Deploy certificates by using Azure Key Vault. Certificate auto-rotation in Key Vault


The certificates can be public and private Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates signed by a certificate authority (CA), or a self-signed certificate. Key Vault can also request and renew certificates through partnerships with CAs, providing a robust solution for certificate lifecycle management.

A certificate created in Key Vault can be:

  • A self-signed certificate.
  • A certificate created with a CA that’s partnered with Key Vault.
  • A certificate with a CA that isn’t partnered with Key Vault.

The following CAs are currently partnered providers with Key Vault:

  • DigiCert: Key Vault offers OV TLS/SSL certificates.
  • GlobalSign: Key Vault offers OV TLS/SSL certificates.

Key Vault auto-rotates certificates through established partnerships with CAs. Because Key Vault automatically requests and renews certificates through the partnership, auto-rotation capability is not applicable for certificates created with CAs that are not partnered with Key Vault.

We can create a certificate with a known issuer provider: 

Azure Key Vault allows you to easily provision, manage, and deploy digital certificates for your network and to enable secure communications for applications. A digital certificate is an electronic credential that establishes proof of identity in an electronic transaction.

Azure Key Vault has a trusted partnership with the following Certificate Authorities:

Azure Key Vault users can generate DigiCert/GlobalSign certificates directly from their key vaults. Key Vault’s partnership ensures end-to-end certificate lifecycle management for certificates issued by DigiCert.

How to add GlobalSign certificate authority

  1. To add GlobalSign certificate authority, go to the key vault you want to add it to.
  2. On the Key Vault property page, select Certificates.
  3. Select the Certificate Authorities tab: 

Update certificate lifecycle attributes to renew certificate automatically

Azure Key Vault handles the end-to-end maintenance of certificates issued by its trusted partner certificate authorities, DigiCert and GlobalSign.

  • Validity Period: Enter the value (in months). Creating short-lived certificates is a recommended security practice. By default, the validity value of a newly created certificate is 12 months.
  • Lifetime Action Type: Select the certificate’s auto-renewal and alerting action and then update percentage lifetime or Number of days before expiry. By default, a certificate’s auto-renewal is set at 80 percent of its lifetime.
      • Automatically renew at a given time: Selecting this option will turn on autorotation.
      • Email all contacts at a given time: Selecting this option will not auto-rotate but will only alert the contacts.

Get notified about certificate expiration

To get notified about certificate life events, you need to add a certificate contact. Certificate contacts hold the contact information used to send notifications triggered by certificate lifetime events. The contact information is shared by all the certificates in the key vault: a notification is sent to all the specified contacts for an event on any certificate in the key vault.
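The lifecycle attributes and the certificate contact described above can also be set from the Azure CLI. The following script is an added example, not code from the original post or from Microsoft: it builds the policy JSON for a GlobalSign-issued certificate with a 12-month validity and an AutoRenew action at 80 percent of its lifetime, checks the trigger against the rules the page states before applying it, and registers a certificate contact. The vault name, certificate name, subject and e-mail address are placeholders, and the GlobalSign issuer object is assumed to be already configured under the Certificate Authorities tab.

```bash
#!/usr/bin/env bash
# Added example (not the post's or Microsoft's code): build, check and apply a Key Vault certificate policy.
set -euo pipefail

# Emit policy JSON in the shape `az keyvault certificate create --policy @file` accepts.
# Args: issuer name (the issuer object configured under Certificate Authorities),
# subject, validity in months, action (AutoRenew|EmailContacts), lifetime percentage.
# `daysBeforeExpiry` is the alternative trigger to `lifetimePercentage`.
build_policy() {
  local issuer=$1 subject=$2 months=$3 action=$4 pct=$5
  cat <<EOF
{
  "issuerParameters": { "name": "$issuer" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false },
  "lifetimeActions": [
    { "action": { "actionType": "$action" }, "trigger": { "lifetimePercentage": $pct } }
  ],
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": { "subject": "$subject", "validityInMonths": $months }
}
EOF
}

# Reject what the service cannot honour: AutoRenew needs a partnered CA (DigiCert or GlobalSign), and the percentage trigger must be 1..99.
check_policy() {
  local issuer=$1 action=$2 pct=$3
  if [ "$action" = AutoRenew ]; then
    case "$issuer" in
      DigiCert|GlobalSign) ;;
      *) echo "AutoRenew is not available for non-partnered CA '$issuer'" >&2; return 1 ;;
    esac
  fi
  if [ "$pct" -lt 1 ] || [ "$pct" -gt 99 ]; then
    echo "lifetimePercentage must be between 1 and 99, got $pct" >&2; return 1
  fi
}

# Apply to a vault (placeholder values; run `az login` first). The contact receives the notifications for every certificate in the vault.
apply_policy() {
  local vault=$1 name=$2 policy_file=$3 contact=$4
  az keyvault certificate contact add --vault-name "$vault" --email "$contact"
  az keyvault certificate create --vault-name "$vault" --name "$name" --policy "@$policy_file"
}

# 12-month GlobalSign certificate, auto-renewed at 80% of its lifetime.
check_policy GlobalSign AutoRenew 80
build_policy GlobalSign "CN=www.example.com" 12 AutoRenew 80 > policy.json
# apply_policy my-vault-name www-example-com policy.json secops@example.com
```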