access policies
  10. Click the Add button AKV Access policies
  11. Click the Save button AKV Access policies
  12. Your Azure Key Vault is ready to be managed by EZCA!

Adding Access Policy for RBAC Enabled Azure Key Vaults for Automatic Certificate Rotation

If your Key Vault has RBAC enabled, you will need to add the “Key Vault Certificates Officer” Key Vault RBAC permission to allow EZCA to manage the certificates in the Key Vault.

  1. Login to https://portal.azure.com
  2. Navigate to the Key Vault you want EZCA to manage.
  3. Click on the Access control (IAM) menu option Manage Azure Key Vault RBAC to enable automatic Certificate rotation
  4. Click on Add Add ezca to Key vault RBAC for automatic certificate rotation
  5. Select the “Key Vault Certificates Officer” Role Give azure key vault certificates officer permission
  6. Click on Members add the ezca application to your key vault
  7. Click on “Select Members” Azure IAM Screen
  8. Select the Keytos Application Azure IAM Screen
  9. Click the Select button Azure IAM Screen
  10. Click the Review + assign button Azure IAM Screen
  11. Click the Review + assign button Azure IAM Screen

Adding EZCA IP Address to Azure Key Vault Firewall

If your Key Vault has a firewall enabled, you will need to add the EZCA IP address to the Key Vault firewall to allow EZCA to manage the certificates in the Key Vault. To find the EZCA IP addresses, please go to the EZCA portal status of your instance for example: https://portal.ezca.io/status and copy the IP addresses from the “Outbound IP Addresses” section. Get EZCA Outbound IP addresses you can now add the IP addresses to the Key Vault firewall. Since the EZCA IP addresses are subject to change, we recommend adding the entire IP range to the Key Vault firewall. To do this, you can use the following PowerShell script to add the IP range to the Key Vault firewall. Replace the $ipRange variable with the IP range from the EZCA portal status page:

Connect-AzAccount
$ipRange = ""
$resourceGroupName = "" # Replace with your resource group name
$keyVaultName = "" # Replace with your Key Vault name
$ipArr = $ipRange.Split(",")
Add-AzKeyVaultNetworkRule -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -IpAddressRange $ipArr