How-To: Automate Azure Key Vault Certificate Rotation with EZCA

This guide will walk you through the steps required to give EZCA access to your Azure Key Vault(s) to enable automated certificate rotation without manual intervention.

EZCA can automate the process of rotating certificates stored in Azure Key Vault. This ensures that your applications always have access to valid certificates without manual intervention. In order to enable this feature, you need to grant EZCA access to your Azure Key Vault(s) via Azure RBAC and/or Key Vault Access Policies.

Required Access for Automated Certificate Rotation

Azure Key Vault automatic certificate rotation requires EZCA to have access to your Key Vaults via two sets of permissions:

  1. Permission to read authorized users
    • EZCA requires an RBAC Reader role to verify the user requesting the certificate has access to the Key Vault.
  2. Permission to manage certificates
    • EZCA also requires either an Access Policy with Get, Update, and Create, or an RBAC Key Vault Certificates Officer role to manage the certificates in the Key Vault.

This guide will walk you through the steps required to give EZCA access to your Azure Key Vaults to enable automated certificate rotation.

Prerequisites

Add RBAC Reader Role to Key Vault

The first step is to give EZCA the Reader role on the Key Vault. This will allow EZCA to read the list of authorized users for the Key Vault to verify that the user requesting the certificate has access to the Key Vault.

  1. Login to https://portal.azure.com
  2. Navigate to the Key Vault you want EZCA to manage.
  3. Click on the Access control (IAM) menu option Manage Azure Key Vault RBAC to enable automatic Certificate rotation
  4. Click on + Add Add ezca to Key vault RBAC for automatic certificate rotation
  5. Select the Add Role Assignment Option
  6. Select the Reader role Give reader permission
  7. Click on Members add the ezca application to your key vault
  8. Click on + Select members Azure IAM Screen
  9. Search for “keytos” and select the Keytos application Azure IAM Screen
  10. Click the Select button Azure IAM Screen
  11. Click the Review + assign button Azure IAM Screen
  12. Click the Review + assign button Azure IAM Screen

Add Certificate Management Access to Key Vault

There are two ways to give EZCA access to manage certificates in your Key Vault. You can either use Key Vault Access Policies or Azure RBAC, depending on your Key Vault configuration. If you have previously disabled Access Policies on your Key Vault, you must use Azure RBAC to grant access.

Option 1: Azure RBAC

If your Key Vault has RBAC enabled, you will need to add the “Key Vault Certificates Officer” Key Vault RBAC permission to allow EZCA to manage the certificates in the Key Vault.

  1. Login to https://portal.azure.com
  2. Navigate to the Key Vault you want EZCA to manage.
  3. Click on the Access control (IAM) menu option Manage Azure Key Vault RBAC to enable automatic Certificate rotation
  4. Click on + Add Add ezca to Key vault RBAC for automatic certificate rotation
  5. Select the Key Vault Certificates Officer Role Give azure key vault certificates officer permission
  6. Click on Members add the ezca application to your key vault
  7. Click on Select Members Azure IAM Screen
  8. Search for “keytos” and select the Keytos application Azure IAM Screen
  9. Click the Select button Azure IAM Screen
  10. Click the Review + assign button Azure IAM Screen
  11. Click the Review + assign button Azure IAM Screen

Option 2: Key Vault Access Policies

To get the most granular control over the permissions that EZCA has to your Key Vault, you can add an access policy to the Key Vault. This will allow you to specify the exact permissions that EZCA has to the Key Vault.

  1. Login to https://portal.azure.com
  2. Navigate to the Key Vault you want EZCA to manage.
  3. Click on the Access policies menu option AKV Access policies
  4. Click on + Add Access Policy AKV Access policies
  5. Under Certificate permissions select: Get, Update, and Create. AKV Access policies
  6. Click on the None selected link to the right of Select Principal AKV Access policies
  7. Click on the None selected link to the right of Select Principal AKV Access policies
  8. Search for “keytos” and select the Keytos application AKV Access policies
  9. Click the Select button AKV Access policies
  10. Click the Add button AKV Access policies
  11. Click the Save button AKV Access policies
  12. Your Azure Key Vault is ready to be managed by EZCA!

Add the EZCA IP addresses to Azure Key Vault Firewall

If your Key Vault has a firewall enabled, you will need to add the EZCA IP address to the Key Vault firewall to allow EZCA to manage the certificates in the Key Vault.

Retrieve the EZCA IP Addresses

To find the EZCA IP addresses, please go to the EZCA portal status of your instance for example: https://portal.ezca.io/status and copy the IP addresses from the Outbound IP Addresses section.

Get EZCA Outbound IP addresses

Add the EZCA IP Addresses to the Key Vault Firewall

You can now add the IP addresses to the Key Vault firewall. Since the EZCA IP addresses are subject to change, we recommend adding the entire IP range to the Key Vault firewall. To do this, you can use the following PowerShell script to add the IP range to the Key Vault firewall. Replace the $ipRange variable with the IP range from the EZCA portal status page:

Connect-AzAccount
$ipRange = ""
$resourceGroupName = "" # Replace with your resource group name
$keyVaultName = "" # Replace with your Key Vault name
$ipArr = $ipRange.Split(",")
Add-AzKeyVaultNetworkRule -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -IpAddressRange $ipArr
How-To: Troubleshoot Azure Key Vault Certificate Issues

Learn how to troubleshoot common problems when issuing and managing certificates in Azure Key Vault, such as pending CSRs or merging certificates.