I have generated a self-signed RSA certificate in Azure KeyVault. When creating a new version of the certificate manually or automatically via the auto-renew feature, I noticed that the public/private key pair is not rotated, only the certificate part is renewed, and signed with the original key.
How can I rotate the key pair as well, which I want to do periodically for security reasons, in case the private key gets leaked through some means?
When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret.
From the RFC:
Certificate renewal means the issuance of a new certificate to the subscriber without changing the subscriber or other participant's public key or any other information in the certificate:
Circumstances under which certificate renewal takes place, such as where the certificate life has expired, but the policy permits the same key pair to be reused;
Certificate Re-key
Certificate Re-key means generating a new key pair and applying for the issuance of a new certificate that certifies the new public key:
Circumstances under which certificate re-key can or must take place, such as after a certificate is revoked for reasons of key compromise or after a certificate has expired and the usage period of the key pair has also expired;
Azure Key Vault self-signed certificate renewal does not rotate the public/private key pair by default.
You can rotate it by updating the policy for your certificate in the Azure KeyVault, where you can set ReuseKeyOnRenewal to false.
https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates
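An added example, not part of the answer above: a small Python audit that (a) flags a Key Vault certificate policy that still reuses its key pair on renewal, (b) returns a copy of the policy with reuse switched off, and (c) checks whether successive certificate versions really got fresh RSA keys by comparing the modulus of each version's backing key. It accepts policy JSON in either the REST shape (`key_props.reuse_key`) or the camelCase shape printed by `az keyvault certificate get-default-policy` (`keyProperties.reuseKey`). The policy and the three certificate versions below are constructed sample data with fake moduli, not output from a real vault; applying the fixed policy to an existing certificate (for instance with `az keyvault certificate set-attributes --policy @policy.json`) is left to the operator.

```python
"""Audit Key Vault certificate policies for key reuse on renewal and verify
that renewed certificate versions actually received new RSA key pairs.

Constructed sample data only; nothing here talks to Azure.
"""
import copy

# REST-shape and CLI-shape names for the same policy fields.
_PROPS_KEYS = ("key_props", "keyProperties")
_REUSE_KEYS = ("reuse_key", "reuseKey")


def _find_key_props(policy):
    """Return the key-properties sub-dict of a policy, whichever naming it uses."""
    for name in _PROPS_KEYS:
        if isinstance(policy.get(name), dict):
            return policy[name]
    return None


def reuses_key_on_renewal(policy):
    """True if a renewal under this policy keeps the existing key pair.

    A policy with no explicit flag is reported as reusing the key: that is the
    conservative reading for an audit, and the CLI default policy sets it to true.
    """
    props = _find_key_props(policy)
    if props is None:
        return True
    for flag in _REUSE_KEYS:
        if flag in props:
            return bool(props[flag])
    return True


def disable_key_reuse(policy):
    """Return a deep copy of the policy with key reuse on renewal switched off.

    Key type and size are untouched; the next renewal then generates a fresh
    key pair of that type (a re-key rather than a plain renewal).
    """
    fixed = copy.deepcopy(policy)
    props = _find_key_props(fixed)
    if props is None:
        props = fixed.setdefault("key_props", {})
    # Keep whatever naming convention the policy document already uses.
    flag = "reuseKey" if "keyProperties" in fixed else "reuse_key"
    props[flag] = False
    return fixed


def shared_key_versions(cert_versions):
    """Find certificate versions whose backing RSA keys share a modulus.

    cert_versions: list of {"version": str, "key": <JWK dict>} where the JWK is
    the public key of that certificate version (kty, n, e).
    Returns (earlier_version, later_version) pairs that share one key pair:
    a private-key leak from either version compromises both.
    """
    seen = {}  # modulus -> first version that used it
    shared = []
    for entry in cert_versions:
        jwk = entry["key"]
        if jwk.get("kty") != "RSA":
            raise ValueError(f"{entry['version']}: expected an RSA JWK, got {jwk.get('kty')!r}")
        modulus = jwk["n"]
        if modulus in seen:
            shared.append((seen[modulus], entry["version"]))
        else:
            seen[modulus] = entry["version"]
    return shared


# Constructed sample: an abbreviated policy in the CLI's camelCase shape, with
# the default reuseKey=True, and three certificate versions. v1 and v2 were
# renewed with key reuse (same fake modulus); v3 was re-keyed.
CLI_DEFAULT_POLICY = {
    "issuerParameters": {"name": "Self"},
    "keyProperties": {"exportable": True, "keySize": 2048, "keyType": "RSA", "reuseKey": True},
    "lifetimeActions": [{"action": {"actionType": "AutoRenew"},
                         "trigger": {"daysBeforeExpiry": 90}}],
    "x509CertificateProperties": {"subject": "CN=example.test", "validityInMonths": 12},
}

SAMPLE_VERSIONS = [
    {"version": "v1-2f9c", "key": {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-A"}},
    {"version": "v2-8ab1", "key": {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-A"}},
    {"version": "v3-c044", "key": {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-B"}},
]

if __name__ == "__main__":
    print("default policy reuses key on renewal:", reuses_key_on_renewal(CLI_DEFAULT_POLICY))
    fixed = disable_key_reuse(CLI_DEFAULT_POLICY)
    print("fixed policy reuses key on renewal:", reuses_key_on_renewal(fixed))
    print("versions sharing one key pair:", shared_key_versions(SAMPLE_VERSIONS))
```

The modulus comparison is the check worth running after enabling auto-renew: if two versions report the same `n`, the renewal kept the key and the rotation you wanted did not happen.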
Related
I have uploaded the issuer certificate in the Azure Key Vault and now I want to send a CSR generated on my system to Azure, get it signed by the issuer certificate in the KV and have the signed certificate returned to me. Any idea on how to accomplish it?
I am sorry that you are not able to accomplish it. For Azure Key Vault's usage scenario, you may refer to What is Azure Key Vault?.
Just as explained in that article, for Certificate, Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
You can generate a new certificate from Public CA (DigiCert or GlobalSign).
If you want to use custom CA, you can only create a CSR, and get your certificate from that CA, and finally update your certificate to Azure Key Vault. Refer to: Create a certificate manually and get signed by a CA
I have purchased an app service wildcard certificate and would like to import this cert into Azure Key vault for other purposes. Once I export/import the cert into Azure key vault and use for other custom domains (for example: APIM) will the auto renew ability continue to work as expected (automatically) or will I be forced to manage the cert differently now stored in key vault?
Key Vault Certificates support automatic renewal with selected issuers - Key Vault partner X509 certificate providers / certificate authorities.
Non-partnered providers/authorities are also allowed but, will not support the auto renewal feature.
So the cert imported into Key Vault will be auto-renewed instead of you renewing it manually.
The renewal process of the certificate is managed in Key Vault, so it doesn't matter where you use it; it will be the same renewal process.
I did a rekey on my app service certificate, however the expiration time of my certificate has not changed.
Re-keying an SSL certificate refers to creating a new private key for your certificate, which is used in the process of encrypting and decrypting data sent from and to your website.
Performing a re-key operation only gets a new key and has no effect on the expiration date. If you want to extend the expiration of the certificate, you need to renew it. You may also set the autorenew to true and the system will automatically renew the certificate.
Please see the document below, which explains Rekey and sync certificate:
https://learn.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site#rekey-and-sync-certificate
I am not a professional with certificates, however, I am trying to understand how to get this working with Azure Key Vault.
Use case: I have a website with an SSL certificate signed by a CA. (Not supported by Azure Key Vault)
I want to have that root certificate in my key vault and generate client certificates as needed for our customers. (They need to be able to validate that the certificate they retrieved, came from our Root Certificate).
My questions:
1 - Am I correct when assuming the following:
I can generate a certificate with the Azure key vault, export the CSR, and get the CSR signed by my CA. Importing the output file provided by my CA, will result in having the correct root certificate stored in the Key Vault.
2 - To generate client certificates, I need to repeat the process described in question 1, however, I do not need to get signed by the CA, but rather by my new certificate that was created above? This way, I can create many client certificates in a secure way.
I want to revoke my PGP public key using Bouncy Castle API. I have generated a revocation certificate. But I wasn't able to find a way to revoke a public key using a revocation certificate.
How would I achieve it?
I found the method addCertification in PGPPublickey.java class but it is for adding a certificate and not for adding a revocation certificate.
I tried this method but it actually adds any revocation certificate to a public key, and the key is being revoked too. However, the public key should add only that revocation certificate that is generated from the corresponding private key.
You should add the revocation certificate to your corresponding public key, and send this updated key to keyservers or other parties you are communicating with.
You're right on one count and wrong on another.
The Right: You've found the correct function for adding a revocation certificate to key. The addCertification function is what you should use to add your revocation certificate to a PGP Key.
The Wrong: That the function should not let you add a revocation certificate signed by someone other than the owner of the public key (which I have surmised is your assumption).
You can add any certificate signed by anyone to a PGP key. Whether the attached certificate has a relevant effect on the key is another matter.
For example, I could attach a revocation certificate generated by my secret key to your public key. However, does this mean your key has now been revoked? In short, no, it doesn't. This is because a public key can be revoked only by a revocation certificate signed by the corresponding private key, and it is up to the respective implementation (say, an encryption program like GPG) to verify this before saying your key is revoked.
In your case, your public key could have any number of revocation certificates attached to it. However, only a revocation certificate signed by the corresponding private key (which you presumably own, and is hopefully secret) will have the effect of actually revoking it.
That said, if you wish the fact that you have revoked your key to be communicated to the rest of the world, that is, via keyservers, you should first generate a revocation certificate signed by your private key, attach it to your public key (effectively revoking it), and then upload this revoked key to a keyserver. The keyserver will simply merge your key with the copy they have (if they have it), and propagate this key to other keyservers it knows. If all goes well, in a few days or longer, your revoked key should be available across the keyservers connected directly or indirectly to the keyserver you uploaded your key to.