Generate certificates with Azure Key Vault - azure

I am not a professional with certificates; however, I am trying to understand how to get this working with Azure Key Vault.
Use case: I have a website with an SSL certificate signed by a CA (not supported by Azure Key Vault).
I want to have that root certificate in my key vault and generate client certificates as needed for our customers. (They need to be able to validate that the certificate they retrieved came from our root certificate.)
My questions:
1 - Am I correct when assuming the following:
I can generate a certificate with Azure Key Vault, export the CSR, and get the CSR signed by my CA. Importing the output file provided by my CA will result in having the correct root certificate stored in the Key Vault.
2 - To generate client certificates, I need to repeat the process described in question 1; however, I do not need it signed by the CA, but rather by my new certificate that was created above? This way, I can create many client certificates in a secure way.

Related

Use Azure Keyvault to sign csr

I am not sure if this is a duplicate of Sign a CSR with Azure Key Vault, but I am surprised not to see any solution to this request.
AWS Certificate Manager can act as a private CA; I would expect something similar in Azure, but I can't find anything.
Assuming I have a CSR, how can I get it signed by my own CA?
I see two approaches:
1 - I store the CA certificate in Key Vault and then download the private key to sign. This is bad, because the private key leaves the vault.
2 - I store the private key in Key Vault and then use the sign() method to sign the CSR digest.
I am surprised to see that there is no simple method to sign the CSR and get the signed certificate. Approach 2 would require manual steps to build the certificate from the signed digest.
Is there any alternative or ready-made library to sign CSRs?
Thanks for any hint,

I'm trying to generate a CSR from our SharePoint page to a vendor's website to pull information from them. Where am I supposed to generate the CSR from?
Is it supposed to be done in Azure, since it's SharePoint, or is it on a different server? I have looked into Azure Key Vault but before proceeding need confirmation if this is correct, and if so, how to go about generating it.
Please check if the below points are helpful:
For a simple way to create a CSR that works on any Microsoft server platform, you can use DigiCert. Azure Key Vault partners with the following certificate authorities to simplify certificate creation: DigiCert and GlobalSign (it offers OV TLS/SSL certificates with DigiCert/GlobalSign).
Azure Key Vault supports storing digital certificates issued by any certificate authority (CA). It supports CSRs with a private/public key pair.
If you are a Microsoft Azure user, you can create a CSR in Key Vault. The thing we need to make sure is that the private key and resulting public key are a matching pair. (AFAIK the CSR does not have to be generated on SharePoint.)
One of the biggest advantages of managing certificates through Key Vault is that the private key of the certificate is never exposed outside the Key Vault security world (reference). The private key would be stored within Key Vault, and the public key would be attached to the CSR and submitted to the CA. During certificate import, the public key (attached with the certificate) would be matched against the private key (stored within Key Vault) to complete the key pair.
Steps to generate a CSR in Azure Key Vault:
1 - Sign into the Azure portal and select the key vault where you wish to install your certificate.
2 - Select Certificates in the right-hand Settings menu.
3 - Click the Generate/Import button to open the Create a certificate window.
4 - Enter or select the details in the Create a certificate form fields.
5 - Select Certificate issued by an integrated CA / non-integrated CA and fill in the other fields.
6 - Click the Create button to generate your new key pair and CSR.
Also check this blog / Creating and merging a certificate signing request in Azure Key Vault | Microsoft Docs for complete details of the steps.
References:
Get started with Key Vault certificates | Microsoft Docs
Access SharePoint online content using Azure key vault certificate and Azure function app | Sundar's blog (sundarcloud.com)

Azure APIM - how to validate client certificate using context.Request.Certificate.Verify()

I am trying to validate a client certificate in Azure API Management using the context.Request.Certificate.Verify() method.
I have tried the following steps:
1 - I have created a self-signed root CA certificate and then created a client certificate and key file.
2 - Now from Postman, I am trying to call a method attaching the client certificate. I have verified that the certificate is sent to APIM via trace.
3 - I have uploaded the root CA certificate in APIM -> CA certificates. While uploading, I converted it to a ".cer" file, as it is not accepting a ".crt" file, and set the Store as "Trusted root".
4 - In the APIM policy, I have used the method to validate the client certificate via context.Request.Certificate.Verify().
Now, when I try to call the APIM API with the client certificate, the above method (step 4) always comes back as False, verified from the APIM trace. Not sure what I am doing wrong and where. Any help/guidance or any article is really helpful.
I faced similar issues. The investigation summary / cause is below:
Later the customer encountered the issue again when they sent a PFX certificate as a client certificate to APIM from Postman.
The self-signed certificate's CRL distribution list (URLs in certificate revocation lists) and access information cannot be publicly reached (APIM is publicly hosted and not internal), hence certificate.verify fails.
2 options to fix the issue:
1 - Purchase a certificate from a publicly trusted CA.
2 - Use context.Request.Certificate.VerifyNoRevocation instead of context.Request.Certificate.Verify so that APIM will not check the revocation list during certificate.verify.
Note:
If certificate.verify is a mandatory order from your security team, then you would have to purchase a certificate from a trusted CA.
So you need VerifyNoRevocation since APIM cannot retrieve revocation list information, and VerifyNoRevocation will still perform verification of the certificate path as well.
For client certificate validation in Azure API Management, generally the following steps are required:
1 - Generate a root CA and an intermediate CA along with the client certificates.
2 - Upload the intermediate certificate, which validates the client certificates sent by the user.
You can use this guide to set up the CA.

How to sign a CSR in Azure Key Vault using an Issuer Certificate

I have uploaded the issuer certificate in the Azure Key Vault, and now I want to send a CSR generated on my system to Azure, get it signed by the issuer certificate in the KV, and have the signed certificate returned to me. Any idea how to accomplish it?
I am sorry that you are not able to accomplish it. For Azure Key Vault's usage scenarios, you may refer to What is Azure Key Vault?.
Just as explained in that article, for certificates, Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
You can generate a new certificate from a public CA (DigiCert or GlobalSign).
If you want to use a custom CA, you can only create a CSR, get your certificate from that CA, and finally update your certificate in Azure Key Vault. Refer to: Create a certificate manually and get signed by a CA
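The manual step that approach 2 of the "Use Azure Keyvault to sign csr" post and the issuer-certificate question above both leave open, building the certificate from a digest signed inside the vault, as an added example that is not from either post or from Azure's SDKs: in Go, x509.CreateCertificate accepts any crypto.Signer, so the only vault-specific code is a Sign method that forwards the TBSCertificate digest to Key Vault's sign operation. The vaultSigner here wraps a constructed in-memory RSA key as a stand-in for the vault-held CA key, and the Key Vault call itself is an assumption marked in the comment; the issuance path checks the CSR's proof of possession and sets key usages from CA policy rather than from the request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// vaultSigner satisfies crypto.Signer: x509.CreateCertificate hands Sign only the TBSCertificate
// digest, which is all Key Vault's sign operation needs, so the CA private key never leaves the vault.
type vaultSigner struct{ key *rsa.PrivateKey } // constructed in-memory stand-in for the vault-held key
func (v vaultSigner) Public() crypto.PublicKey { return &v.key.PublicKey }
func (v vaultSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	// Production (assumed): call Key Vault sign with RS256 on the CA key and return its bytes;
	// RS256 output is PKCS#1 v1.5, exactly what a SHA256WithRSA certificate carries.
	return rsa.SignPKCS1v15(r, v.key, opts.HashFunc(), digest)
}

// newVaultCA creates a self-signed root whose private key sits behind the signer.
func newVaultCA(cn string) (*x509.Certificate, crypto.Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, vaultSigner{key})
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, vaultSigner{key}, err
}

// issueClientCert signs a DER CSR through the CA signer and returns the leaf DER. The CSR signature
// is verified first (proof of possession); only the subject is copied, usages come from CA policy.
func issueClientCert(csrDER []byte, ca *x509.Certificate, signer crypto.Signer) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err = csr.CheckSignature(); err != nil { return nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, signer)
}
```

For an EC key in Key Vault (ES256), the sign operation returns r||s, which must be DER-encoded as an ECDSA-Sig-Value before Sign returns it; the RSA path above needs no conversion.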

How to manage Azure App Service Certificate

I have purchased an App Service wildcard certificate and would like to import this cert into Azure Key Vault for other purposes. Once I export/import the cert into Azure Key Vault and use it for other custom domains (for example, APIM), will the auto-renew ability continue to work as expected (automatically), or will I be forced to manage the cert differently now that it is stored in Key Vault?
Key Vault certificates support automatic renewal with selected issuers: Key Vault partner X.509 certificate providers / certificate authorities.
Non-partnered providers/authorities are also allowed but will not support the auto-renewal feature.
So, the cert imported into Key Vault will auto-renew instead of you manually renewing it.
The renewal process of the certificate is managed in Key Vault, so it doesn't matter where you use it; the renewal process will be the same.
