I am not sure if this is a duplicate of Sign a CSR with Azure Key Vault, but I am surprised not to see any solution to this request.
AWS Certificate Manager can act as a private CA, and I would expect something similar in Azure, but I can't find anything.
Assuming I have a CSR, how can I get it signed by my own CA?
I see two approaches:
1. I store the CA certificate in Key Vault and then download the private key to sign. This is bad, because the private key leaves the vault.
2. I store the private key in Key Vault and then use the sign() method to sign the CSR digest.
I am surprised to see that there is no simple method to sign the CSR and get the signed certificate. Approach 2 would require manual steps to build the certificate from the signed digest.
Is there any alternative or ready-made library to sign a CSR?
Thanks for any hint,
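One way to carry out approach 2 with the key staying in the vault, as an added example that is not part of the question or of any Azure SDK: Go's x509.CreateCertificate accepts any crypto.Signer, so a small wrapper whose Sign method forwards the TBSCertificate digest to the vault's sign operation lets the standard library assemble the certificate. The vault call itself is an assumption, stood in for by a local P-256 key so the example runs offline; the CA name and the "customer-42" CSR are constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// vaultSigner adapts a remote "sign this digest" call (Key Vault's sign() in the question) to crypto.Signer;
// x509.CreateCertificate hands it only the TBSCertificate digest, so the CA private key never leaves the vault.
type vaultSigner struct {
	pub        crypto.PublicKey
	signDigest func(digest []byte) ([]byte, error) // assumed stand-in for the vault's sign operation
}
func (v vaultSigner) Public() crypto.PublicKey { return v.pub }
func (v vaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) { return v.signDigest(digest) }
// signCSR rejects a CSR whose self-signature fails (proof the requester holds the matching key),
// then issues a one-year client certificate chained to caCert through the signer, returned as DER.
func signCSR(csrDER []byte, caCert *x509.Certificate, signer crypto.Signer) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random 128-bit serial
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, signer)
}
// demo runs the flow offline: a local P-256 key stands in for the vault key, the CA certificate is
// self-signed through the signer, and a constructed CSR for "customer-42" is issued against it.
func demo() (leafDER []byte, ca *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := vaultSigner{caKey.Public(), func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, caKey, d) }}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, signer.Public(), signer)
	if err != nil { return nil, nil, err }
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "customer-42"}}, leafKey)
	leafDER, err = signCSR(csrDER, ca, signer)
	return leafDER, ca, err
}
```

With a real vault the closure passed as signDigest would call the ES256 sign operation on the CA key and return the raw signature; everything else stays the same.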
Related
Is it supposed to be done in Azure, since it's SharePoint, or is it on a different server? I have looked into Azure Key Vault, but before proceeding I need confirmation that this is correct, and if so, how to go about generating it.
Please check if the below points are helpful:
For a simple way to create a CSR that works on any Microsoft server platform, you can use the DigiCert. Azure Key Vault partners with the following certificate authorities to simplify certificate creation: DigiCert and GlobalSign (it offers OV TLS/SSL certificates with DigiCert/GlobalSign).
Azure Key Vault supports storing digital certificates issued by any certificate authority (CA). It supports a CSR with a private/public key pair.
If you are a Microsoft Azure user, you can create a CSR in Key Vault. The thing we need to make sure of is that the private key and the resulting public key are a matching pair. (AFAIK the CSR does not have to be generated on SharePoint.)
One of the biggest advantages of managing certificates through Key Vault is that the private key of the certificate is never exposed outside the Key Vault security world (reference).
The private key is stored within Key Vault, and the public key is attached to the CSR and submitted to the CA. During certificate import, the public key (attached to the certificate) is matched against the private key (stored within Key Vault) to complete the key pair.
Steps to generate a CSR in Azure Key Vault:
1. Sign in to the Azure portal and select the key vault where you wish to install your certificate.
2. Select Certificates in the right-hand Settings menu.
3. Click the Generate/Import button to open the Create a certificate window.
4. Enter or select the details in the Create a certificate form fields.
5. Select "Certificate issued by an integrated CA / non-integrated CA" and fill in the other fields.
6. Click the Create button to generate your new key pair and CSR.
And check this blog / "Creating and merging a certificate signing request in Azure Key Vault | Microsoft Docs" for complete details of the steps.
References:
Get started with Key Vault certificates | Microsoft Docs
Access SharePoint online content using Azure key vault certificate and Azure function app | Sundar's blog (sundarcloud.com)
I have uploaded the issuer certificate to the Azure Key Vault, and now I want to send a CSR generated on my system to Azure, get it signed by the issuer certificate in the KV, and have the signed certificate returned to me. Any idea how to accomplish this?
I am sorry that you are not able to accomplish it. For Azure Key Vault's usage scenario, you may refer to What is Azure Key Vault?.
Just as explained in that article, for Certificate, Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
You can generate a new certificate from Public CA (DigiCert or GlobalSign).
If you want to use a custom CA, you can only create a CSR, get your certificate from that CA, and finally update your certificate in Azure Key Vault. Refer to: Create a certificate manually and get signed by a CA
I am using fabric-sdk-nodejs to enroll the user, and it works fine, but all the private keys and MSP material are created using Fabric CA.
My questions:
How can I generate a keypair for an offline user and then generate the certificate using Fabric CA for a particular organisation?
Is it possible to create the keypair offline? Which keypair generation is supported, or does Fabric have its own offline keypair generation?
In a production environment we cannot keep the user keypair, so how does the keypair generation flow work?
The way you are trying to do it is wrong.
Generation of a private key and certificate is a multi-step procedure.
When you create a keypair (private key & certificate), the root CA or intermediate CA has to sign it; only then is it valid. This is called signing, using the concept of PKI.
Fabric supports x509 certificates & ECDSA private keys; you can generate the root CA certificate and sign certs outside.
Coming to your question about the security of user credentials: you can always use fabric-ca to generate the sign certs, and you have three options:
store them on the server as file storage
store them in CouchDB as a key-value store
store them in hardware, using an HSM or similar
I am not a professional with certificates, however, I am trying to understand how to get this working with Azure Key Vault.
Use case: I have a website with an SSL certificate signed by a CA (not supported by Azure Key Vault).
I want to have that root certificate in my key vault and generate client certificates as needed for our customers. (They need to be able to validate that the certificate they retrieved came from our root certificate.)
My questions:
1 - Am I correct when assuming the following:
I can generate a certificate with the Azure key vault, export the CSR, and get the CSR signed by my CA. Importing the output file provided by my CA, will result in having the correct root certificate stored in the Key Vault.
2 - To generate client certificates, I need to repeat the process described in question 1; however, I do not need to get it signed by the CA, but rather by my new certificate that was created above? This way, I can create many client certificates in a secure way.
I am getting my hands dirty with HTTPS, SSL, and PKI stuff, and there is one thing that I don't quite understand about self-signed certificates.
Say I want to create a self-signed certificate and send it over to my friend whenever we want to establish a secure connection.
So the steps are:
1. create a private key.
2. create a public key.
3. sign the certificate with my public key.
So when my friend gets my certificate, he has to verify that the certificate he gets is mine, so he needs to decrypt the digital signature. But in order to decrypt it and verify it, he has to have my private key. So, I am a bit confused here.
You've got things reversed. You sign with your private key that only you have.
You include your public key with the signature so the recipient can "verify" that the signature was calculated correctly.
But a self-signed certificate gives no assurance of the sender's identity since there is no way to independently verify that the signed data/document came from the supposed signer.