How to Manage Certificates Through Azure Key Vault

Certificates are the spice of life. Okay, not really. But they are critical components for securing our IT and communication services through PKI. PKI is a complicated subject outside of the scope of this article, but what’s important is understanding that Azure Key Vault is how certificates are managed in Azure PKI products. So, let’s dig into Key Vault a little more. 

On a side note, if you need to learn how to use Azure Key Vault to pass the AC500 exam, take a look at our Azure Security certification prep course.

An Overview of Managing Certificates Through Azure Key Vault

As an Azure administrator, you have access to Azure Key Vault, which gives you many options for configuring and managing certificates. With this video, learn how to navigate the Azure Key Vault and make whatever configurations you need to.

What are Certificates?

Certificates serve a few purposes, but their primary use is to present identity. Think of a certificate as a digital driver’s license for IT services. Like driver’s licenses, certificates are dependable identifiers because they are signed and issued by a trusted outside source. Driver’s licenses are issued by the DMV while a certificate authority signs certificates. Certificate authorities are highly trusted entities.

When a certificate is presented to validate identification, the client is offered the certificate using cryptographic signatures from the certificate authority (or reaching out directly to the CA) as proof that the certificate authority did mint the certificate. 

How to Manage Certificates in Azure Key Vault

Azure makes managing certificates easy with Key Vault. Before creating certificates, though, you’ll need a Key Vault first. 

Think of a Key Vault as a security lockbox. We want to keep our certificates safe and sound, but we may want to organize them later, too. There are various reasons to have different Key Vaults, but that’s an explanation for a different article. 

For now, go to the Key Vaults dashboard inside your Azure account. Once on that page, look for the ‘+New’ button in the upper-left corner of the side navigation bar. Then, click that button and follow the on-screen instructions to create a new Azure Key Vault. 

How to Create a New Certificate in Azure Key Vault

Now that a Key Vault has been created for your Azure account, open it. A bunch of options will display inside the Key Vault management pane. Look through those options and find the Settings group. 

Take a moment to review each option available inside the Settings group. You’ll need to remember where to find these options later as your PKI solutions grow, but for the moment, select Certificates after reviewing the Settings group. 

After selecting Certificates, a new menu bar will display across the top of the Key Vault management pane. The far left side of the menu bar has a button that says ‘+Generate/Import.’ Use this button to create a new certificate inside your Azure Key Vault. 

Clicking that ‘Generate/Import’ button will launch a wizard in Azure. Creating a new certificate is as easy as following the instructions in this wizard. Before creating a new certificate, though, you’ll need to add a Certificate Authority to your Azure account first. Instructions for that process are below. 

How to Add a New Certificate Authority to Azure Key Vault

In the previous section, we explained how to add a new certificate to Azure Key Vault, but certificates don’t mean much unless a trusted Certificate Authority signs them. There is always the option of self-signing certificates, but self-signed certificates have as much worth as an ‘IOU’ sticky note. They shouldn’t be trusted. 

You’ll need to add a Certificate Authority before creating valid and trusted certificates in Azure. To do this, follow the same steps as the section above (Go to the Settings area in your Key Vault and choose Certificates). Next, look to the far right side of the menu bar at the top of the Azure Key Vault management pane for a button that says ‘Certificate Authorities.’ Click that button. 

Clicking that button will open a new portal window for managing certificate authorities. Since Certificate Authorities exist outside the certificate, they get their own management dashboard. A single Certificate Authority (E.g. Komodo) can sign many different, unrelated certificates. 

Look for the ‘+New’ button at the top of the Certificate Authority management dashboard. Use that button to add a new CA to the Azure Key vault. When adding it to Azure, you’ll need your account information handy for the Certificate Authority. 

Learn More About Azure’s PKI Solutions

In this article, we walked through the process of creating a new Azure Key Vault, adding a Certificate Authority to your Azure account, and creating new certificates using those Certificate Authorities for your Key Vault. There is so much more to learn, however. 

If you’re ready to take a deep dive into what Azure has to offer for PKI solutions, check out our training that covers the Azure Security Certification process. It’s also one of the easiest ways to study for the AC500 exam.