Managing Certificates through Azure Key Vault
In this tutorial, we will learn about managing certificates through Azure Key Vault. Every cloud app has secrets such as certificates, connection strings, and encryption keys. Maintaining these secrets efficiently is not always simple, and doing it incorrectly leads to problems: a service outage, a credential leak, or a process violation, any of which can be serious enough to shut the business down.
Use of Azure Key Vault
The secret management tools in Azure Key Vault are designed to eliminate manual steps from the flow of cloud app secrets. In addition, Azure App Service Certificates provides a domain-validated TLS certificate that is renewed automatically to minimize outages and is stored in your key vault, so you can distribute it to applications integrated with Azure Key Vault. The certificate features include:
- You can create your certificate and key in your key vault and get access logs for them.
- Azure Key Vault renews your certificate automatically and notifies you if manual follow-up is needed to complete the renewal.
- There is no restriction on how you use the certificates: you can use them anywhere, even outside Azure.
- You have a choice of certificate authorities, DigiCert and GlobalSign, for obtaining your certificate. This lets international customers get certificates from the CA required by their local regulations, and lets enterprises get certificates from the CA they already have an account with.
- For higher assurance, you can ask Azure Key Vault to generate your key in HSMs. You can also manage all your application secrets, such as connection strings, passwords, and storage keys, alongside these certificates in your key vault(s).
- Because your certificates are in a key vault, you inherit all the other benefits Azure Key Vault offers: distribute certificates using the built-in support in Azure VMs, VM scale sets, Web Apps (App Services), and Service Fabric clusters/apps, and get usage logs, analytics, and alerts via Azure Application Insights and Operations Management Suite.
Three common scenarios where this feature really helps
- You have a web app built on the Azure App Services platform that requires an OV/EV TLS server certificate, and you need to keep it refreshed before it expires.
- You have an app that runs across hundreds of Azure VMs and needs a client authentication certificate. If you insert the certificate into your VM image, you not only run the risk of theft at rest, but every time you need to update the certificate you must rebuild the image and redeploy hundreds of VMs.
- You decide to take your cloud app through SOC / PCI / FedRAMP / ISO certification, and the auditor asks you to show evidence that you roll your TLS certificates regularly.
End-to-End Use cases:
Common scenario: Contoso builds an Azure Web app with a vanity domain and SSL certificate
The flow is:
- Create an app with Azure App Service and configure it with a vanity domain.
- Create a key vault and a certificate object in it. You have the following options:
  - Import an existing valid certificate into your key vault.
  - Create a self-signed certificate for testing purposes.
  - Create a key pair and certificate signing request (CSR) within your key vault, then manually take this CSR to any public CA of your choice and get it signed.
  - Create a key pair and CSR within your key vault and have Azure Key Vault request a certificate from a supported public CA.
  Things to note and do before selecting the last option:
  - Create an account with a public CA that supports programmatic enrollment via Azure Key Vault (skip this step if you already have an account).
  - Submit the domains for which you or your organization will request certificates. The CA validates these ahead of time so that the turnaround is quick when you request a certificate. Keep this list up to date.
  - Your CA bills you per your account plan; the operations you perform with Azure Key Vault are billed on your Azure subscription bill.
- Configure your app with the certificate URI in Azure Key Vault and perform the SSL binding.
- As long as your information with the public CA is up to date, renewal requires no action from you: Azure Key Vault fetches the new certificate before your old one expires.
Additional details on Steps
- Create an app with Azure App Service and configure it with a vanity domain. You can create and deploy Web Apps using ARM templates or through the UI.
- Create a key vault and a certificate in that key vault. For the CA-integrated option you need an account with one of the supported CAs, and you need a credential from that account for the domains for which you will request a certificate. In some organizations a central team manages domains and billing, so the flow is kept generic to accommodate this. We cover the flow with PowerShell; similar functionality is also available via the cross-platform command line interface, the SDKs, and the REST API.
Next, go to PowerShell, log in to your Azure account, set the correct subscription context, and create a key vault.
```powershell
# Set this to the name of the key vault that you just created
$vaultName = "contosoKV"
```
- Configure your app to use the certificate from your key vault for SSL.
- When the certificate is close to its expiry time, Azure Key Vault attempts to renew it from the public CA. It also sends an email to the contacts listed in the certificate object before and after the renewal.
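As an added example, not part of the original page or Microsoft's own documentation, the following Az PowerShell script walks the steps above end to end with the CA-integrated option: it creates the vault, registers the CA account, creates an auto-renewing HSM-backed certificate, registers a renewal contact, and binds the certificate to the web app. Resource names, the host name, the subscription id and the CA credentials are placeholders you replace; it assumes the Az.KeyVault and Az.Websites modules and a vault that uses the access-policy permission model.

```powershell
# Added example, not the page's own code. Names, host name and CA credentials below are placeholders.
$rgName     = "contoso-rg"
$vaultName  = "contosoKV"
$certName   = "contoso-web-tls"
$hostName   = "www.contoso.com"
$webAppName = "contoso-web"

# Step 1: sign in, pick the subscription, create the vault (Premium SKU is required for HSM-backed keys).
Connect-AzAccount
Set-AzContext -Subscription "<subscription-id>"
New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName -Location "westus" -Sku Premium

# Step 2a: register your CA account so Key Vault can enroll on your behalf (the last option above).
$admin = New-AzKeyVaultCertificateAdministratorDetails -FirstName "Jane" -LastName "Doe" `
    -EmailAddress "pki-admin@contoso.com" -PhoneNumber "4255550100"
$org = New-AzKeyVaultCertificateOrganizationDetails -AdministratorDetails $admin
$apiKey = Read-Host -Prompt "DigiCert API key" -AsSecureString   # never hard-code the CA secret in scripts
Set-AzKeyVaultCertificateIssuer -VaultName $vaultName -Name "contosoDigiCert" -IssuerProvider "DigiCert" `
    -AccountId "<digicert-account-id>" -ApiKey $apiKey -OrganizationDetails $org

# Step 2b: policy: HSM-backed, non-exportable key; auto-renew 30 days before expiry.
$policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" `
    -SubjectName "CN=$hostName" -DnsName $hostName -IssuerName "contosoDigiCert" -CertificateType "OV-SSL" `
    -KeyType "RSA-HSM" -KeySize 2048 -KeyNotExportable -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30
Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy

# Enrollment is asynchronous: poll the operation until the CA has issued the certificate.
do {
    Start-Sleep -Seconds 30
    $op = Get-AzKeyVaultCertificateOperation -VaultName $vaultName -Name $certName
} while ($op.Status -eq "inProgress")
if ($op.Status -ne "completed") { throw "Enrollment failed: $($op.ErrorMessage)" }

# Renewal notifications (before and after) go to the vault's certificate contacts.
Add-AzKeyVaultCertificateContact -VaultName $vaultName -EmailAddress "pki-admin@contoso.com"

# Step 3: let the App Service resource provider read the certificate (well-known public-cloud app id;
# RBAC-enabled vaults need a role assignment instead), import it into the app, then bind the host name.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName "abfa0a7c-a6b6-4736-8310-5855508787cd" `
    -PermissionsToSecrets get -PermissionsToCertificates get
$webApp = Get-AzWebApp -ResourceGroupName $rgName -Name $webAppName
$kv = Get-AzKeyVault -VaultName $vaultName
New-AzResource -ResourceGroupName $rgName -ResourceType "Microsoft.Web/certificates" `
    -ResourceName "$webAppName-tls" -Location $webApp.Location -Force `
    -Properties @{ keyVaultId = $kv.ResourceId; keyVaultSecretName = $certName; serverFarmId = $webApp.ServerFarmId }
$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
New-AzWebAppSSLBinding -ResourceGroupName $rgName -WebAppName $webAppName `
    -Name $hostName -Thumbprint $cert.Thumbprint -SslState SniEnabled
```

Because the app references the vault certificate by name rather than holding a copy of the private key, a renewed version is picked up without redeploying the app, which is what the renewal step above relies on.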
Reference: Microsoft Documentation